npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0; run: `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

References:
https://github.com/nodejs/node/pull/43210
https://github.com/nodejs/node/releases/tag/v18.3.0
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/npm/npm-packlist
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/cli/releases/tag/v8.11.0
https://github.com/nodejs/node/releases/tag/v16.15.1
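Because the impact of this bug is files that were already shipped, the useful check on the defender's side is to audit a produced tarball against the ignore rules it should have honoured. The script below is an added example, not code from npm or from the advisory: it opens a package tarball (npm's layout places every entry under a `package/` prefix), parses `.npmignore`-style text with a deliberately simplified matcher (assumption: trailing `/` means a directory, a pattern without `/` matches any path segment, `!` negates; the real npm-packlist rules are richer), and lists the entries the ignore file says should not be there. The tarball and the ignore file are constructed inline so the example runs offline.

```python
import fnmatch
import io
import json
import tarfile


def _matches(path, pattern):
    """Simplified .npmignore/.gitignore matching (assumption: a subset of the real rules).

    - a trailing '/' anchors the pattern to a directory and matches everything under it
    - a pattern without '/' matches the basename or any directory segment
    - any other pattern is matched against the full path with fnmatch
    """
    pattern = pattern.strip()
    parts = path.split("/")
    if pattern.endswith("/"):
        name = pattern.rstrip("/")
        return any(fnmatch.fnmatch(seg, name) for seg in parts[:-1])
    if "/" not in pattern:
        return any(fnmatch.fnmatch(seg, pattern) for seg in parts)
    return fnmatch.fnmatch(path, pattern.lstrip("/"))


def load_ignore_patterns(text):
    """Parse ignore-file text into (patterns, negations), skipping blanks and comments."""
    patterns, negations = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            negations.append(line[1:])
        else:
            patterns.append(line)
    return patterns, negations


def unexpected_files(tarball_bytes, ignore_text):
    """Return tarball entries (minus npm's 'package/' prefix) that the ignore rules should have excluded."""
    patterns, negations = load_ignore_patterns(ignore_text)
    leaked = []
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name
            if path.startswith("package/"):
                path = path[len("package/"):]
            ignored = any(_matches(path, p) for p in patterns)
            kept = any(_matches(path, n) for n in negations)
            if ignored and not kept:
                leaked.append(path)
    return sorted(leaked)


def build_sample_tarball():
    """Constructed sample: what a workspace tarball might contain when ignore files were not honoured."""
    files = {
        "package/package.json": json.dumps({"name": "@example/pkg", "version": "1.0.0"}),
        "package/index.js": "module.exports = () => 'ok';\n",
        "package/.env": "API_TOKEN=placeholder-not-a-real-secret\n",
        "package/secrets/deploy-key.pem": "-----BEGIN PLACEHOLDER-----\n",
        "package/debug.log": "noise\n",
        "package/docs/keep.log": "documented\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed root-level .npmignore for the sample above.
SAMPLE_NPMIGNORE = """
# constructed root-level .npmignore
.env
secrets/
*.log
!docs/keep.log
"""


if __name__ == "__main__":
    for path in unexpected_files(build_sample_tarball(), SAMPLE_NPMIGNORE):
        print("should have been excluded:", path)
```

To audit a real package, run `npm pack` in the workspace (it writes a `.tgz` file), read that file's bytes, and pass them together with the contents of the root-level `.npmignore` (or `.gitignore`, when no `.npmignore` exists) to `unexpected_files`; any path it reports was shipped despite the exclusion rules. If a previously published version is affected, the files are already in the registry, so treat any credentials among them as exposed and rotate them in addition to upgrading npm.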
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 2098559]
Affects: fedora-all [bug 2098563]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2098564]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2098560]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2098565]

Created nodejs:15/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2098566]

Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2098561]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2098567]

Created nodejs:18/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2098568]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9, via RHSA-2022:6595: https://access.redhat.com/errata/RHSA-2022:6595
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-29244