{"id":"CVE-2022-29244","summary":"npm packing does not respect root-level ignore files in workspaces","details":"`npm pack` ignores root-level `.gitignore` and `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=\u003cname\u003e`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files to the npm registry that they did not intend to include. Users should upgrade to the latest, patched version of npm (v8.11.0) by running `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1 (sic; the release linked in the references is v17.9.1), and v18.3.0 include the patched v8.11.0 version of npm.","aliases":["GHSA-hj9c-8jmm-8c52"],"modified":"2026-04-10T04:47:27.395221Z","published":"2022-06-13T13:40:27Z","related":["ALSA-2022:6595","SUSE-SU-2022:3196-1","SUSE-SU-2022:3250-1","SUSE-SU-2022:3251-1","openSUSE-SU-2024:12280-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29244.json","cwe_ids":["CWE-200"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v16.15.1"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v17.9.1"},{"type":"WEB","url":"https://github.com/nodejs/node/releases/tag/v18.3.0"},{"type":"WEB","url":"https://github.com/npm/cli/releases/tag/v8.11.0"},{"type":"WEB","url":"https://github.com/npm/cli/tree/latest/workspaces/libnpmpack"},{"type":"WEB","url":"https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29244.json"},{"type":"ADVISORY","url":"https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29244"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220722-0007/"},{"type":"FIX","url":"https://github.com/nodejs/node
/pull/43210"},{"type":"PACKAGE","url":"https://github.com/npm/npm-packlist"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"0794478e4938d8193516ab49926e03cb068febe6"},{"fixed":"0794478e4938d8193516ab49926e03cb068febe6"}],"database_specific":{"versions":[{"introduced":"7.9.0"},{"fixed":"7.9.0*"}]}},{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"0"},{"last_affected":"22f4a35db344472db1e83f9e3156907b58f5f527"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.11.0"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.6","v0.1.0","v0.1.1","v0.1.10","v0.1.100","v0.1.101","v0.1.102","v0.1.103","v0.1.104","v0.1.11","v0.1.12","v0.1.13","v0.1.14","v0.1.15","v0.1.16","v0.1.17","v0.1.18","v0.1.19","v0.1.2","v0.1.20","v0.1.21","v0.1.22","v0.1.23","v0.1.24","v0.1.25","v0.1.26","v0.1.27","v0.1.28","v0.1.29","v0.1.3","v0.1.30","v0.1.31","v0.1.32","v0.1.33","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.1.9","v0.1.92","v0.1.93","v0.1.94","v0.1.95","v0.1.96","v0.1.97","v0.1.98","v0.1.99","v0.2.0","v0.3.0","v0.3.1","v0.3.2","v0.3.4","v0.3.5","v0.3.6","v0.3.7","v0.3.8","v0.4.0","v0.5.0","v0.5.1","v0.5.10","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.5.5-rc1","v0.5.6","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.6.1","v0.7.0","v0.7.2","v0.7.3","v1.0.1","v1.0.1-release","v1.0.2","v1.0.2-release","v1.0.3","v1.0.4","v1.1.0","v1.2.0","v1.3.0","v1.4.1","v1.4.2","v1.4.3","v1.5.0","v1.5.1","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.7.0","v1.7.1","v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.2.0","v2.2.1","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.4.0","v2.5.0","v3.0.0","v8.0.0","v8.1.0","v8.1.1","v8.1.2","v8.1.3","v8.1.4","v8.10.0","v8.11.0","v8.2.0","v8.2.1","v8.3.0","v8.4.0","v8.5.0","v8.6.0","v8.7.0","v8.8.0","v8.8.1","v8.9.0","v8.9.1","v8.9.2","v8.9.3","v8.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29244.json"}},
{"ranges":[{"type":"GIT","repo":"https://github.com/npm/cli","events":[{"introduced":"13843f489401d918e7f1a41ed1ff636fc3feb603"},{"fixed":"d60cfbcb43745705fd418fc2a7b8b427c6611911"}],"database_specific":{"versions":[{"introduced":"7.9.0"},{"fixed":"8.11.0"}]}}],"versions":["@npmcli/arborist-v5.0.0","@npmcli/arborist@4.2.1","@npmcli/arborist@4.3.1","@npmcli/arborist@5.0.0","arborist-v5.0.0","arborist-v5.0.1","arborist-v5.0.2","arborist-v5.0.3","arborist-v5.0.4","arborist-v5.0.5","arborist-v5.0.6","arborist-v5.1.0","arborist-v5.1.1","arborist-v5.2.0","libnpmaccess-v6.0.0","libnpmaccess-v6.0.1","libnpmaccess-v6.0.2","libnpmaccess-v6.0.3","libnpmaccess@6.0.0","libnpmdiff-v4.0.0","libnpmdiff-v4.0.1","libnpmdiff-v4.0.2","libnpmdiff-v4.0.3","libnpmdiff@4.0.0","libnpmexec-v4.0.0","libnpmexec-v4.0.1","libnpmexec-v4.0.2","libnpmexec-v4.0.3","libnpmexec-v4.0.4","libnpmexec-v4.0.5","libnpmexec@4.0.0","libnpmfund-v3.0.0","libnpmfund-v3.0.1","libnpmfund-v3.0.2","libnpmfund@3.0.0","libnpmhook-v8.0.0","libnpmhook-v8.0.1","libnpmhook-v8.0.2","libnpmhook-v8.0.3","libnpmhook@8.0.0","libnpmorg-v4.0.0","libnpmorg-v4.0.1","libnpmorg-v4.0.2","libnpmorg-v4.0.3","libnpmorg@4.0.0","libnpmpack-v4.0.0","libnpmpack-v4.0.1","libnpmpack-v4.0.2","libnpmpack-v4.0.3","libnpmpack-v4.1.0","libnpmpack@3.1.0","libnpmpack@4.0.0","libnpmpublish-v6.0.0","libnpmpublish-v6.0.1","libnpmpublish-v6.0.2","libnpmpublish-v6.0.3","libnpmpublish-v6.0.4","libnpmpublish@6.0.0","libnpmsearch-v5.0.0","libnpmsearch-v5.0.1","libnpmsearch-v5.0.2","libnpmsearch-v5.0.3","libnpmsearch@5.0.0","libnpmteam-v4.0.0","libnpmteam-v4.0.1","libnpmteam-v4.0.2","libnpmteam-v4.0.3","libnpmteam@4.0.0","libnpmversion-v3.0.0","libnpmversion-v3.0.1","libnpmversion-v3.0.2","libnpmversion-v3.0.3","libnpmversion-v3.0.4","libnpmversion@3.0.0","v7.10.0","v7.11.1","v7.11.2","v7.12.0","v7.12.1","v7.13.0","v7.14.0","v7.15.0","v7.15.1","v7.16.0","v7.17.0","v7.18.0","v7.18.1","v7.19.0","v7.19.1","v7.20.0","v7.20.1","v7.20.2","v7.20.3","v7.20.4","v7.20
.5","v7.20.6","v7.21.0","v7.21.1","v7.22.0","v7.23.0","v7.24.0","v7.24.1","v7.24.2","v7.9.0","v8.0.0","v8.1.0","v8.1.1","v8.1.2","v8.1.3","v8.1.4","v8.10.0","v8.2.0","v8.3.0","v8.3.1","v8.3.2","v8.5.0","v8.5.1","v8.5.2","v8.5.3","v8.5.4","v8.5.5","v8.6.0","v8.7.0","v8.8.0","v8.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29244.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}