NodeJS/npm/7.20.1


a package manager for JavaScript

https://www.npmjs.com/package/npm
Artistic-2.0

2 Security Vulnerabilities

npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Published date: 2026-01-23T06:31:24Z
CVE: CVE-2026-0775
Links:

npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.

Affected versions: ["11.8.0", "11.7.0", "11.6.4", "11.6.3", "11.6.2", "11.6.1", "11.6.0", "11.5.2", "11.5.1", "11.5.0", "11.4.2", "11.4.1", "11.4.0", "11.3.0", "11.2.0", "11.1.0", "11.0.0", "11.0.0-pre.1", "11.0.0-pre.0", "10.9.4", "10.9.3", "10.9.2", "10.9.1", "10.9.0", "10.8.3", "10.8.2", "10.8.1", "10.8.0", "10.7.0", "10.6.0", "10.5.2", "10.5.1", "10.5.0", "10.4.0", "10.3.0", "10.2.5", "10.2.4", "10.2.3", "10.2.2", "10.2.1", "10.2.0", "10.1.0", "10.0.0", "10.0.0-pre.1", "10.0.0-pre.0", "9.9.4", "9.9.3", "9.9.2", "9.9.1", "9.9.0", "9.8.1", "9.8.0", "9.7.2", "9.7.1", "9.7.0", "9.6.7", "9.6.6", "9.6.5", "9.6.4", "9.6.3", "9.6.2", "9.6.1", "9.6.0", "9.5.1", "9.5.0", "9.4.2", "9.4.1", "9.4.0", "9.3.1", "9.3.0", "9.2.0", "9.1.3", "9.1.2", "9.1.1", "9.1.0", "9.0.1", "9.0.0", "9.0.0-pre.6", "9.0.0-pre.5", "9.0.0-pre.4", "9.0.0-pre.3", "9.0.0-pre.2", "9.0.0-pre.1", "9.0.0-pre.0", "8.19.4", "8.19.3", "8.19.2", "8.19.1", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.1", "8.15.0", "8.14.0", "8.13.2", "8.13.1", "8.13.0", "8.12.2", "8.12.1", "8.12.0", "8.11.0", "8.10.0", "8.9.0", "8.8.0", "8.7.0", "8.6.0", "8.5.5", "8.5.4", "8.5.3", "8.5.2", "8.5.1", "8.5.0", "8.4.1", "8.4.0", "8.3.2", "8.3.1", "8.3.0", "8.2.0", "8.1.4", "8.1.3", "8.1.2", "8.1.1", "8.1.0", "8.0.0", "7.24.2", "7.24.1", "7.24.0", "7.23.0", "7.22.0", "7.21.1", "7.21.0", "7.20.6", "7.20.5", "7.20.4", "7.20.3", "7.20.2", "7.20.1", "7.20.0", "7.19.1", "7.19.0", "7.18.1", "7.18.0", "7.17.0", "7.16.0", "7.15.1", "7.15.0", "7.14.0", "7.13.0", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.0", "7.9.0", "7.8.0", "7.7.6", "7.7.5", "7.7.4", "7.7.3", "7.7.2", "7.7.1", "7.7.0", "7.6.3", "7.6.2", "7.6.1", "7.6.0", "7.5.6", "7.5.5", "7.5.4", "7.5.3", "7.5.2", "7.5.1", "7.5.0", "7.4.3", "7.4.2", "7.4.1", "7.4.0", "7.3.0", "7.2.0", "7.1.2", "7.1.1", "7.1.0", "7.0.15", "7.0.14", "7.0.13", "7.0.12", "7.0.11", "7.0.10", "7.0.9", "7.0.8", "7.0.7", "7.0.6", "7.0.5", "7.0.4", "7.0.3", "7.0.2", "7.0.1", "7.0.0", "7.0.0-rc.4", 
"7.0.0-rc.3", "7.0.0-rc.2", "7.0.0-rc.1", "7.0.0-rc.0", "7.0.0-beta.13", "7.0.0-beta.12", "7.0.0-beta.11", "7.0.0-beta.10", "7.0.0-beta.9", "7.0.0-beta.8", "7.0.0-beta.7", "7.0.0-beta.6", "7.0.0-beta.5", "7.0.0-beta.4", "7.0.0-beta.3", "7.0.0-beta.2", "7.0.0-beta.1", "7.0.0-beta.0", "6.14.18", "6.14.17", "6.14.16", "6.14.15", "6.14.14", "6.14.13", "6.14.12", "6.14.11", "6.14.10", "6.14.9", "6.14.8", "6.14.7", "6.14.6", "6.14.5", "6.14.4", "6.14.3", "6.14.2", "6.14.1", "6.14.0", "6.13.7", "6.13.6", "6.13.5", "6.13.4", "6.13.3", "6.13.2", "6.13.1", "6.13.0", "6.12.1", "6.12.0", "6.12.0-next.0", "6.11.3", "6.11.2", "6.11.1", "6.11.0", "6.10.3", "6.10.2", "6.10.2-next.3", "6.10.2-next.2", "6.10.2-next.1", "6.10.2-next.0", "6.10.1", "6.10.1-next.2", "6.10.1-next.1", "6.10.1-next.0", "6.10.0", "6.10.0-next.0", "6.9.2", "6.9.1-next.0", "6.9.0", "6.9.0-next.0", "6.8.0", "6.8.0-next.2", "6.8.0-next