NodeJS/npm/8.0.0

a package manager for JavaScript

https://www.npmjs.com/package/npm
Artistic-2.0

1 Security Vulnerabilities

Packing does not respect root-level ignore files in workspaces

Published date: 2022-06-02T15:37:27Z
CVE: CVE-2022-29244
Links:

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

  • Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
  • Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

  1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
  3. If you find that there are files included you did not expect, you should: 3.1. Create & publish a new release excluding those files (ref. Keeping files out of your Package) 3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed ### References
  4. CVE-2022-29244
  5. npm-packlist
  6. libnpmpack
  7. libnpmpublish

Affected versions: ["7.9.0", "7.10.0", "7.11.0", "7.11.1", "7.11.2", "7.12.0", "7.12.1", "7.13.0", "7.14.0", "7.15.0", "7.15.1", "7.16.0", "7.17.0", "7.18.0", "7.18.1", "7.19.0", "7.19.1", "7.20.0", "7.20.1", "7.20.2", "7.20.3", "7.20.4", "7.20.5", "7.20.6", "7.21.0", "7.21.1", "7.22.0", "7.23.0", "7.24.0", "7.24.1", "7.24.2", "8.0.0", "8.1.0", "8.1.1", "8.1.2", "8.1.3", "8.1.4", "8.2.0", "8.3.0", "8.3.1", "8.3.2", "8.4.0", "8.4.1", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.5.4", "8.5.5", "8.6.0", "8.7.0", "8.8.0", "8.9.0", "8.10.0"]
Secure versions: [6.14.6, 6.14.7, 7.0.0-beta.0, 7.0.0-beta.1, 7.0.0-beta.2, 7.0.0-beta.3, 7.0.0-beta.4, 6.14.8, 7.0.0-beta.5, 7.0.0-beta.6, 7.0.0-beta.7, 7.0.0-beta.8, 7.0.0-beta.9, 7.0.0-beta.10, 7.0.0-beta.11, 7.0.0-beta.12, 7.0.0-beta.13, 7.0.0-rc.0, 7.0.0-rc.1, 7.0.0-rc.2, 7.0.0-rc.3, 7.0.0-rc.4, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 6.14.9, 7.0.14, 7.0.15, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 6.14.10, 7.3.0, 7.4.0, 6.14.11, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 6.14.12, 7.7.5, 7.7.6, 7.8.0, 6.14.13, 6.14.14, 6.14.15, 6.14.16, 6.14.17, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.15.1, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.19.1, 9.0.0-pre.0, 8.19.2, 9.0.0-pre.1, 9.0.0-pre.2, 9.0.0-pre.3, 9.0.0-pre.4, 9.0.0-pre.5, 9.0.0-pre.6, 9.0.0, 9.0.1, 9.1.0, 8.19.3, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 6.14.18, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 8.19.4, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.7.0, 9.7.1, 9.7.2, 9.8.0, 9.8.1, 10.0.0-pre.0, 10.0.0-pre.1, 10.0.0, 10.1.0, 10.2.0, 9.9.0, 10.2.1, 10.2.2, 10.2.3, 9.9.1, 9.9.2, 10.2.4, 10.2.5, 10.3.0, 10.4.0, 9.9.3, 10.5.0, 10.5.1, 10.5.2, 10.6.0, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0]
Recommendation: Update to version 10.9.0.

