chore(deps): update dependency npm to v8.11.0 [security] #206
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
8.9.0->8.11.0GitHub Vulnerability Alerts
CVE-2022-29244
Impact
npm packignores root-level.gitignore&.npmignorefile exclusion directives when run in a workspace or with a workspace flag (ie.--workspaces,--workspace=<name>). Anyone who has runnpm packornpm publishwith workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.Patch
npm(v8.11.0or greater), run:npm i -g npm@latestv16.15.1,v17.19.1&v18.3.0include the patchedv8.11.0version ofnpmSteps to take to see if you're impacted
npm publish --dry-runornpm packwith annpmversion>=7.9.0&<8.11.0inside the project's root directory using a workspace flag like:--workspacesor--workspace=<name>(ex.npm pack --workspace=foo)tar -tvf <package-on-disk>also works)3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
3.2. Deprecate the old package (ex.
npm deprecate <pkg>[@​<version>] <message>)3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
References
npm-packlistlibnpmpacklibnpmpublishRelease Notes
npm/cli (npm)
v8.11.0Compare Source
v8.11.0 (2022-05-25)
Features
8898710#4879 feat: deprecated set-script, birthday, --global, and --local (@fritzy)7307c8d#4940 feat(libnpmpack): bump pacote for better workspace awareness (@nlf)Bug Fixes
400c80f#4913 fix(ci): remove node_modules post-validation (@wraithgar)124df81#4910 fix: clean up npm cache tests (@wraithgar)ee3308afix: remove dead code from get-identity (@wraithgar)357b0af#4917 fix: pass prefix and workspaces to libnpmpack (@nlf)0f89e07#4935 fix: add global getter to npm class (@nlf)Documentation
83ed8d0#4922 docs: update roadmap link in readme (@OmriBarZik)ed054d4#4933 docs: fix broken link in changelog (@yonran)Dependencies
632ce87#4915 deps:cacache@16.1.07b2b77a#4915 deps:make-fetch-happen@10.1.5f3b0a24#4915 deps:pacote@13.4.10df3011#4915 deps:ssri@9.0.1dc38ab9#4919 deps:npm-packlist@5.0.4353e2f9#4940 deps:pacote@13.5.0 npm-packlist@5.1.0f4d4126#4941 deps:libnpmpack@4.1.0v8.10.0Compare Source
v8.10.0 (2022-05-11)
Features
911f55d#4864 feat: add --iwr alias for --include-workspace-root (@fritzy)bfb8bcc#4874 feat: add flag --omit-lockfile-registry-resolved (@fritzy) (Caleb ツ Everett)Bug Fixes
48d2db6#4862 fix: remove test coverage map (@wraithgar)38cf29a#4868 fix: cleanup star/unstar (@wraithgar)5baa4a7#4857 fix: consolidate bugs, docs, repo command logic (@wraithgar)5a50762#4875 fix(arborist): link deps lifecycle scripts (@ruyadorno)Dependencies
d58bf40#4856 deps:npm-packlist@5.0.386f443e#4872 deps:make-fetch-happen@10.1.3f9984e6#4880 deps:@npmcli/arborist@5.2.0ba59915#4881 deps:socks-proxy-agent@6.2.0c0806ba#4881 deps:http-proxy-agent@5.0.1cc7be6b#4881 deps:is-core-module@2.9.00432c7d#4881 deps:lru-cache@7.9.05778820#4881 deps:just-diff@5.0.2893dd00#4881 deps:ip@1.1.86ab85bd#4881 deps:builtins@5.0.1Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.