npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patches

- Upgrade to a patched npm (v8.11.0 or greater), run: npm i -g npm@latest
- Node.js v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of npm

Workarounds / remediation

1. Determine whether your project is affected: run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like --workspaces or --workspace=<name> (ex. npm pack --workspace=foo).
2. Inspect the file list in the command's output, or in the resulting tarball (tar -tvf <package-on-disk> also works), for anything a root-level .gitignore or .npmignore should have excluded.
3. If sensitive files or information were packed or published:
 3.2. Deprecate the affected versions (npm deprecate <pkg>[@<version>] <message>). Note that deprecation only warns installers; the published tarball stays downloadable, so the next step is still required.
 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
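Step 2 above is easy to get wrong by eye on a large package. The following script, an added example that is not part of this advisory or of the npm CLI, automates it: it reads an npm pack tarball (every entry sits under a top-level package/ directory) together with the root-level .npmignore or .gitignore and lists the packed files that one of those rules should have excluded. Its matcher is a deliberate simplification of gitignore semantics (fnmatch patterns, no `!` negation, no special `**` handling), and the tarball and ignore file it builds for demonstration are constructed stand-ins, not real npm output.

```python
"""Audit an `npm pack` tarball against root-level .npmignore/.gitignore rules.

Added example (not from the npm advisory or the npm CLI). Matching is an
approximation of gitignore: fnmatch wildcards, no `!` negation, no `**`.
Usage: python audit_pack.py <tarball.tgz> <ignore-file>
"""
import fnmatch
import io
import sys
import tarfile

# npm always ships package.json regardless of ignore rules, so never flag it.
ALWAYS_PACKED = {"package.json"}


def parse_ignore_rules(text):
    """Return the non-empty, non-comment lines of an ignore file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def path_matches(rel_path, pattern):
    """Approximate gitignore matching of one rule against a package-relative path."""
    is_dir_pattern = pattern.endswith("/")
    pat = pattern.rstrip("/")
    anchored = pat.startswith("/")
    pat = pat.lstrip("/")
    parts = rel_path.split("/")
    if not anchored and "/" not in pat:
        # bare name: matches the file itself or any parent directory;
        # a trailing-slash rule may only match a directory component
        candidates = parts[:-1] if is_dir_pattern else parts
        return any(fnmatch.fnmatchcase(p, pat) for p in candidates)
    # anchored or slash-containing rule: evaluated relative to the package root,
    # against the full path and each of its directory prefixes
    last = len(parts) - 1 if is_dir_pattern else len(parts)
    return any(
        fnmatch.fnmatchcase("/".join(parts[:i]), pat) for i in range(1, last + 1)
    )


def audit_tarball(tar_bytes, rules):
    """Return sorted (path, rule) pairs for packed files an ignore rule covers."""
    leaked = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # strip the leading "package/" that npm pack prepends to every entry
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if rel in ALWAYS_PACKED:
                continue
            for rule in rules:
                if path_matches(rel, rule):
                    leaked.append((rel, rule))
                    break
    return sorted(leaked)


# Constructed stand-in for the output of `npm pack --workspace=foo`.
SAMPLE_NPMIGNORE = """
# root-level .npmignore (constructed sample)
.env
*.key
test/
"""


def build_sample_tarball():
    """Build a small gzipped tarball shaped like an npm pack artifact (constructed)."""
    files = {
        "package/package.json": b'{"name":"foo","version":"1.0.0"}',
        "package/index.js": b"module.exports = 1;\n",
        "package/.env": b"API_TOKEN=constructed-placeholder\n",
        "package/certs/server.key": b"-----BEGIN PRIVATE KEY-----\nconstructed\n",
        "package/test/fixtures/x.json": b"{}",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2]) as g:
            findings = audit_tarball(f.read(), parse_ignore_rules(g.read()))
    else:
        findings = audit_tarball(build_sample_tarball(), parse_ignore_rules(SAMPLE_NPMIGNORE))
    for path, rule in findings:
        print(f"LEAKED {path}  (should have been excluded by rule {rule!r})")
    sys.exit(1 if findings else 0)
```

Run it against the tarball produced by npm pack --workspace=<name> on the affected npm range and the root .npmignore (or .gitignore when no .npmignore exists); a non-zero exit means the pack contains files your exclusion rules were supposed to drop, which is exactly the condition step 3 is about.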