553 Other Versions

Version License Security Released
10.9.0 Artistic-2.0 2024-10-03 - 17:54 28 days
10.8.3 Artistic-2.0 2024-08-28 - 20:17 2 months
10.8.2 Artistic-2.0 2024-07-10 - 17:06 4 months
10.8.1 Artistic-2.0 2024-05-29 - 20:55 5 months
10.8.0 Artistic-2.0 2024-05-15 - 22:23 6 months
10.7.0 Artistic-2.0 2024-04-30 - 21:59 6 months
10.6.0 Artistic-2.0 2024-04-25 - 17:28 6 months
10.5.2 Artistic-2.0 2024-04-10 - 20:19 7 months
10.5.1 Artistic-2.0 2024-04-03 - 14:46 7 months
10.5.0 Artistic-2.0 2024-02-28 - 17:55 8 months
10.4.0 Artistic-2.0 2024-01-24 - 21:39 9 months
10.3.0 Artistic-2.0 2024-01-10 - 20:40 10 months
10.2.5 Artistic-2.0 2023-12-06 - 22:04 11 months
10.2.4 Artistic-2.0 2023-11-15 - 21:35 12 months
10.2.3 Artistic-2.0 2023-11-02 - 19:52 12 months
10.2.2 Artistic-2.0 2023-10-31 - 17:44 about 1 year
10.2.1 Artistic-2.0 2023-10-18 - 20:29 about 1 year
10.2.0 Artistic-2.0 2023-10-03 - 15:56 about 1 year
10.1.0 Artistic-2.0 2023-09-08 - 23:21 about 1 year
10.0.0 Artistic-2.0 2023-08-31 - 20:45 about 1 year
10.0.0-pre.1 Artistic-2.0 2023-08-31 - 19:01 about 1 year
10.0.0-pre.0 Artistic-2.0 2023-07-26 - 22:18 over 1 year
9.9.3 Artistic-2.0 2024-02-28 - 17:21 8 months
9.9.2 Artistic-2.0 2023-11-15 - 21:29 12 months
9.9.1 Artistic-2.0 2023-11-07 - 21:01 12 months
9.9.0 Artistic-2.0 2023-10-06 - 19:55 about 1 year
9.8.1 Artistic-2.0 2023-07-19 - 17:15 over 1 year
9.8.0 Artistic-2.0 2023-07-05 - 20:25 over 1 year
9.7.2 Artistic-2.0 2023-06-21 - 18:09 over 1 year
9.7.1 Artistic-2.0 2023-06-07 - 15:38 over 1 year
9.7.0 Artistic-2.0 2023-05-31 - 21:18 over 1 year
9.6.7 Artistic-2.0 2023-05-18 - 13:56 over 1 year
9.6.6 Artistic-2.0 2023-05-03 - 20:01 over 1 year
9.6.5 Artistic-2.0 2023-04-19 - 21:52 over 1 year
9.6.4 Artistic-2.0 2023-04-05 - 19:54 over 1 year
9.6.3 Artistic-2.0 2023-03-30 - 20:17 over 1 year
9.6.2 Artistic-2.0 2023-03-15 - 16:31 over 1 year
9.6.1 Artistic-2.0 2023-03-08 - 19:12 over 1 year
9.6.0 Artistic-2.0 2023-03-02 - 09:15 over 1 year
9.5.1 Artistic-2.0 2023-02-22 - 18:58 over 1 year
9.5.0 Artistic-2.0 2023-02-15 - 16:39 over 1 year
9.4.2 Artistic-2.0 2023-02-07 - 20:51 over 1 year
9.4.1 Artistic-2.0 2023-02-02 - 04:17 over 1 year
9.4.0 Artistic-2.0 2023-01-25 - 21:26 almost 2 years
9.3.1 Artistic-2.0 2023-01-17 - 17:27 almost 2 years
9.3.0 Artistic-2.0 2023-01-12 - 20:31 almost 2 years
9.2.0 Artistic-2.0 2022-12-07 - 23:11 almost 2 years
9.1.3 Artistic-2.0 2022-11-30 - 23:38 almost 2 years
9.1.2 Artistic-2.0 2022-11-16 - 21:04 almost 2 years
9.1.1 Artistic-2.0 2022-11-09 - 21:32 almost 2 years
9.1.0 Artistic-2.0 2022-11-02 - 18:24 almost 2 years
