chore(deps): update npm to v8 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
npm (source)	>=8.14.0 -> 8.11.0

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

• Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
• Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
3. If you find that there are files included you did not expect, you should:
   3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
   3.2. Deprecate the old package (ex. npm deprecate <pkg>[@&#8203;<version>] <message>)
   3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

• CVE-2022-29244
• npm-packlist
• libnpmpack
• libnpmpublish

---

Release Notes

npm/cli (npm)

v8.11.0

Compare Source

v8.11.0 (2022-05-25)

Features

• 8898710 #​4879 feat: deprecated set-script, birthday, --global, and --local (@​fritzy)
• 7307c8d #​4940 feat(libnpmpack): bump pacote for better workspace awareness (@​nlf)

Bug Fixes

• 400c80f #​4913 fix(ci): remove node_modules post-validation (@​wraithgar)
• 124df81 #​4910 fix: clean up npm cache tests (@​wraithgar)
• ee3308a fix: remove dead code from get-identity (@​wraithgar)
• 357b0af #​4917 fix: pass prefix and workspaces to libnpmpack (@​nlf)
• 0f89e07 #​4935 fix: add global getter to npm class (@​nlf)

Documentation

• 83ed8d0 #​4922 docs: update roadmap link in readme (@​OmriBarZik)
• ed054d4 #​4933 docs: fix broken link in changelog (@​yonran)

Dependencies

• 632ce87 #​4915 deps: cacache@16.1.0
• 7b2b77a #​4915 deps: make-fetch-happen@10.1.5
• f3b0a24 #​4915 deps: pacote@13.4.1
• 0df3011 #​4915 deps: ssri@9.0.1
• dc38ab9 #​4919 deps: npm-packlist@5.0.4
• 353e2f9 #​4940 deps: pacote@13.5.0 npm-packlist@5.1.0
• f4d4126 #​4941 deps: libnpmpack@4.1.0

v8.10.0

Compare Source

v8.10.0 (2022-05-11)

Features

• 911f55d #​4864 feat: add --iwr alias for --include-workspace-root (@​fritzy)
• bfb8bcc #​4874 feat: add flag --omit-lockfile-registry-resolved (@​fritzy) (Caleb ツ Everett)

Bug Fixes

• 48d2db6 #​4862 fix: remove test coverage map (@​wraithgar)
• 38cf29a #​4868 fix: cleanup star/unstar (@​wraithgar)
• 5baa4a7 #​4857 fix: consolidate bugs, docs, repo command logic (@​wraithgar)
• 5a50762 #​4875 fix(arborist): link deps lifecycle scripts (@​ruyadorno)

Dependencies

• d58bf40 #​4856 deps: npm-packlist@5.0.3
• 86f443e #​4872 deps: make-fetch-happen@10.1.3
• f9984e6 #​4880 deps: @npmcli/arborist@5.2.0
• ba59915 #​4881 deps: socks-proxy-agent@6.2.0
• c0806ba #​4881 deps: http-proxy-agent@5.0.1
• cc7be6b #​4881 deps: is-core-module@2.9.0
• 0432c7d #​4881 deps: lru-cache@7.9.0
• 5778820 #​4881 deps: just-diff@5.0.2
• 893dd00 #​4881 deps: ip@1.1.8
• 6ab85bd #​4881 deps: builtins@5.0.1

v8.9.0

Compare Source

v8.9.0 (2022-05-04)

Features

• 62af3a1 #​4835 feat: make npm owner workspace aware (@​wraithgar)

Bug Fixes

• d654e7e #​4781 fix: start consolidating color output (@​wraithgar)
• b9a966c #​4843 fix(exec): ignore packageLockOnly flag (@​nlf)

Documentation

• 8fd7eec #​4845 docs: remove incorrect v6 auto prune info (@​wraithgar)
• 5f59f80 #​4847 docs: show complex object interactions in npm pkg (@​wraithgar)

Dependencies

• 62faf8a #​4837 deps: pacote@13.2.0
• 4ff7d3d #​4816 deps: cacache@16.0.7
• e2e9c81 #​4852 deps: pacote@13.3.0

v8.8.0

Compare Source

v8.8.0 (2022-04-27)

Features

• bedd8a1 #​4745 feat: add install-links config definition (@​nlf)

