Vulnerability Description
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0, by running `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
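As an added check (not part of the advisory or of npm's own code), the script below audits the file listing of a tarball produced for a workspace package against the root-level .npmignore rules that the vulnerable npm versions skipped, reporting entries that should have been excluded. The ignore matching is a simplified gitignore subset written for this example rather than npm-packlist's logic, and the rules and tarball listing are constructed samples.

```python
import fnmatch

# npm ships package.json, README, LICENSE and CHANGELOG regardless of ignore rules.
ALWAYS_INCLUDED = ("readme", "license", "licence", "changelog")

def _matches(pattern, rel_path):
    """Simplified gitignore match (assumption, not npm-packlist's logic): '/' in a
    pattern anchors it at the repo root, a trailing '/' means directory only,
    and a bare pattern matches any path component of rel_path."""
    pattern = pattern.strip()
    if not pattern or pattern.startswith("#"):
        return False
    dir_only = pattern.endswith("/")
    anchored = pattern.startswith("/") or "/" in pattern.strip("/")
    pattern = pattern.strip("/")
    parts = rel_path.split("/")
    if anchored:
        depth = pattern.count("/") + 1
        if dir_only and len(parts) <= depth:
            return False
        return fnmatch.fnmatchcase("/".join(parts[:depth]), pattern)
    last = len(parts) - 1 if dir_only else len(parts)
    return any(fnmatch.fnmatchcase(p, pattern) for p in parts[:last])

def is_ignored(patterns, rel_path):
    """Last matching rule wins; a leading '!' re-includes the path."""
    ignored = False
    for pat in patterns:
        pat = pat.strip()
        negate = pat.startswith("!")
        if _matches(pat[1:] if negate else pat, rel_path):
            ignored = not negate
    return ignored

def leaked_files(tarball_entries, root_patterns, workspace_rel):
    """Return `tar -tzf` entries ('package/...') of a workspace tarball that the
    root-level ignore file would have excluded; workspace_rel is the
    workspace's path inside the repo (e.g. 'packages/api')."""
    leaked = []
    for entry in tarball_entries:
        inner = entry[len("package/"):] if entry.startswith("package/") else entry
        name = inner.rsplit("/", 1)[-1].lower()
        if not name or name == "package.json" or name.startswith(ALWAYS_INCLUDED):
            continue  # always packed by npm, so never a leak
        if is_ignored(root_patterns, f"{workspace_rel.strip('/')}/{inner}"):
            leaked.append(entry)
    return leaked

# Constructed sample: root .npmignore rules plus the listing of a tarball that
# `npm pack -w packages/api` produced under a vulnerable npm (>= 7.9.0, < 8.11.0).
ROOT_NPMIGNORE = [".env", "*.pem", "!example.pem", "coverage/", "/internal-docs/"]
SAMPLE_TARBALL = ["package/package.json", "package/README.md", "package/lib/index.js",
                  "package/.env", "package/certs/server.pem", "package/certs/example.pem",
                  "package/coverage/lcov.info", "package/internal-docs/notes.md"]
```

Calling `leaked_files(SAMPLE_TARBALL, ROOT_NPMIGNORE, "packages/api")` flags `.env`, `certs/server.pem` and `coverage/lcov.info`, while the root-anchored `/internal-docs/` rule correctly does not apply inside the workspace. On a real repository, feed it the `tar -tzf` output of the tarball you published and the lines of the root .npmignore.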
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Npmjs | Npm | >= 7.9.0, < 8.11.0 |
| Netapp | Ontap Select Deploy Administration Utility | - |
Related Weaknesses (CWE)
References
- https://github.com/nodejs/node/pull/43210 (Patch, Third Party Advisory)
- https://github.com/nodejs/node/releases/tag/v16.15.1 (Release Notes, Third Party Advisory)
- https://github.com/nodejs/node/releases/tag/v17.9.1 (Release Notes, Third Party Advisory)
- https://github.com/nodejs/node/releases/tag/v18.3.0 (Release Notes, Third Party Advisory)
- https://github.com/npm/cli/releases/tag/v8.11.0 (Release Notes, Third Party Advisory)
- https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52 (Third Party Advisory)
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpack (Product, Third Party Advisory)
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish (Product, Third Party Advisory)
- https://github.com/npm/npm-packlist (Product, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220722-0007/ (Third Party Advisory)
FAQ
What is CVE-2022-29244?
CVE-2022-29244 is a vulnerability with a CVSS score of 7.5 (HIGH). npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pac...
How severe is CVE-2022-29244?
CVE-2022-29244 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-29244?
Check the references section above for vendor advisories and patch information. Affected products include: Npmjs Npm, Netapp Ontap Select Deploy Administration Utility.