npm packing does not respect root-level ignore files in workspaces
CVE-2022-29244

7.5 HIGH

Key Information:

Vendor: Npm

Status
Vendor
CVE Published: 13 June 2022

What is CVE-2022-29244?

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files to the npm registry that they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0, by running: npm i -g npm@latest. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
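
A triage sketch for the advisory above, added here as an example and not taken from npm or from the advisory. It checks an npm version against the affected range and flags files in parsed npm pack --dry-run --json output that a root-level ignore file lists; the function names, the sample data and the simplified pattern matcher are assumptions.

```javascript
// Added example for CVE-2022-29244 triage; not npm's own code.
// Bounds from the advisory: pack affected from 7.9.0, publish from 7.13.0, fixed in 8.11.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised npm version: ${v}`);
  return m.slice(1).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Commands that skip root-level ignore files in the given npm version.
function affectedCommands(npmVersion) {
  const v = parseVersion(npmVersion);
  if (cmp(v, [8, 11, 0]) >= 0) return [];
  const out = [];
  if (cmp(v, [7, 9, 0]) >= 0) out.push('pack');
  if (cmp(v, [7, 13, 0]) >= 0) out.push('publish');
  return out;
}
// Simplified matcher (assumption): supports only slash-free patterns such as
// ".env" or "*.pem" and directory patterns such as "secrets/"; no negation.
function patternToTest(pattern) {
  const dir = pattern.endsWith('/');
  const glob = (dir ? pattern.slice(0, -1) : pattern)
    .replace(/[.+^${}()|[\]\\?]/g, '\\$&').replace(/\*/g, '[^/]*');
  const re = new RegExp(`^${glob}$`);
  return (path) => {
    const parts = path.split('/');
    return (dir ? parts.slice(0, -1) : parts).some((p) => re.test(p));
  };
}
// packJson: parsed `npm pack --dry-run --json` output for a workspace package.
// ignoreText: the root-level .npmignore or .gitignore. Returns packed paths it excludes.
function leakedFiles(packJson, ignoreText) {
  const tests = ignoreText.split('\n').map((l) => l.trim())
    .filter((l) => l && !/^[#!]/.test(l) && !l.slice(0, -1).includes('/'))
    .map(patternToTest);
  return packJson.flatMap((pkg) => pkg.files.map((f) => f.path))
    .filter((p) => tests.some((t) => t(p)));
}
// Constructed sample data (not from the advisory).
const SAMPLE_IGNORE = '# root .npmignore\n.env\n*.pem\nsecrets/\n';
const SAMPLE_PACK = [{ name: 'pkg-a', files: [
  { path: 'package.json' }, { path: 'index.js' }, { path: '.env' },
  { path: 'certs/dev.pem' }, { path: 'secrets/token.txt' }] }];
console.log(affectedCommands('7.10.0'), leakedFiles(SAMPLE_PACK, SAMPLE_IGNORE));
```

Any path this reports for an already published version is worth reviewing in the registry tarball, and any secret among those files should be rotated.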

Affected Version(s)

npm 7.9.0 < 7.9.0*

npm 8.11.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