Bug Fixes

• 6253d19 #​4643 fix(exec): workspaces support (@​ruyadorno)
• e9163b4 #​4657 fix(libnpmpublish): unpublish from custom registry (@​ruyadorno)
• a677f49 #​4778 fix: Use node in and fallback to PATH if not found (@​elibus)
• b10462e #​4752 fix: completion for deprecate cmd (@​wraithgar)
• ced0acf #​4775 fix: consolidate registryConfig application logic (@​wraithgar)
• b06e89f #​4679 fix(install): do not install invalid package name (@​ruyadorno)
• 9ea2603 #​4786 fix: normalize win32 paths before globbing (@​lukekarrys)
• 8da28b4 #​4757 fix: remove lib/utils/read-package-name.js (@​wraithgar)

Documentation

• a6ea884 #​4745 docs: add some more docs for --install-links (@​nlf)
• 6cd6831 #​4782 docs: explain that _auth only goes to npm registry (@​wraithgar)
• fa3d829 #​4772 docs: include org instructions in scoped publish (@​bnb)

Dependencies

• 36899d1 #​4807 deps: @npmcli/arborist@5.1.1
  • 0ebadf5 #​4745 add support for installLinks (@​nlf)
  • 3d96494 #​4745 when replacing a Link with a Node, make sure to remove the Link target from the root (@​nlf)
• 3f2b24a #​4786 deps: @npmcli/map-workspaces@2.0.3
• b1b6948 #​4808 deps: libnpmexec@4.0.5
  • 4a46a27 #​4777 fix read mixed local/registry pkg (@​ruyadorno)
• 9f57404 #​4743 deps: npm-registry-fetch@13.1.1
• 532883f #​4786 deps: cacache@16.0.6
• 4d1398e #​4786 deps: npm-profile@6.0.3
• 5e31322 #​4786 deps: npmlog@6.0.2
• 4eb2ccb #​4786 deps: read-package-json@5.0.1
• aeb54e4 #​4786 deps: glob@8.0.1
• 252b2b1 #​4786 deps: npm-packlist@5.0.2
• c51e553 #​4786 deps: semver@7.3.7
• 13299ee #​4786 deps: lru-cache@7.8.1
• 0f2da5d #​4786 deps: cli-table3@​0.6.2
• 0ee57f1 #​4805 deps: libnpmpublish@6.0.4
• 8a633a4 #​4806 deps: libnpmversion@3.0.4

v8.7.0

Compare Source

v8.7.0 (2022-04-13)

Features

• 6611e91 #​4723 feat(config): add more npm/node information to config ls (@​lukekarrys)
• c057b90 #​4740 feat(config): warn on deprecated configs (@​lukekarrys)

Bug Fixes

• 2829cb2 #​4658 fix: update readme badges (@​lukekarrys)
• e3da5df #​4667 fix: replace deprecated String.prototype.substr() (@​CommanderRoot)
• 2a26e5e #​4645 fix: remove dedupe --save (@​wraithgar)
• 47438ff #​4645 fix: do not export npm_config_include_workspace_root (@​wraithgar)
• 840c338 #​4678 fix(run-script): don't cascade if-present config (@​ruyadorno)
• 4d676e3 #​4709 fix(arborist): when reloading an edge, also refresh overrides (@​nlf)
• 3f7fe17 #​4659 fix: skip update notifier file if not requested (@​lukekarrys)
• 5ba7f0c #​4726 fix: show more information during publish dry-run (@​lukekarrys)
• aa4a4da #​4735 fix(arborist): dont skip adding advisories to audit based on name/range (@​lukekarrys)
• 0cd852f #​4741 fix: mitigate doctor test race condition (@​wraithgar)
• ba8b2a7 #​4744 fix(ls): make --omit filter npm ls (@​lukekarrys)

Documentation

• 85b3c48 #​4666 docs(ci): add note that configuration must be consistent between install and ci (@​nlf)
• 44108f7 #​4670 docs: fix npm-uninstall typo (@​JSKitty)

