chore(deps): update dependency npm to 8.11.0 [security]
Created by: renovate[bot]
This PR contains the following updates:
Package | Change |
---|---|
npm | 8.10.0 -> 8.11.0 |
GitHub Vulnerability Alerts
CVE-2022-29244
Impact
npm pack
ignores root-level .gitignore
& .npmignore
file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces
, --workspace=<name>
). Anyone who has run npm pack
or npm publish
inside a workspace, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.
Patch
- Upgrade to the latest, patched version of
npm
(v8.11.0
), run:npm i -g npm@latest
- Node.js versions
v16.15.1
,v17.19.1
&v18.3.0
include the patchedv8.11.0
version ofnpm
Steps to take to see if you're impacted
- Run
npm publish --dry-run
ornpm pack
with annpm
version>=7.9.0
&<8.11.0
inside the project's root directory using a workspace flag like:--workspaces
or--workspace=<name>
(ex.npm pack --workspace=foo
) - Check the output in your terminal which will list the package contents (note:
tar -tvf <package-on-disk>
also works) - If you find that there are files included you did not expect, you should:
3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
3.2. Deprecate the old package (ex.
npm deprecate <pkg>[@​<version>] <message>
) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
References
Configuration
-
If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.