CVE-2022-29244: deps: upgrade npm to 8.11.0 by npm-cli-bot · Pull Request #43210 · nodejs/node

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0, by running: npm i -g npm@latest. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

Conversation

bengl pushed a commit that referenced this issue

May 30, 2022

PR-URL: #43210
Reviewed-By: Ruy Adorno [email protected]
Reviewed-By: Tobias Nießen [email protected]
Reviewed-By: Juan José Arboleda [email protected]
Reviewed-By: Mohammed Keyvanzadeh [email protected]
Reviewed-By: Beth Griggs [email protected]
Reviewed-By: Luigi Pinca [email protected]

bengl added a commit that referenced this issue

May 31, 2022

Notable changes:

* deps: update undici to 5.3.0 (Node.js GitHub Bot) #43197
* (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* deps: upgrade npm to 8.11.0 (npm team) #43210
* deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067
* (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740
* (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112

PR-URL: TBD

bengl mentioned this pull request

May 31, 2022

bengl added a commit that referenced this issue

May 31, 2022

Notable changes:

* deps: update undici to 5.3.0 (Node.js GitHub Bot) #43197
* (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* deps: upgrade npm to 8.11.0 (npm team) #43210
* deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067
* (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740
* (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112

PR-URL: #43266

juanarbol pushed a commit that referenced this issue

May 31, 2022

PR-URL: #43210
Reviewed-By: Ruy Adorno [email protected]
Reviewed-By: Tobias Nießen [email protected]
Reviewed-By: Juan José Arboleda [email protected]
Reviewed-By: Mohammed Keyvanzadeh [email protected]
Reviewed-By: Beth Griggs [email protected]
Reviewed-By: Luigi Pinca [email protected]

juanarbol pushed a commit that referenced this issue

Jun 1, 2022

PR-URL: #43210
Reviewed-By: Ruy Adorno [email protected]
Reviewed-By: Tobias Nießen [email protected]
Reviewed-By: Juan José Arboleda [email protected]
Reviewed-By: Mohammed Keyvanzadeh [email protected]
Reviewed-By: Beth Griggs [email protected]
Reviewed-By: Luigi Pinca [email protected]

bengl added a commit that referenced this issue

Jun 1, 2022

Notable changes:

* deps: update undici to 5.3.0 (Node.js GitHub Bot) #43197
* (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* deps: upgrade npm to 8.11.0 (npm team) #43210
* deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067
* (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740
* (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112
* (SEMVER-MINOR) Revert "build: make x86 Windows support temporarily experimental" (Michaël Zasso) #42740
  * This means 32-bit Windows binaries are back with this release.

PR-URL: #43266

juanarbol added a commit that referenced this issue

Jun 1, 2022

Notable changes

OpenSSL:

* add --openssl-legacy-provider option (Daniel Bevenius) #40478

deps:

* V8: cherry-pick 3ebf2052a1b2 (Liu Yu) #43147
* upgrade npm to 8.11.0 ([email protected]) #43210

Other notable changes:

* tools: disable trap handler for Windows cross-compiler (Michaël Zasso) #40488
* tools: update V8 gypfiles for 9.6 (Michaël Zasso) #40488

PR-URL: TBD

juanarbol added a commit that referenced this issue

Jun 1, 2022

Notable changes

OpenSSL:

* add --openssl-legacy-provider option (Daniel Bevenius) #40478

deps:

* V8: cherry-pick 3ebf2052a1b2 (Liu Yu) #43147
* upgrade npm to 8.11.0 ([email protected]) #43210

Other notable changes:

* tools: disable trap handler for Windows cross-compiler (Michaël Zasso) #40488
* tools: update V8 gypfiles for 9.6 (Michaël Zasso) #40488

PR-URL: #43272

juanarbol added a commit that referenced this issue

Jun 1, 2022

Notable Changes

* deps:
  * upgrade npm to 8.11.0 ([email protected]) #43210
* docs
  * add release key for RafaelGSS (Rafael Gonzaga) #43131
  * add release key for Juan Arboleda (Juan José) #42961

PR-URL: TBD

juanarbol added a commit that referenced this issue

Jun 1, 2022

Notable Changes

* deps:
  * upgrade npm to 8.11.0 ([email protected]) #43210
* docs
  * add release key for RafaelGSS (Rafael Gonzaga) #43131
  * add release key for Juan Arboleda (Juan José) #42961

PR-URL: #43272

juanarbol added a commit that referenced this issue

Jun 1, 2022

Notable changes:

  • deps: upgrade npm to 8.11.0 ([email protected]) #43210
  • doc:
    • add release key for RafaelGSS (Rafael Gonzaga) #43131
    • add release key for Juan Arboleda (Juan José) #42961

PR-URL: #43272

bengl added a commit that referenced this issue

Jun 1, 2022

Notable changes:

* deps: update undici to 5.4.0 (Node.js GitHub Bot) #43262
* (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* deps: upgrade npm to 8.11.0 (npm team) #43210
* deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067
* (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740
* (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112
* (SEMVER-MINOR) Revert "build: make x86 Windows support temporarily experimental" (Michaël Zasso) #42740
  * This means 32-bit Windows binaries are back with this release.

PR-URL: #43266

bengl added a commit that referenced this issue

Jun 2, 2022

Notable changes:

* deps: update undici to 5.4.0 (Node.js GitHub Bot) #43262
* (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) #42675
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* deps: upgrade npm to 8.11.0 (npm team) #43210
* deps: patch V8 to 10.2.154.4 (Michaël Zasso) #43067
* (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) #42740
* (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) #42601
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) #41397
* (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) #43112
* (SEMVER-MINOR) Revert "build: make x86 Windows support temporarily experimental" (Michaël Zasso) #42740
  * This means 32-bit Windows binaries are back with this release.

PR-URL: #43266

italojs pushed a commit to italojs/node that referenced this issue

Jun 6, 2022

Notable changes:

* deps: update undici to 5.4.0 (Node.js GitHub Bot) nodejs#43262
* (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) nodejs#42675
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) nodejs#41397
* deps: upgrade npm to 8.11.0 (npm team) nodejs#43210
* deps: patch V8 to 10.2.154.4 (Michaël Zasso) nodejs#43067
* (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) nodejs#42740
* (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) nodejs#42601
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) nodejs#41397
* (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) nodejs#43112
* (SEMVER-MINOR) Revert "build: make x86 Windows support temporarily experimental" (Michaël Zasso) nodejs#42740
  * This means 32-bit Windows binaries are back with this release.

PR-URL: nodejs#43266

Related news

Red Hat Security Advisory 2022-6595-01

Red Hat Security Advisory 2022-6595-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

RHSA-2022:6595: Red Hat Security Advisory: nodejs and nodejs-nodemon security and bug fix update

An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2020-7788: nodejs-ini: Prototype pollution via malicious INI file
* CVE-2020-28469: nodejs-glob-parent: Regular expression denial of service
* CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
* CVE-2021-33502: nodejs-normalize-url: ReDoS for data URLs
* CVE-2022-29244: nodejs: npm pac...

GHSA-hj9c-8jmm-8c52: Packing does not respect root-level ignore files in workspaces

### Impact

`npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of [v7.9.0](https://github.com/npm/cli/releases/tag/v7.9.0) & [v7.13.0](https://github.com/npm/cli/releases/tag/v7.13.0) respectively, may be affected and have published files into the npm registry they did not intend to include.

### Patch

- Upgrade to the latest, patched version of `npm` ([`v8.11.0`](https://github.com/npm/cli/releases/tag/v8.11.0)), run: `npm i -g npm@latest`
- Node.js versions [`v16.15.1`](https://github.com/nodejs/node/releases/tag/v16.15.1), [`v17.19.1`](https://github.com/nodejs/node/releases/tag/v17.9.1) & [`v18.3.0`](https://github.com/nodejs/node/releases/tag/v18.3.0) include the patched `v8.11.0` version of `npm`

#### Steps to take to see if you're impacted

1. Run `npm publish --dry-run` or `npm pack` wi...
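The impact check that the headline description and the advisory's "Steps to take" section point at, as an added example that is neither npm's code nor part of the advisory: it applies the root-level ignore file to the file list that `npm pack --dry-run --json` reports for a workspace package and returns the paths the root rules would have excluded, which is exactly what an affected npm version ships. The `files`/`path` shape of the pack JSON, matching against package-relative paths, and all sample inputs are assumptions or constructed data.

```python
# Added example (not npm's or the advisory's code): apply a ROOT-level .npmignore or
# .gitignore to the file list `npm pack --dry-run --json` reports for a workspace
# package. Assumption: patterns match against the package-relative paths it reports.
import json
import re

def _pattern_to_regex(pattern):
    """One gitignore-style pattern -> regex over a '/'-separated path."""
    anchored, dir_only = pattern.startswith("/"), pattern.endswith("/")
    pattern = pattern.strip("/")
    # A pattern without a slash matches at any depth; otherwise it is root-relative.
    prefix = r"(?:.*/)?" if not anchored and "/" not in pattern else ""
    body, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):        # '**/' spans zero or more dirs
            body, i = body + r"(?:.*/)?", i + 3
        elif pattern.startswith("**", i):       # trailing '**': everything below
            body, i = body + ".*", i + 2
        elif pattern[i] in "*?":                # wildcards stay inside one segment
            body, i = body + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            body, i = body + re.escape(pattern[i]), i + 1
    suffix = r"/.+$" if dir_only else r"(?:/.*)?$"   # 'dir/' needs a child path
    return re.compile("^" + prefix + body + suffix)

def load_ignore_rules(text):
    """Parse ignore-file text into (negated, regex) rules, in file order."""
    rules = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#"):
            rules.append((line.startswith("!"), _pattern_to_regex(line.lstrip("!"))))
    return rules

def is_ignored(path, rules):
    """gitignore semantics: the last rule that matches decides."""
    ignored = False
    for negated, rx in rules:
        if rx.match(path):
            ignored = not negated
    return ignored

def unintended_files(pack_json, root_ignore_text):
    """Paths npm would ship although the root-level ignore file excludes them."""
    rules = load_ignore_rules(root_ignore_text)
    return [f["path"] for tarball in json.loads(pack_json)
            for f in tarball["files"] if is_ignored(f["path"], rules)]

# Constructed sample: not real `npm pack` output and not a real ignore file.
SAMPLE_PACK_JSON = json.dumps([{"name": "@example/pkg-a", "files": [{"path": p} for p in [
    "package.json", "lib/index.js", ".env", "config/dev.pem",
    "test/fixtures/keep.pem", "coverage/lcov.info"]]}])
SAMPLE_ROOT_NPMIGNORE = "# root .npmignore\n.env\n*.pem\n!test/fixtures/*.pem\ncoverage/\n"
```

A non-empty result on a pre-8.11.0 npm means the workspace tarball would carry files the repository-level ignore rules were meant to keep out; an empty result on both old and new npm is the expected state after upgrading.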