.1", "6.8.0-next.0", "6.7.0", "6.6.0", "6.6.0-next.1", "6.6.0-next.0", "6.5.0", "6.5.0-next.0", "6.4.1", "6.4.1-next.0", "6.4.0", "6.4.0-next.0", "6.3.0", "6.3.0-next.0", "6.2.0", "6.2.0-next.1", "6.2.0-next.0", "6.1.0", "6.1.0-next.0", "6.0.1", "6.0.1-next.0", "6.0.0", "6.0.0-next.2", "6.0.0-next.1", "6.0.0-next.0", "5.10.0", "5.10.0-next.1", "5.10.0-next.0", "5.9.0-next.0", "5.8.0", "5.8.0-next.0", "5.7.1", "5.7.0", "5.6.0", "5.5.1", "5.5.0", "5.4.2", "5.4.1", "5.4.0", "5.3.0", "5.2.0", "5.1.0", "5.0.4", "5.0.3", "5.0.2", "5.0.1", "5.0.0", "4.6.1", "4.6.0", "4.5.0", "4.4.4", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.0", "4.1.2", "4.1.1", "4.1.0", "4.0.5", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "3.10.10", "3.10.9", "3.10.8", "3.10.7", "3.10.6", "3.10.5", "3.10.4", "3.10.3", "3.10.2", "3.10.1", "3.10.0", "3.9.6", "3.9.5", "3.9.4", "3.9.3", "3.9.2", "3.9.1", "3.9.0", "3.8.9", "3.8.8", "3.8.7", "3.8.6", "3.8.5", "3.8.4", "3.8.3", "3.8.2", "3.8.1", "3.8.0", "3.7.5", "3.7.4", "3.7.3", "3.7.2", "3.7.1", "3.7.0", "3.6.0", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.5.0", "3.4.1", 
"3.4.0", "3.3.12", "3.3.11", "3.3.10", "3.3.9", "3.3.8", "3.3.7", "3.3.6", "3.3.5", "3.3.4", "3.3.3", "3.3.2", "3.3.1", "3.3.0", "3.2.2", "3.2.1", "3.2.0", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.0", "2.15.12", "2.15.11", "2.15.10", "2.15.9", "2.15.8", "2.15.7", "2.15.6", "2.15.5", "2.15.4", "2.15.3", "2.15.2", "2.15.1", "2.15.0", "2.14.22", "2.14.21", "2.14.20", "2.14.19", "2.14.18", "2.14.17", "2.14.16", "2.14.15", "2.14.14", "2.14.13", "2.14.12", "2.14.11", "2.14.10", "2.14.9", "2.14.8", "2.14.7", "2.14.6", "2.14.5", "2.14.4", "2.14.3", "2.14.2", "2.14.1", "2.14.0", "2.13.5", "2.13.4", "2.13.3", "2.13.2", "2.13.1", "2.13.0", "2.12.1", "2.12.0", "2.11.3", "2.11.2", "2.11.1", "2.11.0", "2.10.1", "2.10.0", "2.9.1", "2.9.0", "2.8.4", "2.8.3", "2.8.2", "2.8.1", "2.8.0", "2.7.6", "2.7.5", "2.7.4", "2.7.3", "2.7.2", "2.7.1", "2.7.0", "2.6.1", "2.6.0", "2.5.1", "2.5.0", "2.4.1", "2.4.0", "2.3.0", "2.2.0", "2.1.18", "2.1.17", "2.1.16", "2.1.15", "2.1.14", "2.1.13", "2.1.12", "2.1.11", "2.1.10", "2.1.9", "2.1.8", "2.1.7", "2.1.6", "2.1.5", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1.0", "2.0.2", "2.0.1", "2.0.0", "2.0.0-beta.3", "2.0.0-beta.2", "2.0.0-beta.1", "2.0.0-beta.0", "2.0.0-alpha.7", "2.0.0-alpha.6", "2.0.0-alpha.6.0", "2.0.0-alpha-5", "1.2.8000", "1.5.0-alpha-3", "1.5.0-alpha-4", "1.5.0-alpha-0", "1.5.0-alpha-2", "1.5.0-alpha-1", "1.4.29", "1.4.28", "1.4.27", "1.4.26", "1.4.25", "1.4.24", "1.4.23", "1.4.22", "1.4.21", "1.4.20", "1.4.19", "1.4.18", "1.4.17", "1.4.16", "1.4.15", "1.4.14", "1.4.13", "1.4.12", "1.4.11", "1.4.10", "1.4.9", "1.4.8", "1.4.7", "1.4.6", "1.4.5", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.26", "1.3.25", "1.3.24", "1.3.23", "1.3.22", "1.3.21", "1.3.20", "1.3.18", "1.3.17", "1.3.16", "1.3.15", "1.3.14", "1.3.13", "1.3.12", "1.3.11", "1.3.10", "1.3.9", "1.3.8", "1.3.7", "1.3.6", "1.3.5", "1.3.4", "1.3.2", "1.3.1", "1.3.0", "1.2.32", "1.2.31", "1.2.30", "1.2.28", "1.2.27", "1.2.25", "1.2.24", "1.2.23", "1.2.22", "1.2.21", "1.2.20", 
"1.2.19", "1.1.71", "1.1.70", "1.1.25"]
Secure versions: []

