npm CLI 信息泄露漏洞

npm CLI is a package manager from the US company npm. An information disclosure vulnerability exists in the npm CLI npm-packlist version v7.9.0 and v7.13.0, which stems from a runtime omission of the root-level .gitignore and .npmignore file exclusion directives...

GHSA-HJ9C-8JMM-8C52 Packing does not respect root-level ignore files in workspaces

Impact npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag ie. --workspaces, --workspace=. Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published...