fix(deps): update dependency npm to v8 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
npm (source)	^7.19.0 → ^8.0.0

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

• Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
• Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
3. If you find that there are files included you did not expect, you should:
   3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
   3.2. Deprecate the old package (ex. npm deprecate <pkg>[@&#8203;<version>] <message>)
   3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

• CVE-2022-29244
• npm-packlist
• libnpmpack
• libnpmpublish

---

Release Notes

npm/cli (npm)

v8.11.0

Compare Source

v8.11.0 (2022-05-25)

Features

• 8898710 #​4879 feat: deprecated set-script, birthday, --global, and --local (@​fritzy)
• 7307c8d #​4940 feat(libnpmpack): bump pacote for better workspace awareness (@​nlf)

Bug Fixes

• 400c80f #​4913 fix(ci): remove node_modules post-validation (@​wraithgar)
• 124df81 #​4910 fix: clean up npm cache tests (@​wraithgar)
• ee3308a fix: remove dead code from get-identity (@​wraithgar)
• 357b0af #​4917 fix: pass prefix and workspaces to libnpmpack (@​nlf)
• 0f89e07 #​4935 fix: add global getter to npm class (@​nlf)

Documentation

• 83ed8d0 #​4922 docs: update roadmap link in readme (@​OmriBarZik)
• ed054d4 #​4933 docs: fix broken link in changelog (@​yonran)

Dependencies

• 632ce87 #​4915 deps: cacache@16.1.0
• 7b2b77a #​4915 deps: make-fetch-happen@10.1.5
• f3b0a24 #​4915 deps: pacote@13.4.1
• 0df3011 #​4915 deps: ssri@9.0.1
• dc38ab9 #​4919 deps: npm-packlist@5.0.4
• 353e2f9 #​4940 deps: pacote@13.5.0 npm-packlist@5.1.0
• f4d4126 #​4941 deps: libnpmpack@4.1.0

v8.10.0

Compare Source

v8.10.0 (2022-05-11)

Features

• 911f55d #​4864 feat: add --iwr alias for --include-workspace-root (@​fritzy)
• bfb8bcc #​4874 feat: add flag --omit-lockfile-registry-resolved (@​fritzy) (Caleb ツ Everett)

Bug Fixes

• 48d2db6 #​4862 fix: remove test coverage map (@​wraithgar)
• 38cf29a #​4868 fix: cleanup star/unstar (@​wraithgar)
• 5baa4a7 #​4857 fix: consolidate bugs, docs, repo command logic (@​wraithgar)
• 5a50762 #​4875 fix(arborist): link deps lifecycle scripts (@​ruyadorno)

Dependencies

• d58bf40 #​4856 deps: npm-packlist@5.0.3
• 86f443e #​4872 deps: make-fetch-happen@10.1.3
• f9984e6 #​4880 deps: @npmcli/arborist@5.2.0
• ba59915 #​4881 deps: socks-proxy-agent@6.2.0
• c0806ba #​4881 deps: http-proxy-agent@5.0.1
• cc7be6b #​4881 deps: is-core-module@2.9.0
• 0432c7d #​4881 deps: lru-cache@7.9.0
• 5778820 #​4881 deps: just-diff@5.0.2
• 893dd00 #​4881 deps: ip@1.1.8
• 6ab85bd #​4881 deps: builtins@5.0.1

v8.9.0

Compare Source

v8.9.0 (2022-05-04)

Features

• 62af3a1 #​4835 feat: make npm owner workspace aware (@​wraithgar)

Bug Fixes

• d654e7e #​4781 fix: start consolidating color output (@​wraithgar)
• b9a966c #​4843 fix(exec): ignore packageLockOnly flag (@​nlf)

Documentation

• 8fd7eec #​4845 docs: remove incorrect v6 auto prune info (@​wraithgar)
• 5f59f80 #​4847 docs: show complex object interactions in npm pkg (@​wraithgar)

Dependencies

• 62faf8a #​4837 deps: pacote@13.2.0
• 4ff7d3d #​4816 deps: cacache@16.0.7
• e2e9c81 #​4852 deps: pacote@13.3.0

v8.8.0

Compare Source

v8.8.0 (2022-04-27)

Features

• bedd8a1 #​4745 feat: add install-links config definition (@​nlf)