Packing does not respect root-level ignore files in workspaces

Published date: 2022-06-02T15:37:27Z
CVE: CVE-2022-29244
Links:

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and may have published files into the npm registry they did not intend to include.

Patch

  • Upgrade to the latest patched version of npm (v8.11.0 or greater) by running: npm i -g npm@latest
  • Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

  1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal, which will list the package contents (note: tar -tvf <package-on-disk> also works)
  3. If you find that there are files included you did not expect, you should:
     3.1. Create & publish a new release excluding those files (ref. Keeping files out of your Package)
     3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
     3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

  • CVE-2022-29244
  • npm-packlist
  • libnpmpack
  • libnpmpublish

Affected versions: ["8.10.0", "8.9.0", "8.8.0", "8.7.0", "8.6.0", "8.5.5", "8.5.4", "8.5.3", "8.5.2", "8.5.1", "8.5.0", "8.4.1", "8.4.0", "8.3.2", "8.3.1", "8.3.0", "8.2.0", "8.1.4", "8.1.3", "8.1.2", "8.1.1", "8.1.0", "8.0.0", "7.24.2", "7.24.1", "7.24.0", "7.23.0", "7.22.0", "7.21.1", "7.21.0", "7.20.6", "7.20.5", "7.20.4", "7.20.3", "7.20.2", "7.20.1", "7.20.0", "7.19.1", "7.19.0", "7.18.1", "7.18.0", "7.17.0", "7.16.0", "7.15.1", "7.15.0", "7.14.0", "7.13.0", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.0", "7.9.0"]
Secure versions: []

