Skip to content

Packing does not respect root-level ignore files in workspaces

Moderate
darcyclarke published GHSA-hj9c-8jmm-8c52 Jun 1, 2022

Package

npm npm (npm)

Affected versions

>=7.9.0, < 8.11.0

Patched versions

8.11.0

Description

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

  • Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
  • Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

  1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
  3. If you find that there are files included you did not expect, you should:
    3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
    3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
    3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

Severity

Moderate

CVE ID

CVE-2022-29244

Weaknesses

Credits