GHSA-hj9c-8jmm-8c52

Source
https://github.com/advisories/GHSA-hj9c-8jmm-8c52
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-hj9c-8jmm-8c52/GHSA-hj9c-8jmm-8c52.json
Aliases
Published
2022-06-02T15:37:27Z
Modified
2023-11-08T04:09:11.980528Z
Summary
Packing does not respect root-level ignore files in workspaces
Details

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and may have published files into the npm registry they did not intend to include.

Patch

  • Upgrade to the latest, patched version of npm (v8.11.0 or greater); run: npm i -g npm@latest
  • Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

  1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
  3. If you find that there are files included you did not expect, you should:
     3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
     3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
     3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
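The check in steps 1 and 2 can be automated: the script below is an added example (not part of this advisory or of npm itself) that takes the `tar -tvf` listing of a packed workspace tarball and flags every entry that the root-level .npmignore should have excluded. Both the ignore file and the tar listing are constructed samples; the ignore matching covers only a subset of gitignore semantics (trailing `/` for directories, bare names matched at any depth, slash-containing patterns matched from the root).

```python
import fnmatch
import re

# Constructed sample: root-level .npmignore of a workspace monorepo (hypothetical content)
ROOT_NPMIGNORE = """
# secrets and local config
.env
*.pem
secrets/
# dev-only notes
docs/internal/*.md
"""

# Constructed sample: `tar -tvf foo-1.0.0.tgz` output for a workspace package "foo"
TAR_TVF_OUTPUT = """
-rw-r--r--  0 0      0         512 Jun  1 12:00 package/package.json
-rw-r--r--  0 0      0        2048 Jun  1 12:00 package/index.js
-rw-r--r--  0 0      0          64 Jun  1 12:00 package/.env
-rw-r--r--  0 0      0        1700 Jun  1 12:00 package/secrets/deploy.pem
-rw-r--r--  0 0      0         300 Jun  1 12:00 package/docs/internal/todo.md
-rw-r--r--  0 0      0         300 Jun  1 12:00 package/docs/README.md
"""

def parse_ignore(text: str) -> list[str]:
    """Return the non-empty, non-comment patterns of an ignore file."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def tarball_paths(listing: str) -> list[str]:
    """Extract entry paths from `tar -tvf` lines; npm tarballs nest everything under 'package/'."""
    paths = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 6:
            paths.append(re.sub(r"^package/", "", parts[-1]))
    return paths

def matches(path: str, pattern: str) -> bool:
    """Subset of gitignore semantics: trailing '/' is a directory prefix, a pattern
    without '/' matches the basename at any depth, anything else matches from the root."""
    if pattern.endswith("/"):
        return path.startswith(pattern) or path == pattern.rstrip("/")
    if "/" not in pattern:
        return fnmatch.fnmatch(path.rsplit("/", 1)[-1], pattern)
    return fnmatch.fnmatch(path, pattern.lstrip("/"))

def leaked_files(listing: str, ignore_text: str) -> list[str]:
    """Tarball entries that the root-level ignore file should have excluded."""
    patterns = parse_ignore(ignore_text)
    return [p for p in tarball_paths(listing) if any(matches(p, pat) for pat in patterns)]

if __name__ == "__main__":
    for f in leaked_files(TAR_TVF_OUTPUT, ROOT_NPMIGNORE):
        print("unexpected in tarball:", f)
```

Any file reported here is a candidate for step 3: republish without it, deprecate the affected version, and rotate whatever it contained.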

References

Affected packages

npm / npm

Package

Name
npm

Affected ranges

Type
SEMVER
Events
Introduced
7.9.0
Fixed
8.11.0