Bug Fixes

• 6253d19 #​4643 fix(exec): workspaces support (@​ruyadorno)
• e9163b4 #​4657 fix(libnpmpublish): unpublish from custom registry (@​ruyadorno)
• a677f49 #​4778 fix: Use node in and fallback to PATH if not found (@​elibus)
• b10462e #​4752 fix: completion for deprecate cmd (@​wraithgar)
• ced0acf #​4775 fix: consolidate registryConfig application logic (@​wraithgar)
• b06e89f #​4679 fix(install): do not install invalid package name (@​ruyadorno)
• 9ea2603 #​4786 fix: normalize win32 paths before globbing (@​lukekarrys)
• 8da28b4 #​4757 fix: remove lib/utils/read-package-name.js (@​wraithgar)

Documentation

• a6ea884 #​4745 docs: add some more docs for --install-links (@​nlf)
• 6cd6831 #​4782 docs: explain that _auth only goes to npm registry (@​wraithgar)
• fa3d829 #​4772 docs: include org instructions in scoped publish (@​bnb)

Dependencies

• 36899d1 #​4807 deps: @npmcli/arborist@5.1.1
  • 0ebadf5 #​4745 add support for installLinks (@​nlf)
  • 3d96494 #​4745 when replacing a Link with a Node, make sure to remove the Link target from the root (@​nlf)
• 3f2b24a #​4786 deps: @npmcli/map-workspaces@2.0.3
• b1b6948 #​4808 deps: libnpmexec@4.0.5
  • 4a46a27 #​4777 fix read mixed local/registry pkg (@​ruyadorno)
• 9f57404 #​4743 deps: npm-registry-fetch@13.1.1
• 532883f #​4786 deps: cacache@16.0.6
• 4d1398e #​4786 deps: npm-profile@6.0.3
• 5e31322 #​4786 deps: npmlog@6.0.2
• 4eb2ccb #​4786 deps: read-package-json@5.0.1
• aeb54e4 #​4786 deps: glob@8.0.1
• 252b2b1 #​4786 deps: npm-packlist@5.0.2
• c51e553 #​4786 deps: semver@7.3.7
• 13299ee #​4786 deps: lru-cache@7.8.1
• 0f2da5d #​4786 deps: cli-table3@​0.6.2
• 0ee57f1 #​4805 deps: libnpmpublish@6.0.4
• 8a633a4 #​4806 deps: libnpmversion@3.0.4

v8.7.0

Compare Source

v8.7.0 (2022-04-13)

Features

• 6611e91 #​4723 feat(config): add more npm/node information to config ls (@​lukekarrys)
• c057b90 #​4740 feat(config): warn on deprecated configs (@​lukekarrys)

Bug Fixes

• 2829cb2 #​4658 fix: update readme badges (@​lukekarrys)
• e3da5df #​4667 fix: replace deprecated String.prototype.substr() (@​CommanderRoot)
• 2a26e5e #​4645 fix: remove dedupe --save (@​wraithgar)
• 47438ff #​4645 fix: do not export npm_config_include_workspace_root (@​wraithgar)
• 840c338 #​4678 fix(run-script): don't cascade if-present config (@​ruyadorno)
• 4d676e3 #​4709 fix(arborist): when reloading an edge, also refresh overrides (@​nlf)
• 3f7fe17 #​4659 fix: skip update notifier file if not requested (@​lukekarrys)
• 5ba7f0c #​4726 fix: show more information during publish dry-run (@​lukekarrys)
• aa4a4da #​4735 fix(arborist): dont skip adding advisories to audit based on name/range (@​lukekarrys)
• 0cd852f #​4741 fix: mitigate doctor test race condition (@​wraithgar)
• ba8b2a7 #​4744 fix(ls): make --omit filter npm ls (@​lukekarrys)

Documentation

• 85b3c48 #​4666 docs(ci): add note that configuration must be consistent between install and ci (@​nlf)
• 44108f7 #​4670 docs: fix npm-uninstall typo (@​JSKitty)

