NodeJS/npm/7.10.0
a package manager for JavaScript
https://www.npmjs.com/package/npm
Artistic-2.0
1 Security Vulnerabilities
Packing does not respect root-level ignore files in workspaces
Published date: 2022-06-02T15:37:27Z
CVE: CVE-2022-29244
Links:
- https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
- https://github.com/nodejs/node/releases/tag/v16.15.1
- https://github.com/nodejs/node/releases/tag/v17.9.1
- https://github.com/nodejs/node/releases/tag/v18.3.0
- https://github.com/npm/cli/releases/tag/v8.11.0
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
- https://github.com/npm/npm-packlist
- https://github.com/advisories/GHSA-hj9c-8jmm-8c52
- https://nvd.nist.gov/vuln/detail/CVE-2022-29244
- https://github.com/nodejs/node/pull/43210
- https://security.netapp.com/advisory/ntap-20220722-0007/
Impact
npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.
Patch
- Upgrade to the latest, patched version of
npm(v8.11.0or greater), run:npm i -g npm@latest - Node.js versions
v16.15.1,v17.19.1&v18.3.0include the patchedv8.11.0version ofnpm
Steps to take to see if you're impacted
- Run
npm publish --dry-runornpm packwith annpmversion>=7.9.0&<8.11.0inside the project's root directory using a workspace flag like:--workspacesor--workspace=<name>(ex.npm pack --workspace=foo) - Check the output in your terminal which will list the package contents (note:
tar -tvf <package-on-disk>also works) - If you find that there are files included you did not expect, you should:
3.1. Create & publish a new release excluding those files (ref.
Keeping files out of your Package
) 3.2. Deprecate the old package (ex.npm deprecate <pkg>[@<version>] <message>) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed ### References - CVE-2022-29244
npm-packlistlibnpmpacklibnpmpublish
Affected versions:
["7.9.0", "7.10.0", "7.11.0", "7.11.1", "7.11.2", "7.12.0", "7.12.1", "7.13.0", "7.14.0", "7.15.0", "7.15.1", "7.16.0", "7.17.0", "7.18.0", "7.18.1", "7.19.0", "7.19.1", "7.20.0", "7.20.1", "7.20.2", "7.20.3", "7.20.4", "7.20.5", "7.20.6", "7.21.0", "7.21.1", "7.22.0", "7.23.0", "7.24.0", "7.24.1", "7.24.2", "8.0.0", "8.1.0", "8.1.1", "8.1.2", "8.1.3", "8.1.4", "8.2.0", "8.3.0", "8.3.1", "8.3.2", "8.4.0", "8.4.1", "8.5.0", "8.5.1", "8.5.2", "8.5.3", "8.5.4", "8.5.5", "8.6.0", "8.7.0", "8.8.0", "8.9.0", "8.10.0"]
Secure versions:
[6.14.6, 6.14.7, 7.0.0-beta.0, 7.0.0-beta.1, 7.0.0-beta.2, 7.0.0-beta.3, 7.0.0-beta.4, 6.14.8, 7.0.0-beta.5, 7.0.0-beta.6, 7.0.0-beta.7, 7.0.0-beta.8, 7.0.0-beta.9, 7.0.0-beta.10, 7.0.0-beta.11, 7.0.0-beta.12, 7.0.0-beta.13, 7.0.0-rc.0, 7.0.0-rc.1, 7.0.0-rc.2, 7.0.0-rc.3, 7.0.0-rc.4, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 6.14.9, 7.0.14, 7.0.15, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 6.14.10, 7.3.0, 7.4.0, 6.14.11, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 6.14.12, 7.7.5, 7.7.6, 7.8.0, 6.14.13, 6.14.14, 6.14.15, 6.14.16, 6.14.17, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.15.1, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.19.1, 9.0.0-pre.0, 8.19.2, 9.0.0-pre.1, 9.0.0-pre.2, 9.0.0-pre.3, 9.0.0-pre.4, 9.0.0-pre.5, 9.0.0-pre.6, 9.0.0, 9.0.1, 9.1.0, 8.19.3, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 6.14.18, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 8.19.4, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.7.0, 9.7.1, 9.7.2, 9.8.0, 9.8.1, 10.0.0-pre.0, 10.0.0-pre.1, 10.0.0, 10.1.0, 10.2.0, 9.9.0, 10.2.1, 10.2.2, 10.2.3, 9.9.1, 9.9.2, 10.2.4, 10.2.5, 10.3.0, 10.4.0, 9.9.3, 10.5.0, 10.5.1, 10.5.2, 10.6.0, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0]
Recommendation:
Update to version 10.9.0.
