QwikSec

Security Database

CVE

CWE

Training

CVE-2022-29244

Published: Jun 13, 2022

Modified: Apr 23, 2025

PUBLISHED

Description

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

Vendor	Product	Versions
npm	npm	affected `7.9.0 - < 7.9.0*` affected `8.11.0 - < 8.11.0`

Weaknesses (CWE)

References

https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52

x_refsource_MISC

https://github.com/npm/npm-packlist

x_refsource_MISC

https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish

x_refsource_MISC

https://github.com/npm/cli/tree/latest/workspaces/libnpmpack

x_refsource_MISC

https://github.com/nodejs/node/pull/43210

x_refsource_MISC

https://github.com/npm/cli/releases/tag/v8.11.0

x_refsource_MISC

https://github.com/nodejs/node/releases/tag/v16.15.1

x_refsource_MISC

https://github.com/nodejs/node/releases/tag/v17.9.1

x_refsource_MISC

https://github.com/nodejs/node/releases/tag/v18.3.0

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220722-0007/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.