Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. npm
  4. ›
  5. GMS-2022-1719

GMS-2022-1719: Duplicate of ./npm/npm/CVE-2022-29244.yml

June 2, 2022

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

References

  • github.com/advisories/GHSA-hj9c-8jmm-8c52
  • github.com/nodejs/node/releases/tag/v16.15.1
  • github.com/nodejs/node/releases/tag/v17.9.1
  • github.com/nodejs/node/releases/tag/v18.3.0
  • github.com/npm/cli/releases/tag/v8.11.0
  • github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
  • github.com/npm/cli/tree/latest/workspaces/libnpmpack
  • github.com/npm/cli/tree/latest/workspaces/libnpmpublish
  • github.com/npm/npm-packlist

Code Behaviors & Features

Detect and mitigate GMS-2022-1719 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 7.9.0 before 8.11.0

Fixed versions

  • 8.11.0

Solution

Upgrade to version 8.11.0 or above.

Source file

npm/npm/GMS-2022-1719.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:14:35 +0000.