553 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 6.14.13 | Artistic-2.0 | 2021-04-12 - 15:16 | over 3 years | |
| 6.14.12 | Artistic-2.0 | 2021-03-25 - 21:19 | over 3 years | |
| 6.14.11 | Artistic-2.0 | 2021-01-08 - 02:20 | almost 4 years | |
| 6.14.10 | Artistic-2.0 | 2020-12-18 - 19:37 | almost 4 years | |
| 6.14.9 | Artistic-2.0 | 2020-11-20 - 20:49 | almost 4 years | |
| 6.14.8 | Artistic-2.0 | 2020-08-17 - 20:50 | about 4 years | |
| 6.14.7 | Artistic-2.0 | 2020-07-21 - 20:19 | over 4 years | |
| 6.14.6 | Artistic-2.0 | 2020-07-07 - 17:14 | over 4 years | |
| 6.14.5 | Artistic-2.0 | 1 | 2020-05-04 - 16:46 | over 4 years |
| 6.14.4 | Artistic-2.0 | 1 | 2020-03-25 - 15:46 | over 4 years |
| 6.14.3 | Artistic-2.0 | 1 | 2020-03-19 - 15:11 | over 4 years |
| 6.14.2 | Artistic-2.0 | 1 | 2020-03-03 - 18:36 | over 4 years |
| 6.14.1 | Artistic-2.0 | 1 | 2020-02-27 - 00:40 | over 4 years |
| 6.14.0 | Artistic-2.0 | 1 | 2020-02-25 - 19:07 | over 4 years |
| 6.13.7 | Artistic-2.0 | 1 | 2020-01-28 - 19:09 | almost 5 years |
| 6.13.6 | Artistic-2.0 | 1 | 2020-01-09 - 23:00 | almost 5 years |
| 6.13.5 | Artistic-2.0 | 1 | 2020-01-09 - 21:14 | almost 5 years |
| 6.13.4 | Artistic-2.0 | 1 | 2019-12-11 - 19:05 | almost 5 years |
| 6.13.3 | Artistic-2.0 | 2 | 2019-12-10 - 01:31 | almost 5 years |
| 6.13.2 | Artistic-2.0 | 4 | 2019-12-03 - 17:55 | almost 5 years |
| 6.13.1 | Artistic-2.0 | 4 | 2019-11-18 - 18:46 | almost 5 years |
| 6.13.0 | Artistic-2.0 | 4 | 2019-11-05 - 19:47 | almost 5 years |
| 6.12.1 | Artistic-2.0 | 4 | 2019-10-29 - 16:48 | about 5 years |
| 6.12.0 | Artistic-2.0 | 4 | 2019-10-08 - 15:43 | about 5 years |
| 6.12.0-next.0 | Artistic-2.0 | 4 | 2019-09-26 - 19:06 | about 5 years |
| 6.11.3 | Artistic-2.0 | 4 | 2019-09-03 - 22:18 | about 5 years |
| 6.11.2 | Artistic-2.0 | 4 | 2019-08-22 - 19:01 | about 5 years |
| 6.11.1 | Artistic-2.0 | 4 | 2019-08-21 - 00:17 | about 5 years |
| 6.11.0 | Artistic-2.0 | 4 | 2019-08-20 - 18:07 | about 5 years |
| 6.10.3 | Artistic-2.0 | 4 | 2019-08-06 - 16:21 | about 5 years |
| 6.10.2 | Artistic-2.0 | 4 | 2019-07-23 - 16:28 | over 5 years |
| 6.10.2-next.3 | Artistic-2.0 | 4 | 2019-07-22 - 23:29 | over 5 years |
| 6.10.2-next.2 | Artistic-2.0 | 4 | 2019-07-21 - 22:00 | over 5 years |