Dependencies

• aaf86f6 #​4674 deps: @npmcli/metavuln-calculator@3.1.0
• 4a9a705 #​4691 deps: @npmcli/package-json@2.0.0
• 1a90b9e #​4691 deps: treeverse@2.0.0
• f86f1af #​4691 deps: @npmcli/disparity-colors@2.0.0
• 3a76dff #​4691 deps: make-fetch-happen@10.1.2
• 0230428 #​4691 deps: @npmcli/config@4.0.2
• 82dc75f #​4691 deps: npm-pick-manifest@7.0.1
• ad99360 #​4691 deps: npm-install-checks@5.0.0
• 79fc706 #​4691 deps: bin-links@3.0.1
• 1f2fb1e #​4691 deps: @npmcli/git@3.0.1
• 0f23c33 #​4691 deps: @npmcli/run-script@3.0.2
• 485753d #​4691 deps: cacache@16.0.4
• e9b25cd #​4691 deps: @npmcli/move-file@2.0.0
• 0e87cac #​4691 deps: @npmcli/node-gyp@2.0.0
• b632746 #​4691 deps: @npmcli/promise-spawn@3.0.0
• b1863bf #​4691 deps: pacote@13.1.1
• a2781a3 #​4691 deps: ssri@9.0.0
• 5172e03 #​4691 deps: ini@3.0.0
• 71296d5 #​4691 deps: npm-package-arg@9.0.2
• 69d8343 #​4691 deps: graceful-fs@4.2.10
• c44c2b0 #​4691 deps: lru-cache@7.7.3
• 38029ed #​4691 deps: dezalgo@1.0.4
• e57353c #​4691 deps: semver@7.3.6
• 1b30c72 #​4691 deps: minimatch@5.0.1
• c70232c #​4706 deps: @npmcli/arborist@5.0.5
• baff482 #​4705 deps: libnpmdiff@4.0.3
• dda8a97 #​4704 deps: libnpmorg@4.0.3
• 8914864 #​4703 deps: libnpmaccess@6.0.3
• 3516f61 #​4702 deps: libnpmfund@3.0.2
• ecd22b0 #​4701 deps: libnpmversion@3.0.2
• 7ed9faf #​4700 deps: libnpmhook@8.0.3
• df92e23 #​4699 deps: libnpmexec@4.0.3
• 5074adc #​4698 deps: libnpmsearch@5.0.3
• 35e5100 #​4697 deps: libnpmteam@4.0.3
• 86f5b27 #​4696 deps: libnpmpack@4.0.3
• 1617bce #​4695 deps: libnpmpublish@6.0.3
• e33aa0f #​4714 deps: remove stringify-package
• 98377d1 #​4740 deps: @npmcli/config@4.1.0
• 605ccef #​4728 deps: remove ansistyles
• c22fb1e #​4728 deps: remove ansicolors
• 970244c #​4734 deps: libnpmversion@3.0.3
• 42dc0b0 #​4733 deps: @npmcli/arborist@5.0.6

v8.6.0

Compare Source

v8.6.0 (2022-03-31)

Features

• 723a0918a #​4588 feat(version): reify on workspace version change (@​ruyadorno)
• cc6c09431 #​4594 feat: add logs-dir config to set custom logging location (@​lukekarrys)

Bug Fixes

• 98bfd9a8c fix: remove always true condition (#​4590) (@​XhmikosR)
• 81afa5a88 #​4601 fix(unpublish): properly apply publishConfig (@​wraithgar)
• 716a07fde #​4607 fix: 100% coverage in tests (@​wraithgar)
• 6f9cb490e #​4614 fix(arborist): handle link nodes in old lockfiles correctly (@​nlf)
• 18b8b9435 #​4617 fix(arborist): make sure resolveParent exists before checking props (@​nlf)
• bd96ae407 #​4599 fix(arborist): identify and repair invalid nodes in the virtual tree (@​nlf)
• 99d884542 #​4599 fix: make sure we loadOverrides on the root node in loadVirtual() (@​nlf)
• 45dd8b861 #​4609 fix: move shellout logic into commands (@​wraithgar)
• a64acc0bf #​4609 fix: really load all commands in tests, add description to birthday (@​wraithgar)
• d8dcc02cf #​4609 fix: consolidate command alias code (@​wraithgar)
• f76d4f2f6 #​4609 fix: consolidate is-windows code (@​wraithgar)
• 57d8f75eb #​4609 fix: consolidate node version support logic (@​wraithgar)
• 0a957f5e2 #​4609 fix: consolidate path delimiter logic (@​wraithgar)
• 738a40445 #​4609 fix: bump knownBroken to <12.5.0 (@​wraithgar)
• 8b65bfd5d #​4629 fix: return otplease fn results (@​wraithgar)
• d8d374d23 #​4632 fix: consolidate split-package-names (@​wraithgar)
• cc0a2ec99 #​4611 fix: work better with system manpages (#​4610) (@​d0sboots)
• 668ec7f33 #​4644 fix: only call npmlog progress methods if explicitly requested (@​lukekarrys)