9.0.1 Artistic-2.0 2022-10-26 - 21:44 about 2 years
9.0.0 Artistic-2.0 2022-10-19 - 22:00 about 2 years
9.0.0-pre.6 Artistic-2.0 2022-10-19 - 20:48 about 2 years
9.0.0-pre.5 Artistic-2.0 2022-10-13 - 17:21 about 2 years
9.0.0-pre.4 Artistic-2.0 2022-10-05 - 20:30 about 2 years
9.0.0-pre.3 Artistic-2.0 2022-09-30 - 02:54 about 2 years
9.0.0-pre.2 Artistic-2.0 2022-09-23 - 05:59 about 2 years
9.0.0-pre.1 Artistic-2.0 2022-09-14 - 23:47 about 2 years
9.0.0-pre.0 Artistic-2.0 2022-09-12 - 15:40 about 2 years
8.19.4 Artistic-2.0 2023-02-14 - 17:56 over 1 year
8.19.3 Artistic-2.0 2022-11-03 - 21:17 almost 2 years
8.19.2 Artistic-2.0 2022-09-13 - 23:10 about 2 years
8.19.1 Artistic-2.0 2022-09-01 - 22:40 about 2 years
8.19.0 Artistic-2.0 2022-08-31 - 22:52 about 2 years
8.18.0 Artistic-2.0 2022-08-17 - 20:29 about 2 years
8.17.0 Artistic-2.0 2022-08-10 - 18:35 about 2 years
8.16.0 Artistic-2.0 2022-08-03 - 16:18 about 2 years
8.15.1 Artistic-2.0 2022-07-27 - 22:51 over 2 years
8.15.0 Artistic-2.0 2022-07-20 - 22:08 over 2 years
8.14.0 Artistic-2.0 2022-07-13 - 17:51 over 2 years
8.13.2 Artistic-2.0 2022-06-29 - 22:58 over 2 years
8.13.1 Artistic-2.0 2022-06-23 - 20:52 over 2 years
8.13.0 Artistic-2.0 2022-06-22 - 22:22 over 2 years
8.12.2 Artistic-2.0 2022-06-15 - 20:12 over 2 years
8.12.1 Artistic-2.0 2022-06-02 - 17:52 over 2 years
8.12.0 Artistic-2.0 2022-06-01 - 22:03 over 2 years
8.11.0 Artistic-2.0 2022-05-25 - 21:08 over 2 years
8.10.0 Artistic-2.0 1 2022-05-11 - 17:04 over 2 years
8.9.0 Artistic-2.0 1 2022-05-04 - 16:54 over 2 years
8.8.0 Artistic-2.0 1 2022-04-27 - 14:51 over 2 years
8.7.0 Artistic-2.0 1 2022-04-14 - 18:48 over 2 years
8.6.0 Artistic-2.0 1 2022-03-31 - 22:35 over 2 years
8.5.5 Artistic-2.0 1 2022-03-17 - 20:12 over 2 years
8.5.4 Artistic-2.0 1 2022-03-10 - 18:53 over 2 years
8.5.3 Artistic-2.0 1 2022-03-03 - 21:29 over 2 years
8.5.2 Artistic-2.0 1 2022-02-24 - 21:22 over 2 years
8.5.1 Artistic-2.0 1 2022-02-17 - 21:35 over 2 years
8.5.0 Artistic-2.0 1 2022-02-10 - 21:36 over 2 years
8.4.1 Artistic-2.0 1 2022-02-03 - 20:13 over 2 years
8.4.0 Artistic-2.0 1 2022-01-27 - 21:09 almost 3 years
8.3.2 Artistic-2.0 1 2022-01-20 - 22:01 almost 3 years
8.3.1 Artistic-2.0 1 2022-01-13 - 20:34 almost 3 years
8.3.0 Artistic-2.0 1 2021-12-09 - 21:15 almost 3 years
8.2.0 Artistic-2.0 1 2021-12-02 - 21:55 almost 3 years
8.1.4 Artistic-2.0 1 2021-11-18 - 20:46 almost 3 years
8.1.3 Artistic-2.0 1 2021-11-04 - 20:35 almost 3 years
8.1.2 Artistic-2.0 1 2021-10-28 - 19:53 about 3 years
8.1.1 Artistic-2.0 1 2021-10-21 - 19:29 about 3 years
8.1.0 Artistic-2.0 1 2021-10-14 - 22:10 about 3 years