In this long read, we'll break down CVE-2022-29244—a vulnerability that made its way into npm workspaces and could have accidentally exposed files you never meant to publish. Whether you're a Node.js developer or just curious about software security, this article will explain what happened, who's affected, how it works, and what you need to do about it.
What Is CVE-2022-29244?
CVE-2022-29244 is a security bug affecting npm, one of the most popular package managers for JavaScript and Node.js projects. Specifically, it impacts how npm pack and npm publish handle file exclusion rules (.gitignore and .npmignore) _inside workspaces_.
The Simple Version
If you used npm pack or npm publish in a workspace—by running commands with the --workspaces flag, or inside a workspace directory—npm ignored the usual rules about which files should not be published. Files that were supposed to be excluded by .gitignore or .npmignore at the root level were wrongly included in your package tarballs. Some of these files might be secrets, credentials, or just stuff you never meant to share.
The issue started in npm v7.13. and affects both npm pack and npm publish.
Anyone using these versions (or later, before the fix) who published from workspaces could have been affected, provided the project contains a root-level .gitignore or .npmignore file.
Projects built with tools like Lerna, Yarn workspaces, or standard npm workspaces are all potential victims, especially if you followed best practices and kept secrets excluded at the root.
How Does the Vulnerability Work?
Normally, npm uses .gitignore and .npmignore files to figure out which files should stay out of your published package.
Example Directory Structure
my-monorepo/
├── .gitignore
├── .npmignore
├── package.json
└── packages/
    ├── a/
    │   ├── index.js
    │   └── secret.env
    └── b/
        ├── index.js
        └── password.txt
.gitignore at Root
# Secrets
*.env
password.txt
.npmignore at Root
*.env
password.txt
What Should Happen:
npm pack should read ignore rules from .gitignore and .npmignore at the root, _excluding_ secret.env and password.txt anywhere in the directory tree.
What Did Happen:
When running npm pack or npm publish in a workspace, these tools _ignored_ the root-level ignore files. Those secrets (and more) could end up in your tarball and get published to the npm registry.
Here's how you could accidentally publish sensitive files:
cd my-monorepo/packages/a
npm pack
# or, from root:
npm pack --workspace=a
# Tarball now contains secret.env!
tar -tf package-a-1...tgz
If you open the tarball, you'll notice secret.env inside, even though it's listed in the root .npmignore!
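As an added example (not code from the advisory or from npm itself), here is a small Node.js script that checks a tarball's file list, as printed by tar -tf, against the root-level ignore rules so you can spot such a leak before a publish goes out. It supports only a simplified subset of .npmignore/.gitignore syntax, and the tarball entries and ignore file below are constructed sample input.

```javascript
// Added example: compare a tarball's entry list against root ignore rules.
// Supported subset of ignore syntax (an assumption of this example):
//   - blank lines and "#" comments are skipped
//   - "*" and "?" match within a single path segment
//   - a pattern without "/" matches the file's basename at any depth
//   - a pattern containing "/" is anchored to the package root
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, "[^/]*")               // "*" never crosses a "/"
    .replace(/\?/g, "[^/]");
  return new RegExp("^" + escaped + "$");
}

function parseIgnoreRules(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map((p) => ({
      anchored: p.includes("/"),
      re: patternToRegExp(p.replace(/^\//, "")),
    }));
}

function isIgnored(entry, rules) {
  // npm pack prefixes every tarball entry with "package/"; strip it so
  // paths are relative to the package root like the ignore rules expect.
  const rel = entry.replace(/^package\//, "");
  const base = rel.split("/").pop();
  return rules.some((r) => (r.anchored ? r.re.test(rel) : r.re.test(base)));
}

// Returns the entries that the root ignore rules say should not be there.
function findLeakedFiles(tarEntries, ignoreText) {
  const rules = parseIgnoreRules(ignoreText);
  return tarEntries.filter((entry) => isIgnored(entry, rules));
}

// Constructed sample: what "tar -tf" printed for the workspace tarball in
// the article when built with a pre-fix npm.
const SAMPLE_ENTRIES = [
  "package/package.json",
  "package/index.js",
  "package/secret.env",
];
const ROOT_NPMIGNORE = "# Secrets\n*.env\npassword.txt\n";

const leaked = findLeakedFiles(SAMPLE_ENTRIES, ROOT_NPMIGNORE);
console.log(leaked.length ? "LEAKED: " + leaked.join(", ") : "tarball is clean");
```

Feed it the real output of tar -tf on your own tarball and the contents of your root .npmignore to get the same check for a package you are about to publish.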
How Bad Is This?
Worst-case, you could accidentally publish secrets, credentials, or proprietary code to the public npm registry. Attackers might download your package and grab those files.
How to Fix It
Upgrade npm:
The issue is fixed in npm v8.11. and later. Node.js versions v16.15.1, v17.19.1, and v18.3. (or later) include the patched npm.
Upgrade Steps
npm i -g npm@latest
> Double-check that npm -v reports at least 8.11.
> If using Node.js, update to v16.15.1, v17.19.1, v18.3., or newer.
After upgrading npm, run npm pack or npm publish as normal. Exclusion rules work as intended again.
If you think you published secrets, unpublish your affected packages if possible:
npm unpublish <package-name>@<version>
Rotate any credentials or secrets that may have leaked.
References
GitHub Security Advisory: CVE-2022-29244: npm pack ignores .gitignore and .npmignore file exclusion directives in workspaces
Node.js Security Release: Node.js Security Release Summary
npm Release Notes
Conclusion
CVE-2022-29244 is a tough lesson in how complex workspaces and build tools can lead to accidental exposure of sensitive files. If you used npm workspaces before v8.11. to pack or publish packages, check your published files, rotate secrets if needed, and _upgrade right away_.
Don’t let a small mistake become an expensive data leak—keep your tools up to date and always double-check what goes into your published packages.
Timeline
Published on: 06/13/2022 14:15:00 UTC
Last modified on: 07/22/2022 19:15:00 UTC