Documentation

• ff1367f01 #​4641 docs: recommend prepare over prepublish (@​verhovsky)

Dependencies

• 6df061ec2 #​4594 deps: npm-registry-fetch@13.1.0
• 6dd1139c9 #​4594 deps: cacache@16.0.3
• feb4446d5 #​4616 deps: make-fetch-happen@10.1.0
• c33b53311 #​4613 deps: minipass-fetch@2.1.0
• 6a4c8ff89 #​4606 deps: npm-audit-report@3.0.0
• 6e0a131d2 #​4627 deps: debug@4.3.4
• 0f1cd60a1 #​4627 deps: proc-log@2.0.1
• da377eed5 #​4627 deps: parse-conflict-json@2.0.2
• 726a8a07a #​4627 deps: gauge@4.0.4
• aac01b89c #​4628 deps: @npmcli/template-oss@3.2.1
• 52dfaf239 #​4630 deps: make-fetch-happen@10.1.1
• 9778a5387 #​4635 deps: init-package-json@3.0.2
• 86eff5dcc #​4635 deps: npm-package-arg@9.0.2
• 5b4cbb217 #​4635 deps: validate-npm-package-name@4.0.0
• a59fd2cb8 #​4639 deps: @npmcli/template-oss@3.2.2
• 679e569d5 #​4655 deps: @npmcli/arborist@5.0.4

v8.5.5

Compare Source

v8.5.5 (2022-03-17)

Bug Fixes

• 0e7511d14 #​4261 fix(arborist): _findMissingEdges missing dependency due to inconsistent path separators (@​salvadorj)
• c83069436 #​4547 fix: omit bots from authors (@​wraithgar)
• f66da2ed8 #​4565 fix(owner): bypass cache when fetching packument (@​wraithgar)
• f0c6e86ca #​4572 fix: remove name from unpublished message (@​wraithgar)
• f7e58fa74 #​4572 fix: remove "bug the author" message from package 404 (@​wraithgar)
• 5471ff5fe #​4573 fix: add isntall alias to install (@​wraithgar)
• 84d19210e #​4576 fix: properly show npm view ./directory (@​wraithgar)
• e9a2981f5 #​4578 fix(arborist): save workspace version (@​ruyadorno)

Documentation

• a30405258 #​4580 docs: add foreground-scripts and ignore-scripts to commands (@​wraithgar)
• 2361a68e1 #​4582 docs: add isntall alias to install command (@​wraithgar)
• 8ff1dfaae #​4575 docs: explain that linked deps need npm install ran in them (@​wraithgar)
• ddbb505ec #​4574 docs: explain that git-tag-version=false does not commit (@​wraithgar)
• 7c878b978 #​4584 docs: fix unpublish docs to auto generate usage (@​wraithgar)

Dependencies

• fcc6acfa8 #​4562 deps: @npmcli/metavuln-calculator@3.0.1
• 6d3145014 #​4562 deps: pacote@13.0.4
• f6b771aab #​4562 deps: make-fetch-happen@10.0.6
• e26548fb1 #​4562 deps: cacache@16.0.0
• 915dda7ab #​4562 deps: init-package-json@3.0.1
• f2ec2ef1f #​4562 deps: read-package-json@5.0.0
• 340fa51f4 #​4562 deps: pacote@13.0.5
• 9555a5f1d #​4562 deps: npm-package-arg@9.0.1
• b2a494283 #​4562 deps: normalize-package-data@4.0.0
• 1cb88f4b3 #​4562 deps: hosted-git-info@5.0.0
• f95396a03 #​4562 deps: cacache@16.0.1
• aec2bfecc #​4585 deps: cacache@16.0.2
• ed8ab63e4 deps: libnpmpack@4.0.2
• 0b73bfa82 deps: libnpmteam@4.0.2
• 475d59b36 deps: libnpmaccess@6.0.2
• 7201c7395 deps: libnpmsearch@5.0.2
• f5df358c3 deps: libnpmorg@4.0.2
• 472e7dd7a deps: libnpmhook@8.0.2
• c901d7290 deps: libnpmpublish@6.0.2
• aad53327f deps: @npmcli/arborist@5.0.3
• b40136bca deps: libnpmdiff@4.0.2
• 5d91201d1 deps: libnpmexec@4.0.2

v8.5.4

Compare Source

v8.5.4 (2022-03-10)

