{"id":"CVE-2022-29244","summary":"npm packing does not respect root-level ignore files in workspaces","details":"`npm pack` ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=\u003cname\u003e`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files to the npm registry that they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0, by running `npm i -g npm@latest`. Node.js versions v16.15.1, v17.9.1, and v18.3.0 include the patched v8.11.0 version of npm.","aliases":["GHSA-hj9c-8jmm-8c52"],"modified":"2026-05-28T04:07:56.362390882Z","published":"2022-06-13T13:40:27Z","related":["ALSA-2022:6595","SUSE-SU-2022:3196-1","SUSE-SU-2022:3250-1","SUSE-SU-2022:3251-1","openSUSE-SU-2024:12280-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29244.json","cwe_ids":["CWE-200"]},"references":[{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v16.15.1"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v17.9.1"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v18.3.0"},{"type":"WEB","url":"https://github.com/npm/cli/releases/tag/v8.11.0"},{"type":"WEB","url":"https://github.com/npm/cli/tree/latest/workspaces/libnpmpack"},{"type":"WEB","url":"https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29244.json"},{"type":"ADVISORY","url":"https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29244"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220722-0007/"},{"type":"FIX","url":"https://github.com/nodejs/n
ode/pull/43210"},{"type":"PACKAGE","url":"https://github.com/npm/npm-packlist"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"0794478e4938d8193516ab49926e03cb068febe6"},{"fixed":"22f4a35db344472db1e83f9e3156907b58f5f527"},{"fixed":"177064d0aee4a331eef93e3667963c02f0b94333"},{"fixed":"cd98cfbdddfa95b75706674ddc56011c1c3fbfe3"},{"fixed":"49362efd5b39f31a14260612422109e130068d08"}],"database_specific":{"extracted_events":[{"introduced":"7.9.0"},{"fixed":"8.11.0"}],"cpe":"cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*","source":["CPE_RANGE","REFERENCES"]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29244.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/npm/cli","events":[{"introduced":"13843f489401d918e7f1a41ed1ff636fc3feb603"},{"fixed":"d60cfbcb43745705fd418fc2a7b8b427c6611911"}],"database_specific":{"extracted_events":[{"introduced":"7.9.0"},{"fixed":"8.11.0"}],"cpe":"cpe:2.3:a:npmjs:npm:*:*:*:*:*:*:*:*","source":["CPE_RANGE","REFERENCES"]}}],"versions":["v7.24.2","libnpmpack-v4.1.0","v8.10.0","arborist-v5.2.0","v8.9.0","v8.8.0","libnpmexec-v4.0.5","libnpmversion-v3.0.4","libnpmpublish-v6.0.4","arborist-v5.1.1","libnpmexec-v4.0.4","arborist-v5.1.0","v8.7.0","arborist-v5.0.6","libnpmversion-v3.0.3","libnpmpublish-v6.0.3","libnpmpack-v4.0.3","libnpmteam-v4.0.3","libnpmsearch-v5.0.3","libnpmexec-v4.0.3","libnpmhook-v8.0.3","libnpmversion-v3.0.2","libnpmfund-v3.0.2","libnpmaccess-v6.0.3","libnpmorg-v4.0.3","libnpmdiff-v4.0.3","arborist-v5.0.5","v8.6.0","arborist-v5.0.4","v8.5.5","libnpmexec-v4.0.2","libnpmdiff-v4.0.2","arborist-v5.0.3","libnpmpublish-v6.0.2","libnpmhook-v8.0.2","libnpmorg-v4.0.2","libnpmsearch-v5.0.2","libnpmaccess-v6.0.2","libnpmteam-v4.0.2","libnpmpack-v4.0.2","v8.5.4","arborist-v5.0.2","libnpmpack-v4.0.1","libnpmversion-v3.0.1","libnpmdiff-v4.0.1","libnpmorg-v4.0.1","libnpmteam-v4.0.1","libnpmaccess-v6.0.1","libnpmexec-v4.0.1","l
ibnpmsearch-v5.0.1","libnpmhook-v8.0.1","libnpmpublish-v6.0.1","arborist-v5.0.1","libnpmfund-v3.0.1","v8.5.3","v8.5.2","libnpmversion@3.0.0","libnpmversion-v3.0.0","libnpmteam@4.0.0","libnpmteam-v4.0.0","libnpmsearch@5.0.0","libnpmsearch-v5.0.0","libnpmpublish@6.0.0","libnpmpublish-v6.0.0","libnpmpack@4.0.0","libnpmpack-v4.0.0","libnpmorg@4.0.0","libnpmorg-v4.0.0","libnpmhook@8.0.0","libnpmhook-v8.0.0","libnpmfund@3.0.0","libnpmfund-v3.0.0","libnpmexec@4.0.0","libnpmexec-v4.0.0","libnpmdiff@4.0.0","libnpmdiff-v4.0.0","libnpmaccess@6.0.0","libnpmaccess-v6.0.0","arborist-v5.0.0","@npmcli/arborist@5.0.0","@npmcli/arborist-v5.0.0","v8.5.1","v8.5.0","libnpmpack@3.1.0","@npmcli/arborist@4.3.1","v8.3.2","@npmcli/arborist@4.2.1","v8.3.1","v8.3.0","v8.2.0","v8.1.4","v8.1.3","v8.1.2","v8.1.1","v8.1.0","v8.0.0","v7.24.1","v7.24.0","v7.23.0","v7.22.0","v7.21.1","v7.21.0","v7.20.6","v7.20.5","v7.20.4","v7.20.3","v7.20.2","v7.20.1","v7.20.0","v7.19.1","v7.19.0","v7.18.1","v7.18.0","v7.17.0","v7.16.0","v7.15.1","v7.15.0","v7.14.0","v7.13.0","v7.12.1","v7.12.0","v7.11.2","v7.11.1","v7.10.0","v7.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29244.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}