CVE-2022-29244

Name
CVE-2022-29244
Description
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0; run `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                  URI
MISC                  https://github.com/nodejs/node/pull/43210
MISC                  https://github.com/nodejs/node/releases/tag/v18.3.0
MISC                  https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
MISC                  https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
MISC                  https://github.com/nodejs/node/releases/tag/v17.9.1
MISC                  https://github.com/npm/npm-packlist
MISC                  https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
MISC                  https://github.com/npm/cli/releases/tag/v8.11.0
MISC                  https://github.com/nodejs/node/releases/tag/v16.15.1
Third Party Advisory  https://security.netapp.com/advisory/ntap-20220722-0007/

Match rules

CPE URI                                   Source package  Min version  Max version
cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*      npm             >= 7.9.0     < 8.11.0

Vulnerable and fixed packages

Source package  Branch     Version    Maintainer                          Status
npm             3.15-main  8.1.3-r0   Jakub Jirutka <jakub@jirutka.cz>    possibly vulnerable
npm             3.14-main  7.17.0-r0  Jakub Jirutka <jakub@jirutka.cz>    possibly vulnerable