577 Other Versions

Version | License | Security (number of known vulnerabilities) | Released (date - time, age)
7.0.0-rc.4 Artistic-2.0 1 2020-10-09 - 18:51 over 5 years
7.0.0-rc.3 Artistic-2.0 1 2020-10-06 - 18:58 over 5 years
7.0.0-rc.2 Artistic-2.0 1 2020-10-02 - 23:59 over 5 years
7.0.0-rc.1 Artistic-2.0 1 2020-10-02 - 21:23 over 5 years
7.0.0-rc.0 Artistic-2.0 1 2020-10-01 - 14:45 over 5 years
7.0.0-beta.13 Artistic-2.0 1 2020-09-29 - 18:59 over 5 years
7.0.0-beta.12 Artistic-2.0 1 2020-09-22 - 19:03 over 5 years
7.0.0-beta.11 Artistic-2.0 1 2020-09-16 - 16:01 over 5 years
7.0.0-beta.10 Artistic-2.0 1 2020-09-08 - 17:32 over 5 years
7.0.0-beta.9 Artistic-2.0 1 2020-09-04 - 19:18 over 5 years
7.0.0-beta.8 Artistic-2.0 1 2020-09-01 - 19:25 over 5 years
7.0.0-beta.7 Artistic-2.0 1 2020-08-25 - 18:53 over 5 years
7.0.0-beta.6 Artistic-2.0 1 2020-08-21 - 18:48 over 5 years
7.0.0-beta.5 Artistic-2.0 1 2020-08-18 - 19:08 over 5 years
7.0.0-beta.4 Artistic-2.0 1 2020-08-11 - 16:06 over 5 years
7.0.0-beta.3 Artistic-2.0 1 2020-08-10 - 21:50 over 5 years
7.0.0-beta.2 Artistic-2.0 1 2020-08-07 - 18:38 over 5 years
7.0.0-beta.1 Artistic-2.0 1 2020-08-05 - 19:26 over 5 years
7.0.0-beta.0 Artistic-2.0 1 2020-08-04 - 20:09 over 5 years
6.14.18 Artistic-2.0 1 2022-12-21 - 20:27 about 3 years
6.14.17 Artistic-2.0 1 2022-04-28 - 20:38 almost 4 years
6.14.16 Artistic-2.0 1 2022-01-19 - 20:41 about 4 years
6.14.15 Artistic-2.0 1 2021-08-24 - 02:53 over 4 years
6.14.14 Artistic-2.0 1 2021-07-27 - 19:19 over 4 years
6.14.13 Artistic-2.0 1 2021-04-12 - 15:16 almost 5 years
6.14.12 Artistic-2.0 1 2021-03-25 - 21:19 almost 5 years
6.14.11 Artistic-2.0 1 2021-01-08 - 02:20 about 5 years
6.14.10 Artistic-2.0 1 2020-12-18 - 19:37 about 5 years
6.14.9 Artistic-2.0 1 2020-11-20 - 20:49 about 5 years
6.14.8 Artistic-2.0 1 2020-08-17 - 20:50 over 5 years
6.14.7 Artistic-2.0 1 2020-07-21 - 20:19 over 5 years
6.14.6 Artistic-2.0 1 2020-07-07 - 17:14 over 5 years
6.14.5 Artistic-2.0 2 2020-05-04 - 16:46 almost 6 years
6.14.4 Artistic-2.0 2 2020-03-25 - 15:46 almost 6 years
6.14.3 Artistic-2.0 2 2020-03-19 - 15:11 almost 6 years
6.14.2 Artistic-2.0 2 2020-03-03 - 18:36 almost 6 years
6.14.1 Artistic-2.0 2 2020-02-27 - 00:40 almost 6 years
6.14.0 Artistic-2.0 2 2020-02-25 - 19:07 almost 6 years
6.13.7 Artistic-2.0 2 2020-01-28 - 19:09 about 6 years
6.13.6 Artistic-2.0 2 2020-01-09 - 23:00 about 6 years
6.13.5 Artistic-2.0 2 2020-01-09 - 21:14 about 6 years
6.13.4 Artistic-2.0 2 2019-12-11 - 19:05 about 6 years
6.13.3 Artistic-2.0 3 2019-12-10 - 01:31 about 6 years
6.13.2 Artistic-2.0 5 2019-12-03 - 17:55 about 6 years
6.13.1 Artistic-2.0 5 2019-11-18 - 18:46 about 6 years
6.13.0 Artistic-2.0 5 2019-11-05 - 19:47 over 6 years
6.12.1 Artistic-2.0 5 2019-10-29 - 16:48 over 6 years
6.12.0 Artistic-2.0 5 2019-10-08 - 15:43 over 6 years
6.12.0-next.0 Artistic-2.0 5 2019-09-26 - 19:06 over 6 years
6.11.3 Artistic-2.0 5 2019-09-03 - 22:18 over 6 years