Headline
CVE-2022-29244: deps: upgrade npm to 8.11.0 by npm-cli-bot · Pull Request #43210 · nodejs/node
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
Conversation
bengl pushed a commit that referenced this issue
May 30, 2022
PR-URL: #43210 Reviewed-By: Ruy Adorno [email protected] Reviewed-By: Tobias Nießen [email protected] Reviewed-By: Juan José Arboleda [email protected] Reviewed-By: Mohammed Keyvanzadeh [email protected] Reviewed-By: Beth Griggs [email protected] Reviewed-By: Luigi Pinca [email protected]
bengl added a commit that referenced this issue
May 31, 2022
Notable changes:
* deps: update undici to 5.3.0 (Node.js GitHub Bot) #43197 * (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * deps: upgrade npm to 8.11.0 (npm team) #43210 * deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067 * (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740 * (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112
PR-URL: TBD
bengl mentioned this pull request
May 31, 2022
bengl added a commit that referenced this issue
May 31, 2022
Notable changes:
* deps: update undici to 5.3.0 (Node.js GitHub Bot) #43197 * (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * deps: upgrade npm to 8.11.0 (npm team) #43210 * deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067 * (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740 * (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112
PR-URL: #43266
juanarbol pushed a commit that referenced this issue
May 31, 2022
PR-URL: #43210 Reviewed-By: Ruy Adorno [email protected] Reviewed-By: Tobias Nießen [email protected] Reviewed-By: Juan José Arboleda [email protected] Reviewed-By: Mohammed Keyvanzadeh [email protected] Reviewed-By: Beth Griggs [email protected] Reviewed-By: Luigi Pinca [email protected]
juanarbol pushed a commit that referenced this issue
Jun 1, 2022
PR-URL: #43210 Reviewed-By: Ruy Adorno [email protected] Reviewed-By: Tobias Nießen [email protected] Reviewed-By: Juan José Arboleda [email protected] Reviewed-By: Mohammed Keyvanzadeh [email protected] Reviewed-By: Beth Griggs [email protected] Reviewed-By: Luigi Pinca [email protected]
bengl added a commit that referenced this issue
Jun 1, 2022
Notable changes:
* deps: update undici to 5.3.0 (Node.js GitHub Bot) #43197 * (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * deps: upgrade npm to 8.11.0 (npm team) #43210 * deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067 * (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740 * (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112 * (SEMVER-MINOR) Revert “build: make x86 Windows support temporarily experimental” (Michaël Zasso) [#42740](#42740) * This means 32-bit Windows binaries are back with this release.
PR-URL: #43266
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable changes
OpenSSL:
* add --openssl-legacy-provider option (Daniel Bevenius) #40478
deps:
* V8: cherry-pick 3ebf2052a1b2 (Liu Yu) #43147 * upgrade npm to 8.11.0 ([email protected]) #43210
Other notable changes:
* tools: disable trap handler for Windows cross-compiler (Michaël Zasso) #40488 * tools: update V8 gypfiles for 9.6 (Michaël Zasso) #40488
PR-URL: TDB
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable changes
OpenSSL:
* add --openssl-legacy-provider option (Daniel Bevenius) #40478
deps:
* V8: cherry-pick 3ebf2052a1b2 (Liu Yu) #43147 * upgrade npm to 8.11.0 ([email protected]) #43210
Other notable changes:
* tools: disable trap handler for Windows cross-compiler (Michaël Zasso) #40488 * tools: update V8 gypfiles for 9.6 (Michaël Zasso) #40488
PR-URL: #43272
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable changes
OpenSSL:
* add --openssl-legacy-provider option (Daniel Bevenius) #40478
deps:
* V8: cherry-pick 3ebf2052a1b2 (Liu Yu) #43147 * upgrade npm to 8.11.0 ([email protected]) #43210
Other notable changes:
* tools: disable trap handler for Windows cross-compiler (Michaël Zasso) #40488 * tools: update V8 gypfiles for 9.6 (Michaël Zasso) #40488
PR-URL: #43272
bengl added a commit that referenced this issue
Jun 1, 2022
Notable changes:
* deps: update undici to 5.3.0 (Node.js GitHub Bot) #43197 * (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * deps: upgrade npm to 8.11.0 (npm team) #43210 * deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067 * (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740 * (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112 * (SEMVER-MINOR) Revert “build: make x86 Windows support temporarily experimental” (Michaël Zasso) [#42740](#42740) * This means 32-bit Windows binaries are back with this release.
