This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

v2.14.1

@othiym23 othiym23 released this 21 Aug 00:33
· 2594 commits to latest since this release

SECURITY FIX

There are patches for two information leaks of moderate severity in npm@2.14.1:

  1. In some cases, npm was leaking sensitive credential information into the child environment when running package and lifecycle scripts. This could lead to packages being published with files (most notably config.gypi, a file created by node-gyp that is a cache of environmental information regenerated on every run) containing the bearer tokens used to authenticate users to the registry. Users with affected packages have been notified (and the affected tokens invalidated), and now npm has been modified to not upload files that could contain this information, as well as scrubbing the sensitive information out of the environment passed to child scripts.
  2. Per-package .npmrc files are used by some maintainers as a way to scope those packages to a specific registry and its credentials. This is a reasonable use case, but by default .npmrc was packed into packages, leaking those credentials. npm will no longer include .npmrc when packing tarballs.

If you maintain packages and believe you may be affected by either of the above scenarios (especially if you've received a security notification from npm recently), please upgrade to npm@2.14.1 as soon as possible. If you believe you may have inadvertently leaked your credentials, upgrade to npm@2.14.1 on the affected machine, and run npm logout and then npm login. Your access tokens will be invalidated, which will eliminate any risk posed by tokens inadvertently included in published packages. We apologize for the inconvenience this causes, as well as the oversight that led to the existence of this issue in the first place.

Huge thanks to @ChALkeR for bringing these issues to our attention, and for helping us identify affected packages and maintainers. Thanks also to the Node.js security working group for their coördination with the team in our response to this issue. We appreciate everybody's patience and understanding tremendously.

  • b9474a8 fstream-npm@1.0.5: Stop publishing build cruft (config.gypi) and per-project .npmrc files to keep local configuration out of published packages. (@othiym23)
  • 13c286d #9348 Filter "private" (underscore-prefixed, even when scoped to a registry) configuration values out of child environments. (@othiym23)
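
The two leaks above, as an added example that is not npm's or fstream-npm's own code: a small audit model of what a lifecycle script would have seen in its environment, which files `npm pack` now drops, and how to spot private config keys in an already-published tarball. The `npm_config_*` name mangling and the key-detection pattern are assumptions made here, not npm's implementation.

```javascript
// Added example, not npm's own code: models the two leaks fixed in npm@2.14.1
// so a maintainer can audit a package directory or an unpacked tarball.

// npm's "private" config values start with "_" (_auth, _authToken, _password),
// also when scoped to a registry, e.g. "//registry.npmjs.org/:_authToken".
// The scoped form is split on its last ":" to reach the real key name.
function isPrivateConfigKey(key) {
  const i = key.lastIndexOf(':');
  return (i === -1 ? key : key.slice(i + 1)).startsWith('_');
}

// Simplified model of npm exposing config to lifecycle scripts as npm_config_*
// variables (the exact name mangling is an assumption). Private keys are
// dropped from the child environment, which is what fix #9348 does.
function scrubbedChildEnv(config, baseEnv = {}) {
  const env = { ...baseEnv };
  for (const [key, value] of Object.entries(config)) {
    if (isPrivateConfigKey(key)) continue;
    env['npm_config_' + key.replace(/[^A-Za-z0-9]+/g, '_')] = String(value);
  }
  return env;
}

// Files fstream-npm@1.0.5 keeps out of tarballs; matched on the basename so
// build/config.gypi (node-gyp's cache of environment info) is caught too.
const NEVER_PACK = new Set(['.npmrc', 'config.gypi']);
function isExcludedFromPack(relPath) {
  return NEVER_PACK.has(relPath.split('/').pop());
}

// Audit helper for a tarball that was already published: report lines carrying
// a private config key (as found in a packed .npmrc, or as npm_config__auth in
// config.gypi). Returns key names and line numbers only, never the values.
const PRIVATE_KEY_RE = /(?:^|[\s"'/:_])(_auth(?:Token)?|_password)\s*[=:"]/;
function findCredentialLines(text) {
  const hits = [];
  text.split('\n').forEach((line, idx) => {
    const m = PRIVATE_KEY_RE.exec(line);
    if (m) hits.push({ line: idx + 1, key: m[1] });
  });
  return hits;
}

// Constructed sample input: a per-package .npmrc as it might have been packed.
const SAMPLE_NPMRC = [
  'registry=https://registry.example.test/',
  '//registry.example.test/:_authToken=EXAMPLE-TOKEN-NOT-REAL',
  'always-auth=true',
].join('\n');
```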

BETTER WINDOWS INTEGRATION, ONE STEP AT A TIME

  • e40e71f #6412 Improve the search strategy used by the npm shims for Windows to prioritize your own local npm installs. npm has really needed this tweak for a long time, so hammer on it and let us know if you run into issues, but with luck it will Just Work. (@joaocgreis)
  • 204ebbb #8751 #7333 Keep autorun scripts from interfering with npm package and lifecycle script execution on Windows by adding /d and /s when invoking cmd.exe. (@saper)

IT SEEMED LIKE AN IDEA AT THE TIME

  • 286f3d9 #9201 For a while npm was building HTML partials for use on docs.npmjs.com, but we weren't actually using them. Stop building them, which makes running the full test suite and installation process around a third faster. (@isaacs)

A SINGLE LONELY DEPENDENCY UPGRADE

  • b343b95 request@2.61.0: Bug fixes and keep-alive tweaks. (@simov)