{ "schema_version": "1.4.0", "id": "GHSA-hj9c-8jmm-8c52", "modified": "2022-06-29T21:50:23Z", "published": "2022-06-02T15:37:27Z", "aliases": [ "CVE-2022-29244" ], "summary": "Packing does not respect root-level ignore files in workspaces", "details": "### Impact\n`npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` with workspaces, as of [v7.9.0](https://github.com/npm/cli/releases/tag/v7.9.0) & [v7.13.0](https://github.com/npm/cli/releases/tag/v7.13.0) respectively, may be affected and have published files into the npm registry they did not intend to include.\n\n### Patch\n- Upgrade to the latest, patched version of `npm` ([`v8.11.0`](https://github.com/npm/cli/releases/tag/v8.11.0) or greater), run: `npm i -g npm@latest`\n- Node.js versions [`v16.15.1`](https://github.com/nodejs/node/releases/tag/v16.15.1), [`v17.19.1`](https://github.com/nodejs/node/releases/tag/v17.9.1) & [`v18.3.0`](https://github.com/nodejs/node/releases/tag/v18.3.0) include the patched `v8.11.0` version of `npm`\n\n#### Steps to take to see if you're impacted\n1. Run `npm publish --dry-run` or `npm pack` with an `npm` version `>=7.9.0` & `<8.11.0` inside the project's root directory using a workspace flag like: `--workspaces` or `--workspace=` (ex. `npm pack --workspace=foo`)\n2. Check the output in your terminal which will list the package contents (note: `tar -tvf ` also works)\n3. If you find that there are files included you did not expect, you should:\n 3.1. Create & publish a new release excluding those files (ref. [\"Keeping files out of your Package\"](https://docs.npmjs.com/cli/v8/using-npm/developers#keeping-files-out-of-your-package))\n 3.2. Deprecate the old package (ex. `npm deprecate [@] `)\n 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed\n### References\n- [CVE-2022-29244](https://nvd.nist.gov/vuln/detail/CVE-2022-29244)\n- [`npm-packlist`](https://github.com/npm/npm-packlist)\n- [`libnpmpack`](https://github.com/npm/cli/tree/latest/workspaces/libnpmpack)\n- [`libnpmpublish`](https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish)", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "npm" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.9.0" }, { "fixed": "8.11.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29244" }, { "type": "WEB", "url": "https://github.com/nodejs/node/pull/43210" }, { "type": "WEB", "url": "https://github.com/nodejs/node/releases/tag/v16.15.1" }, { "type": "WEB", "url": "https://github.com/nodejs/node/releases/tag/v17.9.1" }, { "type": "WEB", "url": "https://github.com/nodejs/node/releases/tag/v18.3.0" }, { "type": "WEB", "url": "https://github.com/npm/cli" }, { "type": "WEB", "url": "https://github.com/npm/cli/releases/tag/v8.11.0" }, { "type": "WEB", "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpack" }, { "type": "WEB", "url": "https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish" }, { "type": "WEB", "url": "https://github.com/npm/npm-packlist" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220722-0007" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-06-02T15:37:27Z", "nvd_published_at": "2022-06-13T14:15:00Z" } }