| 6.10.2-next.1 | Artistic-2.0 | 4 | 2019-07-17 - 16:36 | over 5 years |
| 6.10.2-next.0 | Artistic-2.0 | 4 | 2019-07-16 - 23:51 | over 5 years |
| 6.10.1 | Artistic-2.0 | 4 | 2019-07-11 - 17:41 | over 5 years |
| 6.10.1-next.2 | Artistic-2.0 | 4 | 2019-07-10 - 22:29 | over 5 years |
| 6.10.1-next.1 | Artistic-2.0 | 4 | 2019-07-03 - 21:44 | over 5 years |
| 6.10.1-next.0 | Artistic-2.0 | 4 | 2019-07-03 - 17:45 | over 5 years |
| 6.10.0 | Artistic-2.0 | 4 | 2019-07-03 - 16:58 | over 5 years |
| 6.10.0-next.0 | Artistic-2.0 | 4 | 2019-07-01 - 18:12 | over 5 years |
| 6.9.2 | Artistic-2.0 | 4 | 2019-06-27 - 20:05 | over 5 years |
| 6.9.1-next.0 | Artistic-2.0 | 4 | 2019-03-20 - 20:58 | over 5 years |
| 6.9.0 | Artistic-2.0 | 4 | 2019-03-06 - 18:59 | over 5 years |
| 6.9.0-next.0 | Artistic-2.0 | 4 | 2019-02-21 - 00:00 | over 5 years |
| 6.8.0 | Artistic-2.0 | 4 | 2019-02-13 - 23:19 | over 5 years |
| 6.8.0-next.2 | Artistic-2.0 | 4 | 2019-02-07 - 19:38 | over 5 years |
| 6.8.0-next.1 | Artistic-2.0 | 4 | 2019-02-06 - 22:41 | over 5 years |
| 6.8.0-next.0 | Artistic-2.0 | 4 | 2019-01-31 - 20:04 | over 5 years |
| 6.7.0 | Artistic-2.0 | 4 | 2019-01-23 - 22:12 | almost 6 years |
| 6.6.0 | Artistic-2.0 | 4 | 2019-01-17 - 22:55 | almost 6 years |
| 6.6.0-next.1 | Artistic-2.0 | 4 | 2019-01-10 - 19:53 | almost 6 years |
| 6.6.0-next.0 | Artistic-2.0 | 4 | 2018-12-12 - 21:59 | almost 6 years |
| 6.5.0 | Artistic-2.0 | 4 | 2018-12-10 - 22:27 | almost 6 years |
| 6.5.0-next.0 | Artistic-2.0 | 4 | 2018-11-28 - 22:29 | almost 6 years |
| 6.4.1 | Artistic-2.0 | 4 | 2018-08-29 - 18:21 | about 6 years |
| 6.4.1-next.0 | Artistic-2.0 | 4 | 2018-08-23 - 01:27 | about 6 years |
| 6.4.0 | Artistic-2.0 | 4 | 2018-08-15 - 17:40 | about 6 years |
| 6.4.0-next.0 | Artistic-2.0 | 4 | 2018-08-09 - 04:11 | about 6 years |
| 6.3.0 | Artistic-2.0 | 4 | 2018-08-02 - 01:46 | about 6 years |
| 6.3.0-next.0 | Artistic-2.0 | 4 | 2018-07-25 - 21:19 | over 6 years |
| 6.2.0 | Artistic-2.0 | 4 | 2018-07-14 - 05:06 | over 6 years |
| 6.2.0-next.1 | Artistic-2.0 | 4 | 2018-07-05 - 18:48 | over 6 years |
| 6.2.0-next.0 | Artistic-2.0 | 4 | 2018-06-29 - 19:57 | over 6 years |
| 6.1.0 | Artistic-2.0 | 4 | 2018-05-24 - 05:28 | over 6 years |
| 6.1.0-next.0 | Artistic-2.0 | 4 | 2018-05-17 - 22:11 | over 6 years |
