
Packing does not respect root-level ignore files in workspaces

Moderate severity • GitHub Reviewed • Published Jun 2, 2022 in npm/cli • Updated Jun 2, 2022

Package

npm (npm)

Affected versions

>= 7.9.0, < 8.11.0

Patched versions

8.11.0

Description

Impact

npm pack ignores root-level .gitignore and .npmignore exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>): files that only the repository's root-level ignore file excludes are packed anyway. Workspace support arrived in npm pack in v7.9.0 and in npm publish in v7.13.0, so anyone who has run npm pack or npm publish inside a workspace with those or later versions (before v8.11.0) may be affected and may have published files to the npm registry they did not intend to include.

Patch

  • Upgrade to the latest, patched version of npm (v8.11.0): npm i -g npm@latest
  • Node.js versions v16.15.1, v17.9.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you’re impacted

  1. Run npm publish --dry-run or npm pack with an affected npm version (>=7.9.0 & <8.11.0, so that the listing reproduces what that version actually packed) inside the project's root directory, using a workspace flag like --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal, which lists the package contents (note: tar -tvf <package-on-disk> also works on a tarball you already have, and does not depend on the npm version installed)
  3. If files are included that you did not expect, you should:
    3.1. Create & publish a new release excluding those files (ref. “Keeping files out of your Package”)
    3.2. Deprecate the old version (ex. npm deprecate <pkg>[@<version>] <message>); deprecating warns installers but does not remove the already-published tarball from the registry
    3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed, since the published files are already public
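The steps above leave the comparison itself to the reader: take the listing from step 2 and decide which entries the root-level ignore file should have excluded. The script below is an added example, not code from npm or from the advisory, that automates that comparison. It compiles a root .npmignore/.gitignore with the usual gitignore semantics (comments, `*`/`**`/`?` globs, trailing `/` for directories, a leading or inner `/` anchoring the pattern to the root, `!` negation with last-match-wins), evaluates every packed path relative to the monorepo root (so anchored patterns such as `/packages/foo/scratch/` work as they would from the root), and accepts either `tar -tvf` paths with their `package/` prefix or the `files[].path` entries of `npm pack --json` output. The ignore file, the workspace path `packages/foo`, and the pack listing are constructed samples; the exact shape of `npm pack --json` output (an array of packages, each with a `files` list of `{path, size, mode}`) is assumed.

```javascript
// Added example (not npm's code): audit a workspace package's file list
// against the monorepo's root-level ignore file, the check npm 7.9.0 up to
// 8.10.x skipped when packing with --workspace / --workspaces.

// Turn one gitignore-style glob into a RegExp source fragment.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    if (glob.startsWith('**/', i)) { re += '(?:.*/)?'; i += 2; continue; } // zero or more dirs
    if (glob.startsWith('**', i)) { re += '.*'; i += 1; continue; }          // anything, incl. '/'
    const c = glob[i];
    if (c === '*') re += '[^/]*';                        // anything within one segment
    else if (c === '?') re += '[^/]';
    else re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');  // literal character
  }
  return re;
}

// Compile the text of a .npmignore/.gitignore into ordered rules (last match wins).
function compileIgnore(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    let line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const negate = line.startsWith('!');
    if (negate) line = line.slice(1);
    const dirOnly = line.endsWith('/');
    if (dirOnly) line = line.slice(0, -1);
    const anchored = line.includes('/');           // a slash inside the pattern anchors it to the root
    if (line.startsWith('/')) line = line.slice(1);
    const prefix = anchored ? '^' : '^(?:.*/)?';   // unanchored patterns match at any depth
    const suffix = dirOnly ? '/.*$' : '(?:/.*)?$'; // a matched directory ignores everything beneath it
    rules.push({ negate, re: new RegExp(prefix + globToRegExp(line) + suffix), source: raw.trim() });
  }
  return rules;
}

// Returns the source text of the rule that finally ignores relPath, or null.
function matchIgnore(relPath, rules) {
  let ignoredBy = null;
  for (const r of rules) if (r.re.test(relPath)) ignoredBy = r.negate ? null : r.source;
  return ignoredBy;
}

// `tar -tvf foo-1.2.3.tgz` prints paths under "package/"; `npm pack --json`
// lists them without that prefix. Normalise both to workspace-relative paths.
function normalizePackPath(p) {
  return p.replace(/^\.\//, '').replace(/^package\//, '');
}

// Report every packed file the root ignore file says should not be there.
// workspaceDir is the workspace's path relative to the monorepo root
// (e.g. "packages/foo"), so root-anchored rules are evaluated from the root.
function findIgnoredFiles(packedPaths, workspaceDir, rootIgnoreText) {
  const rules = compileIgnore(rootIgnoreText);
  const leaks = [];
  for (const raw of packedPaths) {
    const rel = normalizePackPath(raw);
    const fromRoot = workspaceDir ? `${workspaceDir}/${rel}` : rel;
    const rule = matchIgnore(fromRoot, rules);
    if (rule) leaks.push({ path: rel, rule });
  }
  return leaks;
}

// Same check fed from `npm pack --dry-run --json` output (assumed shape).
function auditPackJson(packJson, workspaceDir, rootIgnoreText) {
  const paths = packJson.flatMap((pkg) => pkg.files.map((f) => f.path));
  return findIgnoredFiles(paths, workspaceDir, rootIgnoreText);
}

// Constructed sample: root-level .npmignore of a monorepo (hypothetical).
const ROOT_NPMIGNORE = `
# secrets and local material that must never ship
.env
*.pem
!**/test/fixtures/*.pem
/packages/foo/scratch/
`;

// Constructed sample shaped like \`npm pack --dry-run --workspace=foo --json\`.
const SAMPLE_PACK_JSON = [{
  name: 'foo', version: '1.2.3', filename: 'foo-1.2.3.tgz',
  files: [
    { path: 'package.json', size: 220, mode: 420 },
    { path: 'index.js', size: 1024, mode: 420 },
    { path: '.env', size: 48, mode: 384 },
    { path: 'certs/server.pem', size: 1704, mode: 384 },
    { path: 'test/fixtures/sample.pem', size: 900, mode: 420 },
    { path: 'scratch/notes.txt', size: 130, mode: 420 },
  ],
}];

const report = auditPackJson(SAMPLE_PACK_JSON, 'packages/foo', ROOT_NPMIGNORE);
for (const { path, rule } of report) console.log(`LEAK ${path}  (root ignore rule: ${rule})`);
```

Run it with a patched npm and the report should be empty; run it over the listing produced by an affected version (or over `tar -tvf` of a tarball already on the registry) and every reported path is a candidate for step 3. The negation rule in the sample shows why the full rule order matters: `test/fixtures/sample.pem` is deliberately shipped even though `*.pem` would otherwise exclude it.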


References

  • GHSA-hj9c-8jmm-8c52
  • https://github.com/nodejs/node/releases/tag/v16.15.1
  • https://github.com/nodejs/node/releases/tag/v17.9.1
  • https://github.com/nodejs/node/releases/tag/v18.3.0
  • https://github.com/npm/cli/releases/tag/v8.11.0
  • https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
  • https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
  • https://github.com/npm/npm-packlist

darcyclarke published the maintainer security advisory

Jun 1, 2022

Severity

Moderate

Weaknesses

CWE-200

CVE ID

CVE-2022-29244

GHSA ID

GHSA-hj9c-8jmm-8c52

Source code

npm/cli/

Credits

  • bnb


Related news

Red Hat Security Advisory 2022-6595-01

Red Hat Security Advisory 2022-6595-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

RHSA-2022:6595: Red Hat Security Advisory: nodejs and nodejs-nodemon security and bug fix update

An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
  • CVE-2020-7788: nodejs-ini: Prototype pollution via malicious INI file
  • CVE-2020-28469: nodejs-glob-parent: Regular expression denial of service
  • CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • CVE-2021-33502: nodejs-normalize-url: ReDoS for data URLs
  • CVE-2022-29244: nodejs: npm pac...

CVE-2022-29244: deps: upgrade npm to 8.11.0 by npm-cli-bot · Pull Request #43210 · nodejs/node

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0: `npm i -g npm@latest`. Node.js versions v16.15.1, v17.9.1, and v18.3.0 include the patched v8.11.0 version of npm.