UBUNTU-CVE-2022-29244
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 13 Jun 2022, 14:15
Last modified:20 May 2026, 16:08
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
13 Jun 2022, 14:15
Published
Vulnerability first disclosed
20 May 2026, 16:08
Last Modified
Vulnerability information updated
Description
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Systems
- ubuntu•npm
all | all | all | all | all | all | all
References (11)
- https://ubuntu.com/security/CVE-2022-29244
- https://github.com/nodejs/node/pull/43210
- https://github.com/nodejs/node/releases/tag/v18.3.0
- https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
- https://github.com/nodejs/node/releases/tag/v17.9.1
- https://github.com/npm/npm-packlist
- https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
- https://github.com/npm/cli/releases/tag/v8.11.0
- https://github.com/nodejs/node/releases/tag/v16.15.1
- https://www.cve.org/CVERecord?id=CVE-2022-29244