Skip to content

Packing does not respect root-level ignore files in workspaces

Moderate
darcyclarke published GHSA-hj9c-8jmm-8c52 Jun 1, 2022

Package

npm npm (npm)

Affected versions

>=7.9.0, < 8.11.0

Patched versions

8.11.0

Description

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

  • Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
  • Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

  1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
  3. If you find that there are files included you did not expect, you should:
    3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
    3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
    3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

Severity

Moderate

CVE ID

CVE-2022-29244

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Credits