CVE-2022-29244

CVE-2022-29244: npm packing does not respect root-level ignore files in workspaces

Vendor: Npm
Product: npm
Weakness: CWE-200 · Info exposure
Published: June 13, 2022
Last update: April 23, 2025

What the vulnerability does

01 Description

`npm pack` ignores root-level `.gitignore` and `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and may have published files to the npm registry that they did not intend to include. Users should upgrade to the latest, patched version of npm, v8.11.0, by running `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
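To check whether a package already packed or published from a workspace was affected, the following added example (not from the advisory or from npm's code) maps a tarball's file list back to root-relative paths and reports the files that a root-level ignore file excludes. The matcher implements only a simplified subset of gitignore syntax; the function names, the workspace path `packages/api`, the ignore rules and the file list are all constructed for illustration.

```javascript
'use strict';

// Simplified gitignore-style rules: comments, "!" negation, leading "/" anchoring,
// trailing "/" (directory only), "*", "?" and "**". Bracket classes are literal.
function compileIgnore(text) {
  return text.split(/\r?\n/).map(l => l.trim())
    .filter(l => l && !l.startsWith('#'))
    .map(line => {
      const negated = line.startsWith('!');
      let pat = negated ? line.slice(1) : line;
      const dirOnly = pat.endsWith('/');
      if (dirOnly) pat = pat.slice(0, -1);
      const anchored = pat.includes('/');   // a slash ties the rule to the root
      if (pat.startsWith('/')) pat = pat.slice(1);
      const body = pat
        .replace(/[.+^${}()|[\]\\]/g, '\\$&')
        .replace(/\*\*\/|\*\*|\*|\?/g, m =>
          m === '**/' ? '(?:.*/)?' : m === '**' ? '.*' : m === '*' ? '[^/]*' : '[^/]');
      const re = new RegExp((anchored ? '^' : '^(?:.*/)?') + body +
                            (dirOnly ? '/.+$' : '(?:/.*)?$'));
      return { negated, re };
    });
}

// Last matching rule wins, as in gitignore.
function isIgnored(rules, path) {
  let ignored = false;
  for (const { negated, re } of rules) if (re.test(path)) ignored = !negated;
  return ignored;
}

// Files in a workspace tarball that the root-level ignore file should have excluded.
// packedFiles are relative to the workspace directory; rules are relative to the root.
function findLeaks(rootIgnoreText, workspaceDir, packedFiles) {
  const rules = compileIgnore(rootIgnoreText);
  return packedFiles.filter(f => isIgnored(rules, `${workspaceDir}/${f}`));
}

// Constructed sample: root-level .npmignore and the file list of a workspace tarball.
const ROOT_IGNORE = ['# secrets and test data', '.env', '*.pem',
  '/packages/api/fixtures/', '*.log', '!keep.log'].join('\n');
const PACKED_FILES = ['package.json', 'index.js', '.env', 'certs/dev.pem',
  'fixtures/users.json', 'debug.log', 'keep.log', 'lib/util.js'];

console.log(findLeaks(ROOT_IGNORE, 'packages/api', PACKED_FILES));
```

Any path the function returns is a candidate for unintended exposure and should be reviewed against what was actually published.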

Key dates

02 Disclosure timeline

June 13, 2022: CVE published
April 23, 2025: Record updated