CVE-2022-29244

7.5 HIGH

📋 TL;DR

This vulnerability in npm causes workspace operations to ignore .gitignore and .npmignore exclusion rules, potentially exposing sensitive files. Anyone who used npm pack or npm publish in workspaces with npm v7.9.0+ or v7.13.0+ may have unintentionally published private files to the npm registry.

💻 Affected Systems

Products:
  • npm CLI
Versions: npm v7.9.0 through v8.10.0 when using workspaces
Operating Systems: All platforms where npm runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who run npm pack or npm publish within npm workspaces or with workspace flags.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive credentials, API keys, configuration files, or proprietary source code are published to public npm registry, leading to data breaches, credential theft, or intellectual property loss.

🟠

Likely Case

Development environment files, test data, or internal configuration files are exposed, potentially revealing system architecture or development practices.

🟢

If Mitigated

No sensitive files are exposed due to proper file exclusion practices or limited workspace usage.

🌐 Internet-Facing: HIGH - Direct exposure of files to public npm registry with no authentication required for access.
🏢 Internal Only: MEDIUM - Internal npm registries may still expose sensitive files to unauthorized internal users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simply running npm pack/publish in vulnerable configuration triggers the issue.

This is a misconfiguration vulnerability rather than a traditional exploit - the user's own actions cause the exposure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: npm v8.11.0

Vendor Advisory: https://github.com/npm/cli/releases/tag/v8.11.0

Restart Required: No

Instructions:

1. Upgrade npm globally: npm i -g npm@latest
2. For Node.js installations, upgrade to v16.15.1, v17.19.1, or v18.3.0 which include patched npm v8.11.0
3. Verify upgrade with: npm --version

🔧 Temporary Workarounds

Avoid workspace packaging

Platform: all

Package each project outside of workspace mode (run npm pack from the package directory itself rather than through workspace flags) so that .gitignore/.npmignore rules are respected.

cd /path/to/package && npm pack

Manual file verification

Platform: linux

Inspect the tarball contents before publishing to ensure no sensitive files are included. npm pack --dry-run lists the files without writing a tarball; a plain npm pack writes <name>-<version>.tgz and prints that filename last, so the archive can be listed with tar and searched for names that should have been excluded (the grep pattern below is an example; adjust it to your own secrets).

npm pack --dry-run
tar -tzf "$(npm pack 2>/dev/null | tail -n 1)" | grep -i -E '\.env|secret|\.pem|\.key'

🧯 If You Can't Patch

  • Audit all published packages for exposed sensitive files and rotate any exposed credentials
  • Implement pre-publish hooks to validate package contents and block publishing if sensitive files are detected

🔍 How to Verify

Check if Vulnerable:

Check npm version: npm --version. If version is between 7.9.0 and 8.10.0 inclusive, and you use workspaces, you are vulnerable.

Check Version:

npm --version

Verify Fix Applied:

Verify npm version is 8.11.0 or higher: npm --version

📡 Detection & Monitoring

Log Indicators:

  • npm pack/publish operations in workspace contexts
  • Unexpected file inclusion in package tarballs

Network Indicators:

  • npm registry uploads containing files that should be excluded

SIEM Query:

process.name="npm" AND (process.args="pack" OR process.args="publish") AND process.args contains "workspace"
