Description
npm pack ignores root-level .gitignore and .npmignore file-exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files into the npm registry that they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0, by running `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
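As an added example (not part of the advisory or npm's own code), the check below audits the file list reported by `npm pack --dry-run --json` for a workspace package against the repository's root-level `.npmignore`, flagging any packed file the root rules should have excluded. The pack output and ignore file are constructed samples; the JSON field names (`files`, `path`) are assumed to match npm's output, and the matcher implements a simplified subset of gitignore semantics.

```python
"""Flag tarball entries that a root-level .npmignore should have excluded."""
import fnmatch
import json
from pathlib import PurePosixPath

# Constructed sample of `npm pack --dry-run --json` output for one workspace
# package; the "files" / "path" field names are assumed to match npm's output.
SAMPLE_PACK_JSON = json.dumps([{"name": "@example/pkg-a", "files": [
    {"path": "package.json"}, {"path": "lib/index.js"}, {"path": ".env"},
    {"path": "test/fixtures/secret.pem"}, {"path": "coverage/lcov.info"}]}])

# Constructed sample of the repository's root-level .npmignore.
ROOT_NPMIGNORE = """
# local secrets and build artefacts
.env
*.pem
coverage/
"""

def parse_ignore(text):
    """Return (pattern, negated) pairs, skipping blank lines and comments."""
    rules = []
    for ln in (raw.strip() for raw in text.splitlines()):
        if ln and not ln.startswith("#"):
            rules.append((ln.lstrip("!"), ln.startswith("!")))
    return rules

def is_ignored(path, rules):
    """Simplified gitignore matching: the last matching rule wins."""
    parts = PurePosixPath(path).parts
    ignored = False
    for pattern, negated in rules:
        dir_only, pat = pattern.endswith("/"), pattern.strip("/")
        if "/" in pat:            # anchored to the package root
            hit = fnmatch.fnmatchcase(path, pat) or path.startswith(pat + "/")
        elif dir_only:            # names a directory at any depth
            hit = any(fnmatch.fnmatchcase(p, pat) for p in parts[:-1])
        else:                     # matches any path component at any depth
            hit = any(fnmatch.fnmatchcase(p, pat) for p in parts)
        if hit:
            ignored = not negated
    return ignored

def leaked_files(pack_json, ignore_text):
    """(package, path) for every packed entry the root rules would exclude."""
    rules = parse_ignore(ignore_text)
    return [(pkg["name"], f["path"]) for pkg in json.loads(pack_json)
            for f in pkg["files"] if is_ignored(f["path"], rules)]
```

Running `leaked_files(SAMPLE_PACK_JSON, ROOT_NPMIGNORE)` on the samples reports `.env`, `test/fixtures/secret.pem` and `coverage/lcov.info`; against a real workspace, feed it the actual dry-run output before publishing.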
References (10)
Third Party Advisory: https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
Product, Third Party Advisory: https://github.com/npm/npm-packlist
Product, Third Party Advisory: https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
Product, Third Party Advisory: https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
Patch, Third Party Advisory: https://github.com/nodejs/node/pull/43210
Release Notes, Third Party Advisory: https://github.com/npm/cli/releases/tag/v8.11.0
Release Notes, Third Party Advisory: https://github.com/nodejs/node/releases/tag/v16.15.1
Release Notes, Third Party Advisory: https://github.com/nodejs/node/releases/tag/v17.9.1
Release Notes, Third Party Advisory: https://github.com/nodejs/node/releases/tag/v18.3.0
Third Party Advisory: https://security.netapp.com/advisory/ntap-20220722-0007/
Scores
CVSS v3: 7.5
EPSS: 0.0085
EPSS Percentile: 75.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (3)
netapp/ontap_select_deploy_administration_utility
npm/npm: 7.9.0 - 8.11.0
npmjs/npm: 7.9.0 - 8.11.0
Published: Jun 13, 2022
Tracked Since: Feb 18, 2026