PR-URL: #43266
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable Changes
* deps: * upgrade npm to 8.11.0 ([email protected]) #43210
* docs * add release key for RafaelGSS (Rafael Gonzaga) #43131 * add release key for Juan Arboleda (Juan José) #42961
PR-URL: TDB
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable Changes
* deps: * upgrade npm to 8.11.0 ([email protected]) #43210
* docs * add release key for RafaelGSS (Rafael Gonzaga) #43131 * add release key for Juan Arboleda (Juan José) #42961
PR-URL: TDB
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable Changes
* deps: * upgrade npm to 8.11.0 ([email protected]) #43210
* docs * add release key for RafaelGSS (Rafael Gonzaga) #43131 * add release key for Juan Arboleda (Juan José) #42961
PR-URL: TDB
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable Changes
* deps: * upgrade npm to 8.11.0 ([email protected]) #43210
* docs * add release key for RafaelGSS (Rafael Gonzaga) #43131 * add release key for Juan Arboleda (Juan José) #42961
PR-URL: #43272
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable changes:
- deps: upgrade npm to 8.11.0 ([email protected]) #43210
- doc:
- add release key for RafaelGSS (Rafael Gonzaga) #43131
- add release key for Juan Arboleda (Juan José) #42961
PR-URL: #43272
bengl added a commit that referenced this issue
Jun 1, 2022
Notable changes:
* deps: update undici to 5.4.0 (Node.js GitHub Bot) #43262 * (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * deps: upgrade npm to 8.11.0 (npm team) #43210 * deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067 * (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740 * (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112 * (SEMVER-MINOR) Revert “build: make x86 Windows support temporarily experimental” (Michaël Zasso) [#42740](#42740) * This means 32-bit Windows binaries are back with this release.
PR-URL: #43266
juanarbol added a commit that referenced this issue
Jun 1, 2022
Notable changes:
- deps: upgrade npm to 8.11.0 ([email protected]) #43210
- doc:
- add release key for RafaelGSS (Rafael Gonzaga) #43131
- add release key for Juan Arboleda (Juan José) #42961
PR-URL: #43272
bengl added a commit that referenced this issue
Jun 2, 2022
Notable changes:
* deps: update undici to 5.4.0 (Node.js GitHub Bot) #43262 * (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * deps: upgrade npm to 8.11.0 (npm team) #43210 * deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067 * (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740 * (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397 * (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112 * (SEMVER-MINOR) Revert “build: make x86 Windows support temporarily experimental” (Michaël Zasso) [#42740](#42740) * This means 32-bit Windows binaries are back with this release.
PR-URL: #43266
italojs pushed a commit to italojs/node that referenced this issue
Jun 6, 2022
italojs pushed a commit to italojs/node that referenced this issue
Jun 6, 2022
Notable changes:
* deps: update undici to 5.4.0 (Node.js GitHub Bot) nodejs#43262 * (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) nodejs#42675 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) nodejs#41397 * deps: upgrade npm to 8.11.0 (npm team) nodejs#43210 * deps: patch V8 to 10.2.154.4 (Michaël Zasso) nodejs#43067 * (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) nodejs#42740 * (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) nodejs#42601 * (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) nodejs#41397 * (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) nodejs#43112 * (SEMVER-MINOR) Revert “build: make x86 Windows support temporarily experimental” (Michaël Zasso) [nodejs#42740](nodejs#42740) * This means 32-bit Windows binaries are back with this release.
PR-URL: nodejs#43266
Related news
Red Hat Security Advisory 2022-6595-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7788: nodejs-ini: Prototype pollution via malicious INI file * CVE-2020-28469: nodejs-glob-parent: Regular expression denial of service * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2021-33502: nodejs-normalize-url: ReDoS for data URLs * CVE-2022-29244: nodejs: npm pac...
### Impact `npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of [v7.9.0](https://github.com/npm/cli/releases/tag/v7.9.0) & [v7.13.0](https://github.com/npm/cli/releases/tag/v7.13.0) respectively, may be affected and have published files into the npm registry they did not intend to include. ### Patch - Upgrade to the latest, patched version of `npm` ([`v8.11.0`](https://github.com/npm/cli/releases/tag/v8.11.0)), run: `npm i -g npm@latest` - Node.js versions [`v16.15.1`](https://github.com/nodejs/node/releases/tag/v16.15.1), [`v17.19.1`](https://github.com/nodejs/node/releases/tag/v17.9.1) & [`v18.3.0`](https://github.com/nodejs/node/releases/tag/v18.3.0) include the patched `v8.11.0` version of `npm` #### Steps to take to see if you're impacted 1. Run `npm publish --dry-run` or `npm pack` wi...