chore(deps): update dependency npm to 8.11.0 [security]
Created by: renovate[bot]
This PR contains the following updates:
| Package | Change |
|---|---|
| npm | 8.9.0 -> 8.11.0 |
GitHub Vulnerability Alerts
CVE-2022-29244
Impact
npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.
Patch
- Upgrade to the latest, patched version of
npm(v8.11.0), run:npm i -g npm@latest - Node.js versions
v16.15.1,v17.19.1&v18.3.0include the patchedv8.11.0version ofnpm
Steps to take to see if you're impacted
- Run
npm publish --dry-runornpm packwith annpmversion>=7.9.0&<8.11.0inside the project's root directory using a workspace flag like:--workspacesor--workspace=<name>(ex.npm pack --workspace=foo) - Check the output in your terminal which will list the package contents (note:
tar -tvf <package-on-disk>also works) - If you find that there are files included you did not expect, you should:
3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
3.2. Deprecate the old package (ex.
npm deprecate <pkg>[@​<version>] <message>) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
References
Configuration
-
If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.