Debian Package Tracker

npm

package manager for Node.js


general
  • source: npm (main)
  • version: 8.16.0~ds1-1
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Jérémy Lal [DMD]
  • arch: all
  • std-ver: 4.6.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-bpo: 5.8.0+ds6-2~bpo9+1
  • oldstable: 5.8.0+ds6-4+deb10u2
  • old-bpo: 7.4.0+ds-1~bpo10+2
  • stable: 7.5.2+ds-2
  • stable-bpo: 8.5.5~ds1-1~bpo11+1
  • testing: 8.15.1~ds1-1
  • unstable: 8.16.0~ds1-1
versioned links
  • 5.8.0+ds6-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 5.8.0+ds6-4+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.4.0+ds-1~bpo10+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.5.2+ds-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.5.5~ds1-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.15.1~ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.16.0~ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • npm (4 bugs: 0, 4, 0, 0)
action needed
lintian reports 15 warnings (severity: normal)
Lintian reports 15 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2021-10-13 Last update: 2022-07-30 12:15
3 low-priority security issues in bullseye (severity: low)

There are 3 open security issues in bullseye.

3 issues left for the package maintainer to handle:
  • CVE-2021-39134: (needs triaging) `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and that the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and by nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist at the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in its `package.json` file such as `"foo": "file:/some/path"`. Another package, `pwn-b`, could define a dependency such as `FOO: "file:foo.tgz"`. On case-insensitive file systems, if `pwn-a` was installed and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2, which is included in npm v7.20.7 and above.
  • CVE-2021-39135: (needs triaging) `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and that the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed:
    • A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.)
    • An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe.
    This is patched in @npmcli/arborist 2.8.2, which is included in npm v7.20.7 and above. For more information, including workarounds, please see the referenced GHSA-gmw6-94gg-2rc2.
  • CVE-2021-43616: (needs triaging) The `npm ci` command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if the dependency information in `package-lock.json` differs from `package.json`. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in `package-lock.json`.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2022-08-08 07:34
testing migrations
  • excuses:
    • Migration status for npm (8.15.1~ds1-1 to 8.16.0~ds1-1): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
      • Too young, only 4 of 5 days old
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/n/npm.html
      • autopkgtest for npm/8.16.0~ds1-1: amd64: Pass, arm64: Pass, armel: Not a regression, armhf: Pass, i386: Pass, ppc64el: Pass, s390x: Pass
    • Not considered
news
  • [2022-08-07] Accepted npm 8.16.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-08-03] npm 8.15.1~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-07-29] Accepted npm 8.15.1~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-07-25] Accepted npm 8.15.0~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-07-25] Accepted npm 8.15.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-07-18] npm 8.14.0~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-07-16] Accepted npm 8.14.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-07-03] npm 8.13.2~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-30] Accepted npm 8.13.2~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-06-28] npm 8.13.1~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-26] Accepted npm 8.13.1~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-06-19] npm 8.12.2~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-16] Accepted npm 8.12.2~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-06-06] npm 8.12.1~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-06-04] Accepted npm 8.12.1~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-06-01] npm 8.11.0~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-05-30] Accepted npm 8.11.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-05-15] npm 8.10.0~ds1-2 MIGRATED to testing (Debian testing watch)
  • [2022-05-12] Accepted npm 8.10.0~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-05-12] Accepted npm 8.10.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-05-10] npm 8.9.0~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-05-08] Accepted npm 8.9.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-05-02] npm 8.8.0~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-29] Accepted npm 8.8.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-04-27] npm 8.7.0~ds1-2 MIGRATED to testing (Debian testing watch)
  • [2022-04-25] Accepted npm 8.7.0~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-04-24] Accepted npm 8.7.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-04-09] npm 8.6.0~ds2-2 MIGRATED to testing (Debian testing watch)
  • [2022-04-06] Accepted npm 8.6.0~ds2-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-04-06] Accepted npm 8.6.0~ds2-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
bugs [bug history graph]
  • all: 4
  • RC: 0
  • I&N: 4
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 15)
  • buildd: logs, clang, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 8.16.0~ds1-1
  • 26 bugs (1 patch)

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers