Impact
npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.
Patch
- Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
- Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm
Steps to take to see if you're impacted
1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
2. Check the output in your terminal, which will list the package contents (note: tar -tvf <package-on-disk> also works)
3. If you find that there are files included you did not expect, you should:
   3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
   3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
   3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
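The tarball listing check in step 2 can be made repeatable, which matters when a monorepo has many workspaces to audit. The script below is an added example and is not part of the advisory or of npm itself: instead of running npm pack (which needs a registry and the affected npm version), it constructs a tarball laid out like npm pack output, with a root-level .npmignore that a vulnerable npm would have ignored, and then lists the archive with tar and reports every entry an ignore pattern should have excluded. The pattern matching is a deliberately simplified stand-in for npm-packlist's rules (path, basename, or anything under a listed directory), and the file names and the TOKEN value are constructed.

```shell
#!/bin/sh
# Added example, not code from the npm advisory: audit the file listing of a
# packed tarball against .npmignore-style patterns, i.e. the manual check the
# advisory describes (tar -tvf <package-on-disk>) turned into a script.
set -eu

# Print tarball entries that an ignore file should have excluded, sorted.
# Pattern matching is a simplified stand-in for npm-packlist's rules:
# a pattern matches a full relative path, a basename, or anything below a
# listed directory. Usage: unexpected_entries <tarball> <ignore-file>
unexpected_entries() {
  tarball=$1
  ignorefile=$2
  tar -tf "$tarball" | LC_ALL=C sort | while IFS= read -r entry; do
    case $entry in */) continue ;; esac      # skip directory entries
    rel=${entry#package/}                    # npm pack prefixes "package/"
    while IFS= read -r pat || [ -n "$pat" ]; do
      case $pat in ''|'#'*) continue ;; esac # blank lines and comments
      pat=${pat%/}                           # "coverage/" -> "coverage"
      case $rel in
        $pat|$pat/*|*/$pat|*/$pat/*) printf '%s\n' "$entry"; break ;;
      esac
    done < "$ignorefile"
  done
}

# Build a constructed stand-in for "npm pack" output: a package tarball that
# wrongly contains files a root-level .npmignore lists. Prints the directory.
# (npm pack writes a gzipped .tgz; tar -tf reads that the same way.)
make_sample_tarball() {
  dir=$(mktemp -d)
  mkdir -p "$dir/package/coverage"
  printf '{"name":"foo","version":"1.0.0"}\n' > "$dir/package/package.json"
  printf 'module.exports = {};\n' > "$dir/package/index.js"
  printf 'TOKEN=constructed-placeholder\n' > "$dir/package/.env"
  printf 'TN:\nend_of_record\n' > "$dir/package/coverage/lcov.info"
  printf '.env\ncoverage/\n*.log\n' > "$dir/.npmignore"
  (cd "$dir" && tar -cf foo-1.0.0.tar package)
  printf '%s\n' "$dir"
}

# Exit status 1 when anything unexpected is in the tarball, so a CI job can
# refuse to publish. Usage: audit_tarball <tarball> <ignore-file>
audit_tarball() {
  found=$(unexpected_entries "$1" "$2")
  if [ -n "$found" ]; then
    printf 'unexpected entries in %s:\n%s\n' "$1" "$found" >&2
    return 1
  fi
  return 0
}

# Run with --demo to see the constructed case: .env and coverage/lcov.info
# are reported even though the root .npmignore lists them.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_tarball)
  audit_tarball "$d/foo-1.0.0.tar" "$d/.npmignore" || true
fi
```

Against a real package, point audit_tarball at the .tgz that npm pack wrote and at the root .npmignore (or .gitignore when no .npmignore exists); a non-zero exit is the signal to follow step 3 rather than publish.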
References
- npm-packlist
- libnpmpack
- libnpmpublish