Dependencies

• aaf86f6 #​4674 deps: @npmcli/metavuln-calculator@3.1.0
• 4a9a705 #​4691 deps: @npmcli/package-json@2.0.0
• 1a90b9e #​4691 deps: treeverse@2.0.0
• f86f1af #​4691 deps: @npmcli/disparity-colors@2.0.0
• 3a76dff #​4691 deps: make-fetch-happen@10.1.2
• 0230428 #​4691 deps: @npmcli/config@4.0.2
• 82dc75f #​4691 deps: npm-pick-manifest@7.0.1
• ad99360 #​4691 deps: npm-install-checks@5.0.0
• 79fc706 #​4691 deps: bin-links@3.0.1
• 1f2fb1e #​4691 deps: @npmcli/git@3.0.1
• 0f23c33 #​4691 deps: @npmcli/run-script@3.0.2
• 485753d #​4691 deps: cacache@16.0.4
• e9b25cd #​4691 deps: @npmcli/move-file@2.0.0
• 0e87cac #​4691 deps: @npmcli/node-gyp@2.0.0
• b632746 #​4691 deps: @npmcli/promise-spawn@3.0.0
• b1863bf #​4691 deps: pacote@13.1.1
• a2781a3 #​4691 deps: ssri@9.0.0
• 5172e03 #​4691 deps: ini@3.0.0
• 71296d5 #​4691 deps: npm-package-arg@9.0.2
• 69d8343 #​4691 deps: graceful-fs@4.2.10
• c44c2b0 #​4691 deps: lru-cache@7.7.3
• 38029ed #​4691 deps: dezalgo@1.0.4
• e57353c #​4691 deps: semver@7.3.6
• 1b30c72 #​4691 deps: minimatch@5.0.1
• c70232c #​4706 deps: @npmcli/arborist@5.0.5
• baff482 #​4705 deps: libnpmdiff@4.0.3
• dda8a97 #​4704 deps: libnpmorg@4.0.3
• 8914864 #​4703 deps: libnpmaccess@6.0.3
• 3516f61 #​4702 deps: libnpmfund@3.0.2
• ecd22b0 #​4701 deps: libnpmversion@3.0.2
• 7ed9faf #​4700 deps: libnpmhook@8.0.3
• df92e23 #​4699 deps: libnpmexec@4.0.3
• 5074adc #​4698 deps: libnpmsearch@5.0.3
• 35e5100 #​4697 deps: libnpmteam@4.0.3
• 86f5b27 #​4696 deps: libnpmpack@4.0.3
• 1617bce #​4695 deps: libnpmpublish@6.0.3
• e33aa0f #​4714 deps: remove stringify-package
• 98377d1 #​4740 deps: @npmcli/config@4.1.0
• 605ccef #​4728 deps: remove ansistyles
• c22fb1e #​4728 deps: remove ansicolors
• 970244c #​4734 deps: libnpmversion@3.0.3
• 42dc0b0 #​4733 deps: @npmcli/arborist@5.0.6

v8.6.0

Compare Source

v8.6.0 (2022-03-31)

Features

• 723a0918a #​4588 feat(version): reify on workspace version change (@​ruyadorno)
• cc6c09431 #​4594 feat: add logs-dir config to set custom logging location (@​lukekarrys)

Bug Fixes

• 98bfd9a8c fix: remove always true condition (#​4590) (@​XhmikosR)
• 81afa5a88 #​4601 fix(unpublish): properly apply publishConfig (@​wraithgar)
• 716a07fde #​4607 fix: 100% coverage in tests (@​wraithgar)
• 6f9cb490e #​4614 fix(arborist): handle link nodes in old lockfiles correctly (@​nlf)
• 18b8b9435 #​4617 fix(arborist): make sure resolveParent exists before checking props (@​nlf)
• bd96ae407 #​4599 fix(arborist): identify and repair invalid nodes in the virtual tree (@​nlf)
• 99d884542 #​4599 fix: make sure we loadOverrides on the root node in loadVirtual() (@​nlf)
• 45dd8b861 #​4609 fix: move shellout logic into commands (@​wraithgar)
• a64acc0bf #​4609 fix: really load all commands in tests, add description to birthday (@​wraithgar)
• d8dcc02cf #​4609 fix: consolidate command alias code (@​wraithgar)
• f76d4f2f6 #​4609 fix: consolidate is-windows code (@​wraithgar)
• 57d8f75eb #​4609 fix: consolidate node version support logic (@​wraithgar)
• 0a957f5e2 #​4609 fix: consolidate path delimiter logic (@​wraithgar)
• 738a40445 #​4609 fix: bump knownBroken to <12.5.0 (@​wraithgar)
• 8b65bfd5d #​4629 fix: return otplease fn results (@​wraithgar)
• d8d374d23 #​4632 fix: consolidate split-package-names (@​wraithgar)
• cc0a2ec99 #​4611 fix: work better with system manpages (#​4610) (@​d0sboots)
• 668ec7f33 #​4644 fix: only call npmlog progress methods if explicitly requested (@​lukekarrys)

Documentation

• ff1367f01 #​4641 docs: recommend prepare over prepublish (@​verhovsky)

Dependencies

• 6df061ec2 #​4594 deps: npm-registry-fetch@13.1.0
• 6dd1139c9 #​4594 deps: cacache@16.0.3
• feb4446d5 #​4616 deps: make-fetch-happen@10.1.0
• c33b53311 #​4613 deps: minipass-fetch@2.1.0
• 6a4c8ff89 #​4606 deps: npm-audit-report@3.0.0
• 6e0a131d2 #​4627 deps: debug@4.3.4
• 0f1cd60a1 #​4627 deps: proc-log@2.0.1
• da377eed5 #​4627 deps: parse-conflict-json@2.0.2
• 726a8a07a #​4627 deps: gauge@4.0.4
• aac01b89c #​4628 deps: @npmcli/template-oss@3.2.1
• 52dfaf239 #​4630 deps: make-fetch-happen@10.1.1
• 9778a5387 #​4635 deps: init-package-json@3.0.2
• 86eff5dcc #​4635 deps: npm-package-arg@9.0.2
• 5b4cbb217 #​4635 deps: validate-npm-package-name@4.0.0
• a59fd2cb8 #​4639 deps: @npmcli/template-oss@3.2.2
• 679e569d5 #​4655 deps: @npmcli/arborist@5.0.4

v8.5.5

Compare Source

v8.5.5 (2022-03-17)

Bug Fixes

• 0e7511d14 #​4261 fix(arborist): _findMissingEdges missing dependency due to inconsistent path separators (@​salvadorj)
• c83069436 #​4547 fix: omit bots from authors (@​wraithgar)
• f66da2ed8 #​4565 fix(owner): bypass cache when fetching packument (@​wraithgar)
• f0c6e86ca #​4572 fix: remove name from unpublished message (@​wraithgar)
• f7e58fa74 #​4572 fix: remove "bug the author" message from package 404 (@​wraithgar)
• 5471ff5fe #​4573 fix: add isntall alias to install (@​wraithgar)
• 84d19210e #​4576 fix: properly show npm view ./directory (@​wraithgar)
• e9a2981f5 #​4578 fix(arborist): save workspace version (@​ruyadorno)

Documentation

• a30405258 #​4580 docs: add foreground-scripts and ignore-scripts to commands (@​wraithgar)
• 2361a68e1 #​4582 docs: add isntall alias to install command (@​wraithgar)
• 8ff1dfaae #​4575 docs: explain that linked deps need npm install ran in them (@​wraithgar)
• ddbb505ec #​4574 docs: explain that git-tag-version=false does not commit (@​wraithgar)
• 7c878b978 #​4584 docs: fix unpublish docs to auto generate usage (@​wraithgar)

Dependencies

• fcc6acfa8 #​4562 deps: @npmcli/metavuln-calculator@3.0.1
• 6d3145014 #​4562 deps: pacote@13.0.4
• f6b771aab #​4562 deps: make-fetch-happen@10.0.6
• e26548fb1 #​4562 deps: cacache@16.0.0
• 915dda7ab #​4562 deps: init-package-json@3.0.1
• f2ec2ef1f #​4562 deps: read-package-json@5.0.0
• 340fa51f4 #​4562 deps: pacote@13.0.5
• 9555a5f1d #​4562 deps: npm-package-arg@9.0.1
• b2a494283 #​4562 deps: normalize-package-data@4.0.0
• 1cb88f4b3 #​4562 deps: hosted-git-info@5.0.0
• f95396a03 #​4562 deps: cacache@16.0.1
• aec2bfecc #​4585 deps: cacache@16.0.2
• ed8ab63e4 deps: libnpmpack@4.0.2
• 0b73bfa82 deps: libnpmteam@4.0.2
• 475d59b36 deps: libnpmaccess@6.0.2
• 7201c7395 deps: libnpmsearch@5.0.2
• f5df358c3 deps: libnpmorg@4.0.2
• 472e7dd7a deps: libnpmhook@8.0.2
• c901d7290 deps: libnpmpublish@6.0.2
• aad53327f deps: @npmcli/arborist@5.0.3
• b40136bca deps: libnpmdiff@4.0.2
• 5d91201d1 deps: libnpmexec@4.0.2

v8.5.4

Compare Source

v8.5.4 (2022-03-10)

Bug Fixes

• fbdb43138 #​4529 fix(rebuild): don't run lifecycle scripts twice on linked deps (@​wraithgar)
• 1c182e11d #​4495 fix(doctor): don't retry ping (@​wraithgar)
• 55ab38c53 #​4495 fix(doctor): allow for missing local bin and node_modules (@​wraithgar)
• 5c06a33e6 #​4528 fix: clean up owner command and otplease (@​wraithgar)

Documentation

• 2485064da #​4524 docs: fix typo in configuring-npm/package-json.md (@​dlcmh)
• 91f03ee61 #​4510 docs: standardize changelog heading (@​wraithgar)

Dependencies

• 377f55e0e #​4530 deps: make-fetch-happen@10.0.5
  • add code property to unsupported proxy url error
• 40b7fbf67 #​4531 deps: read-package-json@4.1.2
  • don't throw exception on invalid main attr
• d9dc70ce4 #​4545 deps: map-workspaces@2.0.2
  • evaluate all patterns before throwing EDUPLICATEWORKSPACE
• 70fcfb46b deps: libnpmfund@3.0.1
• 621cd033f deps: @npmcli/arborist@5.0.2
• 087fdc4cb deps: libnpmpublish@6.0.1
• d24c6d288 deps: libnpmhook@8.0.1
• fa59830fc deps: libnpmsearch@5.0.1
• 6d5f22b86 deps: libnpmexec@4.0.1
• 69ea54350 deps: libnpmaccess@6.0.1
• 4742d7cf3 deps: libnpmteam@4.0.1
• fdd255ae9 deps: libnpmorg@4.0.1
• ed41bc101 deps: libnpmdiff@4.0.1
• 21e241025 deps: libnpmversion@3.0.1
• ec7f36ff9 deps: libnpmpack@4.0.1
• ad4b56414 deps: gauge@4.0.3

v8.5.3

Compare Source

v8.5.3 (2022-03-03)

Bug Fixes

• defe79ad6 #​4480 fix: publish of tarballs includes README in packument (@​fritzy)
• 45fc297f1 #​4479 fix: ignore implict workspace for some commands (@​fritzy)
• a0900bdf1 #​4481 fix(ls): respect --include-workspace-root (@​fritzy)
• 0cfc155db #​4476 fix: set proper workspace repo urls in package.json (@​ljharb)
• 9e43de8a5 #​4493 fix: ignore implicit workspace for whoami (@​nlf)

Dependencies

• d13f067d9 #​4490 deps: @npmcli/run-script@3.0.1 (@​wraithgar)
• ce9a6eac0 #​4490 deps: node-gyp@9.0.0 (@​wraithgar)
• bd660f5f1 #​4490 deps: @npmcli/config@4.0.1
• 3c17b6965 #​4490 deps: make-fetch-happen@10.0.4
• e9b69c4c5 #​4490 deps: npm-registry-fetch@13.0.1
• cf27ca888 #​4490 deps: write-file-atomic@4.0.1
• f3421921a #​4490 deps: gauge@4.0.2
• 1dd2f7ee1 #​4490 deps: socks@2.6.2
• 236e3b403 #​4490 deps: minimatch@3.1.2 (@​wraithgar)
• 10e1326d2 #​4490 deps: lru-cache@7.4.0

v8.5.2

Compare Source

v8.5.2 (2022-02-24)

Bug Fixes

• 9bdd1ace8 #​4300 fix(arborist): use full location as tracker key when inflating (@​lukekarrys) (@​kirtangajjar)
• c9ff797e8 #​4457 fix: remove html comments from man entries (@​wraithgar)
• f4c5f0e52 #​4462 fix(arborist): fix unescaped p

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Vancouver, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 8.x releases. But if you manually upgrade to 8.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.