| 6.0.1 | Artistic-2.0 | 4 | 2018-05-10 - 04:08 | over 6 years |
| 6.0.1-next.0 | Artistic-2.0 | 4 | 2018-05-04 - 20:58 | over 6 years |
| 6.0.0 | Artistic-2.0 | 4 | 2018-04-24 - 05:48 | over 6 years |
| 6.0.0-next.2 | Artistic-2.0 | 4 | 2018-04-21 - 04:16 | over 6 years |
| 6.0.0-next.1 | Artistic-2.0 | 4 | 2018-04-13 - 21:30 | over 6 years |
| 6.0.0-next.0 | Artistic-2.0 | 4 | 2018-03-23 - 23:09 | over 6 years |
| 5.10.0 | Artistic-2.0 | 4 | 2018-05-11 - 21:26 | over 6 years |
| 5.10.0-next.1 | Artistic-2.0 | 4 | 2018-05-07 - 23:30 | over 6 years |
| 5.10.0-next.0 | Artistic-2.0 | 4 | 2018-04-13 - 21:17 | over 6 years |
| 5.9.0-next.0 | Artistic-2.0 | 4 | 2018-03-23 - 23:20 | over 6 years |
| 5.8.0 | Artistic-2.0 | 4 | 2018-03-23 - 10:07 | over 6 years |
| 5.8.0-next.0 | Artistic-2.0 | 4 | 2018-03-13 - 00:28 | over 6 years |
| 5.7.1 | Artistic-2.0 | 4 | 2018-02-22 - 17:28 | over 6 years |
| 5.7.0 | Artistic-2.0 | 5 | 2018-02-21 - 21:38 | over 6 years |
| 5.6.0 | Artistic-2.0 | 5 | 2017-11-28 - 03:40 | almost 7 years |
| 5.5.1 | Artistic-2.0 | 5 | 2017-10-04 - 16:49 | about 7 years |
| 5.5.0 | Artistic-2.0 | 5 | 2017-10-04 - 09:34 | about 7 years |
| 5.4.2 | Artistic-2.0 | 5 | 2017-09-15 - 00:49 | about 7 years |
| 5.4.1 | Artistic-2.0 | 5 | 2017-09-06 - 22:46 | about 7 years |
| 5.4.0 | Artistic-2.0 | 5 | 2017-08-23 - 01:00 | about 7 years |
| 5.3.0 | Artistic-2.0 | 5 | 2017-07-14 - 05:12 | over 7 years |
| 5.2.0 | Artistic-2.0 | 5 | 2017-07-11 - 00:48 | over 7 years |
| 5.1.0 | Artistic-2.0 | 5 | 2017-07-06 - 01:57 | over 7 years |
| 5.0.4 | Artistic-2.0 | 5 | 2017-06-26 - 18:55 | over 7 years |
| 5.0.3 | Artistic-2.0 | 5 | 2017-06-05 - 23:09 | over 7 years |
| 5.0.2 | Artistic-2.0 | 5 | 2017-06-02 - 23:46 | over 7 years |
| 5.0.1 | Artistic-2.0 | 5 | 2017-06-01 - 02:19 | over 7 years |
| 5.0.0 | Artistic-2.0 | 5 | 2017-05-26 - 03:27 | over 7 years |
| 4.6.1 | Artistic-2.0 | 5 | 2017-04-22 - 02:22 | over 7 years |
| 4.6.0 | Artistic-2.0 | 5 | 2017-04-22 - 01:14 | over 7 years |
| 4.5.0 | Artistic-2.0 | 5 | 2017-03-24 - 23:41 | over 7 years |
| 4.4.4 | Artistic-2.0 | 5 | 2017-03-16 - 23:58 | over 7 years |
| 4.4.3 | Artistic-2.0 | 5 | 2017-03-16 - 01:20 | over 7 years |
| 4.4.2 | Artistic-2.0 | 5 | 2017-03-10 - 01:09 | over 7 years |