chore(deps): update npm to v11 [security] - autoclosed #214
Closed
renovate[bot] wants to merge 1 commit into master from
This PR contains the following updates:
npm: >= 3.0.0 → >= 11.9.0

npm Token Leak in npm
CVE-2016-3956 / GHSA-m5h6-hr3q-22h5
Details
Affected versions of the npm package include the bearer token of the logged-in user in every request made by the CLI, even if the request is not directed towards the user's active registry. An attacker could create an HTTP server to collect tokens, and by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, which would compromise the user's token.
This compromised token could be used to do anything that the user could do, including publishing new packages.
Recommendation
npm install npm@latest -g
Severity
High
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
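The remedy for this class of bug is to bind each token to the registry it was issued for and attach it only to requests whose URL falls inside that registry's scope. The JavaScript below is an added example, not npm's own code: the key shape `//host[:port]/path/:_authToken` follows the .npmrc convention, the walk-up matching is my approximation of it, and CONFIG and the URLs are constructed.

```javascript
// Added example (not npm's own code). Tokens are keyed by a registry
// scope of the form "//host[:port]/path/:_authToken"; a request only
// receives the token whose scope is a prefix of its own location.
// CONFIG and the URLs below are constructed sample data.
const CONFIG = {
  '//registry.example.test/:_authToken': 'npm_constructed_token',
  '//registry.example.test/private/:_authToken': 'npm_private_token',
};

// "." resolves to the directory part of the URL path, dropping the
// file name, query and fragment: https://h/a/b.tgz?x -> //h/a/
function toNerfDart(urlString) {
  const dir = new URL('.', urlString);
  return `//${dir.host}${dir.pathname}`;
}

// Walk from the most specific scope up to "//host/" and return the first
// configured token, or null when no scope covers the URL. A request to
// any other host therefore never sees the registry token.
function tokenFor(urlString, config = CONFIG) {
  const base = `//${new URL(urlString).host}/`;
  let scope = toNerfDart(urlString);
  for (;;) {
    const token = config[`${scope}:_authToken`];
    if (token) return token;
    if (scope === base) return null;
    scope = scope.replace(/[^/]+\/$/, ''); // drop the last path segment
  }
}

// Headers to add to an outgoing request: empty for out-of-scope hosts.
function authHeadersFor(urlString, config = CONFIG) {
  const token = tokenFor(urlString, config);
  return token ? { authorization: `Bearer ${token}` } : {};
}

for (const url of [
  'https://registry.example.test/demo-pkg/-/demo-pkg-1.0.0.tgz',
  'https://registry.example.test/private/demo-pkg',
  'https://collector.example.test/anything',
]) {
  console.log(url, '->', JSON.stringify(authHeadersFor(url)));
}
```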
Incorrect Permission Assignment for Critical Resource in NPM
CVE-2018-7408 / GHSA-ph34-pc88-72gc
Details
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.
Severity
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Arbitrary File Write in npm
CVE-2019-16775 / GHSA-m6cx-g6qm-p2cx
Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running npm install has access to, and it is not possible to overwrite files that already exist on disk. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.3 or later.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
npm symlink reference outside of node_modules
CVE-2019-16776 / GHSA-x8qc-rrcw-4r46
Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. Only files accessible by the user running the npm install are affected. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.3 or later.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
npm Vulnerable to Global node_modules Binary Overwrite
CVE-2019-16777 / GHSA-4328-8hgf-7wjr
Details
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations.
For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.4 or later.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
npm CLI exposing sensitive information through logs
CVE-2020-15095 / GHSA-93f3-23rq-pjfp
Details
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.
Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
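The defensive counterpart to this advisory is to strip the password before any URL reaches stdout or a log file, and to scan logs written before that was in place. The JavaScript below is an added example, not npm's @npmcli/redact: the regex targets the URL grammar quoted above, and SAMPLE_LOG is constructed.

```javascript
// Added example (not npm's own code). Redacts the <password> part of
// <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>
// before a line is logged, and finds lines in existing logs that still
// carry one. SAMPLE_LOG is constructed.

// scheme "://" user ":" password "@" -> keep scheme and user, drop password
const URL_PASSWORD_RE = /\b([a-z][a-z0-9+.-]*:\/\/)([^\s:@/]+):([^\s@/]*)@/gi;

function redactUrlPasswords(text) {
  return text.replace(URL_PASSWORD_RE, '$1$2:***@');
}

// Indices of log lines that embed a URL password (for auditing logs that
// were written before redaction was in place).
function findLeakedCredentials(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    URL_PASSWORD_RE.lastIndex = 0; // a /g regex keeps state across test()
    if (URL_PASSWORD_RE.test(line)) hits.push(i);
  });
  return hits;
}

// Wrap the logger so nothing reaches stdout un-redacted.
function safeLog(line, write = console.log) {
  write(redactUrlPasswords(line));
}

const SAMPLE_LOG = [
  'http fetch GET 200 https://deploy:s3cr3t@registry.example.test:8080/demo-pkg',
  'git+ssh://git:hunter2@git.example.test:2222:/org/repo.git#semver:^1',
  'http fetch GET 200 https://ci-user@registry.example.test/demo-pkg',
  'timing idealTree Completed in 12:30:45',
];

for (const line of SAMPLE_LOG) safeLog(line);
console.log('lines with leaked passwords:', findLeakedCredentials(SAMPLE_LOG));
```

User names are kept so the redacted line still says which account made the request; only the secret after the colon is replaced.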
npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
CVE-2026-0775 / GHSA-3966-f6p6-2qr9
Details
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.
Severity
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Release Notes
npm/cli (npm)
v11.9.0 (Compare Source)
Features
- f5f6cf7 #8943 config: add --allow-git (@wraithgar)
Bug Fixes
- 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@Andarist)
Dependencies
- 332c9f3 #8960 glob@13.0.1
- eca02c7 #8960 minimatch@10.1.2
- @isaacs/brace-expansion@5.0.1
- b3f8475 #8951 minipass-fetch@5.0.1
- 924171b #8951 is-cidr@6.0.2
- 4404002 #8951 ci-info@4.4.0
- b65af73 #8951 lru-cache@11.2.5
- 164c355 #8951 tar@7.5.7
- a74a19c #8951 node-gyp@12.2.0
- e0bc212 #8943 pacote@21.1.0
Chores
- 4a82a8f #8951 dev dependency updates (@wraithgar)
- @npmcli/arborist@9.2.0
- @npmcli/config@10.6.0
- libnpmdiff@8.1.0
- libnpmexec@10.2.0
- libnpmfund@7.0.14
- libnpmpack@9.1.0
v11.8.0 (Compare Source)
Features
- 545e861 #8828 show proxy environment variables in npm config list (Max Black)
Bug Fixes
- c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@saksham-malhotra-27)
- f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@watilde)
Documentation
- 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@Schweinepriester)
- 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@MaxBlack-dev, Max Black)
Dependencies
- f478ca0 #8919 postcss-selector-parser@7.1.1
- 2b6a71f #8919 path-scurry@2.0.1
- 19096f2 #8919 sigstore@4.1.0
- e7f5d1e #8919 lru-cache@11.2.4
- 9e756ae #8919 ip-address@10.1.0
- f951820 #8919 common-ancestor-path@2.0.0
- 7a949ad #8919 @sigstore/verify@3.1.0
- 6979ce1 #8919 @sigstore/sign@4.1.0
- b4a6a41 #8919 @sigstore/core@3.1.0
- dc8a8e8 #8919 @sigstore/tuf@4.0.1
- be221ea #8919 validate-npm-package-name@7.0.2
- 149823d #8919 diff@8.0.3
- 32b2001 #8919 tar@7.5.4
Chores
- 8f599df #8919 pin jsdom to 27.0.0 (@wraithgar)
- f4f1161 #8919 dev dependency updates (@wraithgar)
- @npmcli/arborist@9.1.10
- @npmcli/config@10.5.0
- libnpmdiff@8.0.13
- libnpmexec@10.1.12
- libnpmfund@7.0.13
- libnpmpack@9.0.13
v11.7.0 (Compare Source)
Features
- b380d15 #8697 add deduping to notices unless in verbose+ mode (@owlstronaut)
Bug Fixes
- 4ebb831 #8839 updates hints to use cli paradigm (@owlstronaut)
- 7896e51 #8838 update the token list text (@owlstronaut)
- 8ab8668 #8836 query: support package-lock-only in workspaces (@watilde)
- 35e8d38 #8322 properly handle newlines with input when using the spinner (#8322) (@mbtools)
- 0c0faae #8780 adduser: improve email prompt (#8780) (@mbtools)
Documentation
- 7f2ab9d #8810 scripts: replace deprecated prepublish and install examples with prepare (Max Black)
- 91ebab7 #8847 remove note about token create being disabled (@owlstronaut)
- 2030250 #8822 scripts: clarify prepare script runs with --production (Max Black)
- 33a50d7 #8821 scripts: update npm_package_* environment variables documentation (Max Black)
- 50508f9 #8793 package-json: add documentation for type field (#8793) (@MaxBlack-dev, Max Black)
- aa1dd7e #8823 scripts: document that prepare scripts run concurrently in workspaces (Max Black)
- 3f48487 #8820 package-spec: fix alias syntax in examples (Max Black)
- dd104da #8812 version: add note about git version requirements (Max Black)
- 58afdcc #8792 install: clarify prerelease version range behavior (Max Black)
- 9f818e8 #8795 npm-view: clarify object property access syntax and provide examples (Max Black)
- 39c2f2e #8791 add examples for command line flags including --prefix (Max Black)
- 1298530 #8790 clarify version field can be omitted in package-lock (Max Black)
- 090b6ca #8794 npx: clarify that arguments are passed to executed command (Max Black)
- a864f80 #8787 document gypfile field in package.json (Max Black)
- 2fc689d #8788 add field access patterns to npm view (Max Black)
- 4850639 #8796 package-json: add examples for replacing dependencies with forks in overrides (Max Black)
- 4864dd4 #8798 npm-install: document engines field priority when installing packages (Max Black)
- 95d25cd #8799 package-json: clarify repository field normalization during publish (Max Black)
- a367f9b #8800 package-lock-json: clarify that version field may be omitted for certain dependencies (Max Black)
- ffc9b71 #8801 npm-install: clarify --tag does not override package.json (#8801) (@MaxBlack-dev, Max Black)
- 73688ca #8735 clarify npm version behavior with prerelease versions (#8735) (@yashwantbezawada)
- 4a32606 #8785 updates the token create documentation (#8785) (@owlstronaut, @wraithgar)
Chores
- 54929ce #8836 update baseline-browser-mapping (@watilde)
Dependencies
- @npmcli/arborist@9.1.9
- @npmcli/config@10.4.5
- libnpmdiff@8.0.12
- libnpmexec@10.1.11
- libnpmfund@7.0.12
- libnpmpack@9.0.12
v11.6.4 (Compare Source)
Documentation
- dfb83c7 #8749 add example for keywords field (#8749) (@MaxBlack-dev, Max Black)
- 1b1e227 #8750 remove outdated roadmap link (#8750) (@MaxBlack-dev, Max Black)
- 1333d57 #8752 clarify .npmrc naming convention for environment variable overrides (#8752) (@MaxBlack-dev)
- 22cddb8 #8755 add workspace dependencies example to workspaces (Max Black)
- 17e154c #8756 standardize env vars to uppercase convention (Max Black)
- 1e51a25 #8754 fix lifecycle event order for prepare script (Max Black)
- 8d72bc9 #8753 add os, cpu, and funding fields to package-lock.json (Max Black)
Dependencies
- f56bb13 #8779 proc-log@6.1.0 (#8779)
- f963223 #8770 proggy@4.0.0
- f51e4aa #8770 nopt@9.0.0
- 2d15040 #8770 @npmcli/query@5.0.0
- 9d77b84 #8770 @npmcli/installed-package-contents@4.0.0
- e2ac092 #8770 read@5.0.1
- 6e5bfd9 #8770 init-package-json@8.2.4
- 7f8e237 #8770 p-map@7.0.4
- a4aa218 #8770 npm-user-validate@4.0.0
- 6430446 #8770 npm-audit-report@7.0.0
- 58650dc #8770 @npmcli/fs@5.0.0
- 4a11146 #8770 glob@13.0.0
- 00511d4 #8770 @npmcli/cacache@20.0.3
- 224afa2 #8770 @npmcli/map-workspaces@5.0.3
- 664ac34 #8770 @npmcli/package-json@7.0.4
- @npmcli/arborist@9.1.8
- @npmcli/config@10.4.4
- libnpmdiff@8.0.11
- libnpmexec@10.1.10
- libnpmfund@7.0.11
- libnpmpack@9.0.11
v11.6.3 (Compare Source)
Bug Fixes
- c6242d9 #8706 change npm profile to create tokens with GAT support (#8706) (@owlstronaut, @wraithgar)
- cbc6fa9 #8731 order of version information in error message (#8731) (@piotrd, @pd-be)
- 11dbd7e #8709 display full token when creating authentication tokens (#8709) (@MaxBlack-dev, Max Black)
- 49a4eef #8676 use look behind regex for trailing slash stripping (#8676) (@wraithgar)
- b1aee62 #8645 dep flag calculation (#8645) (@liamcmitchell)
Documentation
- ca53c21 #8745 add workspace usage examples (#8745) (@MaxBlack-dev, Max Black)
- e71ca0e #8746 add --save flag to documentation (#8746) (@MaxBlack-dev, Max Black)
- 06510a8 #8683 add ignore-scripts option to npm version help and docs (#8683) (@Tejas242)
Dependencies
- 7f72238 #8723 cacache@20.0.2
- 7ac9db8 #8723 init-package-json@8.2.3
- 41e97c6 #8723 validate-npm-package-name@7.0.0
- 6b1fbe1 #8723 npm-package-arg@13.0.2
- aa1d486 #8723 @npmcli/promise-spawn@9.0.1
- 599c819 #8723 which@6.0.0
- e49286e #8723 ini@5.0.0
- b7c9f96 #8723 @npmcli/promise-spawn@9.0.0
- 8cc9f70 #8723 ssri@13.0.0
- 0b7274f #8723 pacote@21.0.4
- 59b3c6a #8723 @npmcli/redact@4.0.0
- 578abad #8723 node-gyp@12.1.0
- 89c4151 #8723 @npmcli/git@7.0.1
- c6d109d #8723 make-fetch-happen@15.0.3
- 34d8599 #8723 npm-registry-fetch@19.1.1
- 4811a86 #8723 @npmcli/run-script@10.0.3
- 6cb77df #8723 @npmcli/installed-package-contents@4.0.0
- 05ac7a7 #8723 proc-log@6.0.0
- 0a74f6d #8723 bin-links@6.0.0
- c02ce5c #8723 @npmcli/package-json@7.0.2
- 9c0cefa #8723 json-parse-even-better-errors@5.0.0
- 041b9b2 #8723 parse-conflict-json@5.0.1
- a1b0fea #8723 @npmcli/name-from-folder@4.0.0
- a085745 #8723 abbrev@4.0.0
- 00d9c7d #8723 nopt@9.0.0
- 3404dca #8723 npm-install-checks@8.0.0
- 542fcf3 #8723 @npmcli/node-gyp@5.0.0
- 89e14d3 #8723 tar@7.5.2
- 5383f3a #8723 npm-registry-fetch@19.1.0
- 1bb9a7d #8723 npm-profile@12.0.1
- de619a4 #8723 npm-pick-manifest@11.0.3
- 0e042ec #8723 npm-packlist@10.0.3
- 2a3c338 #8723 node-gyp@11.5.0
- b96e86c #8723 minimatch@10.1.1
- d347329 #8723 exponential-backoff@3.1.3
- d6830f4 #8723 @npmcli/run-script@10.0.2
- bcc7ec8 #8723 @npmcli/metavuln-calculator@9.0.3
- 7a419df #8723 @npmcli/map-workspaces@5.0.1
Chores
- 32bdd83 #8723 fix package-lock (@wraithgar)
- 4bff14b #8670 write tarball to testDir (#8670) (@wraithgar)
- 679486b #8672 fix lockfile (#8672) (@wraithgar)
- @npmcli/arborist@9.1.7
- @npmcli/config@10.4.3
- libnpmdiff@8.0.10
- libnpmexec@10.1.9
- libnpmfund@7.0.10
- libnpmpack@9.0.10
- libnpmpublish@11.1.3
- libnpmversion@8.0.3
v11.6.2 (Compare Source)
Bug Fixes
- c54d1e9 #8633 progress bar code cleanup (#8633) (@wraithgar)
- d352e27 #8629 do not redact notice logs going to stdout (#8629) (@wraithgar)
- 5ac3678 #8617 spelling in ./lib and ./test/lib (#8617) (@jsoref)
- 9197995 #8619 spelling (#8619) (@jsoref)
- dd884e3 #8618 spelling (#8618) (@jsoref)
- f6028e6 #8614 skip redacting urls meant for opening by the user (#8614) (@wraithgar, @jolyndenning)
- 54fd27f #8602 refactor node.ideallyInert to node.inert (#8602) (@liamcmitchell)
- 79e3c1e #8593 use @npmcli/package-json to normalize package data (@wraithgar)
Documentation
- 0469c5e #8639 rewrap markdown (#8639) (@jsoref)
- 9ceb9c1 #8636 rewrap markdown (#8636) (@jsoref)
- 6324370 #8616 fix spelling (#8616) (@jsoref)
- 1b0429a #8607 Fix spelling (#8607) (@jsoref)
- 7fbe07a #8603 clean up deprecated npm access commands (#8603) (@jsoref)
Dependencies
- fa7cc6f
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.