Headline
GHSA-hj9c-8jmm-8c52: Packing does not respect root-level ignore files in workspaces
Impact
npm pack
ignores root-level .gitignore
& .npmignore
file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces
, --workspace=<name>
). Anyone who has run npm pack
or npm publish
inside a workspace, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.
Patch
- Upgrade to the latest, patched version of
npm
(v8.11.0
), run:npm i -g npm@latest
- Node.js versions
v16.15.1
,v17.19.1
&v18.3.0
include the patchedv8.11.0
version ofnpm
Steps to take to see if you’re impacted
- Run
npm publish --dry-run
ornpm pack
with annpm
version>=7.9.0
&<8.11.0
inside the project’s root directory using a workspace flag like:--workspaces
or--workspace=<name>
(ex.npm pack --workspace=foo
) - Check the output in your terminal which will list the package contents (note:
tar -tvf <package-on-disk>
also works) - If you find that there are files included you did not expect, you should:
3.1. Create & publish a new release excluding those files (ref. “Keeping files out of your Package”)
3.2. Deprecate the old package (ex.
npm deprecate <pkg>[@<version>] <message>
) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
References
Packing does not respect root-level ignore files in workspaces
Moderate severity GitHub Reviewed Published Jun 2, 2022 in npm/cli • Updated Jun 2, 2022
Package
npm npm (npm )
Affected versions
>= 7.9.0, < 8.11.0
Patched versions
8.11.0
Description
Impact
npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.
Patch
- Upgrade to the latest, patched version of npm (v8.11.0), run: npm i -g npm@latest
- Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm
Steps to take to see if you’re impacted
- Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project’s root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
- Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
- If you find that there are files included you did not expect, you should:
3.1. Create & publish a new release excluding those files (ref. “Keeping files out of your Package”)
3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
References
- CVE-2022-29244
- npm-packlist
- libnpmpack
- libnpmpublish
References
- GHSA-hj9c-8jmm-8c52
- https://github.com/nodejs/node/releases/tag/v16.15.1
- https://github.com/nodejs/node/releases/tag/v17.9.1
- https://github.com/nodejs/node/releases/tag/v18.3.0
- https://github.com/npm/cli/releases/tag/v8.11.0
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
- https://github.com/npm/npm-packlist
darcyclarke published the maintainer security advisory
Jun 1, 2022
Severity
Moderate
Weaknesses
CWE-200
CVE ID
CVE-2022-29244
GHSA ID
GHSA-hj9c-8jmm-8c52
Source code
npm/cli/
Credits
- bnb
Improvements are not currently accepted on this advisory because it uses an unsupported versioning operator. Read more and discuss here.
Related news
Red Hat Security Advisory 2022-6595-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7788: nodejs-ini: Prototype pollution via malicious INI file * CVE-2020-28469: nodejs-glob-parent: Regular expression denial of service * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2021-33502: nodejs-normalize-url: ReDoS for data URLs * CVE-2022-29244: nodejs: npm pac...
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.