Bug Fixes

• fbdb43138 #​4529 fix(rebuild): don't run lifecycle scripts twice on linked deps (@​wraithgar)
• 1c182e11d #​4495 fix(doctor): don't retry ping (@​wraithgar)
• 55ab38c53 #​4495 fix(doctor): allow for missing local bin and node_modules (@​wraithgar)
• 5c06a33e6 #​4528 fix: clean up owner command and otplease (@​wraithgar)

Documentation

• 2485064da #​4524 docs: fix typo in configuring-npm/package-json.md (@​dlcmh)
• 91f03ee61 #​4510 docs: standardize changelog heading (@​wraithgar)

Dependencies

• 377f55e0e #​4530 deps: make-fetch-happen@10.0.5
  • add code property to unsupported proxy url error
• 40b7fbf67 #​4531 deps: read-package-json@4.1.2
  • don't throw exception on invalid main attr
• d9dc70ce4 #​4545 deps: map-workspaces@2.0.2
  • evaluate all patterns before throwing EDUPLICATEWORKSPACE
• 70fcfb46b deps: libnpmfund@3.0.1
• 621cd033f deps: @npmcli/arborist@5.0.2
• 087fdc4cb deps: libnpmpublish@6.0.1
• d24c6d288 deps: libnpmhook@8.0.1
• fa59830fc deps: libnpmsearch@5.0.1
• 6d5f22b86 deps: libnpmexec@4.0.1
• 69ea54350 deps: libnpmaccess@6.0.1
• 4742d7cf3 deps: libnpmteam@4.0.1
• fdd255ae9 deps: libnpmorg@4.0.1
• ed41bc101 deps: libnpmdiff@4.0.1
• 21e241025 deps: libnpmversion@3.0.1
• ec7f36ff9 deps: libnpmpack@4.0.1
• ad4b56414 deps: gauge@4.0.3

v8.5.3

Compare Source

v8.5.3 (2022-03-03)

Bug Fixes

• defe79ad6 #​4480 fix: publish of tarballs includes README in packument (@​fritzy)
• 45fc297f1 #​4479 fix: ignore implict workspace for some commands (@​fritzy)
• a0900bdf1 #​4481 fix(ls): respect --include-workspace-root (@​fritzy)
• 0cfc155db #​4476 fix: set proper workspace repo urls in package.json (@​ljharb)
• 9e43de8a5 #​4493 fix: ignore implicit workspace for whoami (@​nlf)

Dependencies

• d13f067d9 #​4490 deps: @npmcli/run-script@3.0.1 (@​wraithgar)
• ce9a6eac0 #​4490 deps: node-gyp@9.0.0 (@​wraithgar)
• bd660f5f1 #​4490 deps: @npmcli/config@4.0.1
• 3c17b6965 #​4490 deps: make-fetch-happen@10.0.4
• e9b69c4c5 #​4490 deps: npm-registry-fetch@13.0.1
• cf27ca888 #​4490 deps: write-file-atomic@4.0.1
• f3421921a #​4490 deps: gauge@4.0.2
• 1dd2f7ee1 #​4490 deps: socks@2.6.2
• 236e3b403 #​4490 deps: minimatch@3.1.2 (@​wraithgar)
• 10e1326d2 #​4490 deps: lru-cache@7.4.0

v8.5.2

Compare Source

v8.5.2 (2022-02-24)

Bug Fixes

• 9bdd1ace8 #​4300 fix(arborist): use full location as tracker key when inflating (@​lukekarrys) (@​kirtangajjar)
• c9ff797e8 [#​4457](https://redirect.github.com

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

Merging #98 (5297733) into master (8f15309) will increase coverage by 9.11%.
Report is 12 commits behind head on master.
The diff coverage is n/a.

❗ Current head 5297733 differs from pull request most recent head 8a0b072. Consider uploading reports for the commit 8a0b072 to get more accurate results

@@            Coverage Diff             @@
##           master      #98      +/-   ##
==========================================
+ Coverage   72.51%   81.63%   +9.11%     
==========================================
  Files          10       11       +1     
  Lines         171      196      +25     
  Branches       36       36              
==========================================
+ Hits          124      160      +36     
+ Misses         41       21      -20     
- Partials        6       15       +9     

see 8 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information