Package Instance

Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
### Duplicate Advisory
This advisory has been withdrawn because describes a dependency bump and therefore, per [CVE CNA rule 4.1.12](https://www.cve.org/ResourcesSupport/AllResources/CNARules/#section_4-1_Vulnerability_Determination), is a duplicate of GHSA-34x7-hfp2-rc4v/CVE-2026-24842. Additionally, per https://github.com/npm/cli/issues/8939#issuecomment-3862719883, npm cli should not be listed as an affected product. This link is maintained to preserve external references.

### Original Description
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.

Packing does not respect root-level ignore files in workspaces
### Impact
`npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` with workspaces, as of [v7.9.0](https://github.com/npm/cli/releases/tag/v7.9.0) & [v7.13.0](https://github.com/npm/cli/releases/tag/v7.13.0) respectively, may be affected and have published files into the npm registry they did not intend to include.

### Patch
- Upgrade to the latest, patched version of `npm` ([`v8.11.0`](https://github.com/npm/cli/releases/tag/v8.11.0) or greater), run: `npm i -g npm@latest`
- Node.js versions [`v16.15.1`](https://github.com/nodejs/node/releases/tag/v16.15.1), [`v17.19.1`](https://github.com/nodejs/node/releases/tag/v17.9.1) & [`v18.3.0`](https://github.com/nodejs/node/releases/tag/v18.3.0) include the patched `v8.11.0` version of `npm`

#### Steps to take to see if you're impacted
1. Run `npm publish --dry-run` or `npm pack` with an `npm` version `>=7.9.0` & `<8.11.0` inside the project's root directory using a workspace flag like: `--workspaces` or `--workspace=<name>` (ex. `npm pack --workspace=foo`)
2. Check the output in your terminal which will list the package contents (note: `tar -tvf <package-on-disk>` also works)
3. If you find that there are files included you did not expect, you should:
  3.1. Create & publish a new release excluding those files (ref. ["Keeping files out of your Package"](https://docs.npmjs.com/cli/v8/using-npm/developers#keeping-files-out-of-your-package))
  3.2. Deprecate the old package (ex. `npm deprecate <pkg>[@<version>] <message>`)
  3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
### References
- [CVE-2022-29244](https://nvd.nist.gov/vuln/detail/CVE-2022-29244)
- [`npm-packlist`](https://github.com/npm/npm-packlist)
- [`libnpmpack`](https://github.com/npm/cli/tree/latest/workspaces/libnpmpack)
- [`libnpmpublish`](https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish)