chore(deps): update dependency npm to 8.11.0 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change
npm	7.21.0 -> 8.11.0

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

• Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
• Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Steps to take to see if you're impacted

1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
3. If you find that there are files included you did not expect, you should:
   3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
   3.2. Deprecate the old package (ex. npm deprecate <pkg>[@&#8203;<version>] <message>)
   3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References

• CVE-2022-29244
• npm-packlist
• libnpmpack
• libnpmpublish

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[commit-lint]

Chore

• deps: update dependency npm to 8.11.0 [security] (99c18dc)

Contributors

renovate[bot]

Commit-Lint commands

You can trigger Commit-Lint actions by commenting on this PR:

• @Commit-Lint merge patch will merge dependabot PR on "patch" versions (X.X.Y - Y change)
• @Commit-Lint merge minor will merge dependabot PR on "minor" versions (X.Y.Y - Y change)
• @Commit-Lint merge major will merge dependabot PR on "major" versions (Y.Y.Y - Y change)
• @Commit-Lint merge disable will desactivate merge dependabot PR
• @Commit-Lint review will approve dependabot PR
• @Commit-Lint stop review will stop approve dependabot PR