[npm] Packing does not respect root-level ignore files in workspaces

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

• Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
• Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you’re impacted

1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project’s root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
3. If you find that there are files included you did not expect, you should:

3.1. Create & publish a new release excluding those files (ref. “Keeping files out of your Package”)
3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

• CVE-2022-29244

• npm-packlist

• libnpmpack

• libnpmpublish

  References

• https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52

• https://github.com/nodejs/node/releases/tag/v16.15.1

• https://github.com/nodejs/node/releases/tag/v17.9.1

• https://github.com/nodejs/node/releases/tag/v18.3.0

• https://github.com/npm/cli/releases/tag/v8.11.0

• https://github.com/npm/cli/tree/latest/workspaces/libnpmpack

• https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish

• https://github.com/npm/npm-packlist

• https://github.com/advisories/GHSA-hj9c-8jmm-8c52