Debian Package Tracker

npm

package manager for Node.js


general
  • source: npm (main)
  • version: 9.2.0~ds2-2
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Jérémy Lal [DMD]
  • arch: all
  • std-ver: 4.6.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 7.5.2+ds-2
  • oldstable: 9.2.0~ds1-1
  • stable: 9.2.0~ds1-3
  • testing: 9.2.0~ds2-2
  • unstable: 9.2.0~ds2-2
versioned links
  • 7.5.2+ds-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.2.0~ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.2.0~ds1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 9.2.0~ds2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • npm (9 bugs: 0, 7, 2, 0)
action needed
A new upstream version is available: 11.8.0 high
A new upstream version, 11.8.0, is available; you should consider packaging it.
Created: 2025-11-27 Last update: 2026-02-01 05:01
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2026-0775: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Created: 2026-01-24 Last update: 2026-01-24 07:02
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2026-0775: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Created: 2026-01-24 Last update: 2026-01-24 07:02
1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-0775: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Created: 2026-01-24 Last update: 2026-01-24 07:02
4 security issues in bullseye high

There are 4 open security issues in bullseye.

1 important issue:
  • CVE-2026-0775: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
3 issues postponed or untriaged:
  • CVE-2021-39134: (needs triaging) `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in `package.json` manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the `node_modules` hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as `file:/some/path`, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem. For example, a package `pwn-a` could define a dependency in their `package.json` file such as `"foo": "file:/some/path"`. Another package, `pwn-b` could define a dependency such as `FOO: "file:foo.tgz"`. On case-insensitive file systems, if `pwn-a` was installed, and then `pwn-b` was installed afterwards, the contents of `foo.tgz` would be written to `/some/path`, and any existing contents of `/some/path` would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above.
  • CVE-2021-39135: (needs triaging) `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. 1. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) 2. An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.
  • CVE-2021-43616: (needs triaging) The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
Created: 2026-01-24 Last update: 2026-01-24 07:02
1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2026-0775: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Created: 2026-01-24 Last update: 2026-01-24 07:02
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 11.7.0~ds1-1, distribution experimental) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 94e6ed9e5e1b52b8c3b287b7efa5e497b378bda6
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jan 12 00:12:21 2026 +0100

    Target experimental

commit 1cb3297e1e1c5b78cfc35cea2003447af9fcc0a4
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jan 12 00:10:48 2026 +0100

    New release

commit 0867e813914c39eddfc07c41a3c448195bee85fc
Merge: 861b895 ac01146
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jan 12 00:09:42 2026 +0100

    Update upstream source from tag 'upstream/11.7.0_ds1'
    
    Update to upstream version '11.7.0~ds1'
    with Debian dir 03c638612576c9b0fa904a0db6bcc14a4ec2ff7d

commit ac011460cb257f8903e9b180594308aac96d6a94
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jan 12 00:09:13 2026 +0100

    New upstream version 11.7.0~ds1

commit 861b89536e1ba9248e33fc8dc3107a08921afa05
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jan 12 00:01:08 2026 +0100

    Drop cross-spawn

commit 2d874b5f0a32818194fa7f2ecfe27816e7375a7f
Author: Bastien Roucariès <rouca@debian.org>
Date:   Sun Jan 11 23:59:18 2026 +0100

    Drop fs-minipass

commit 3fe27a5b54336e55085bf985e2fb84d2b24d20ee
Author: Bastien Roucariès <rouca@debian.org>
Date:   Sun Jan 11 23:39:35 2026 +0100

    Update rimraf patch

commit ca3b3c98f1699edd057abf1ba0b5b4946cdaadcc
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu Dec 25 16:49:48 2025 +0100

    New upstream version 9.2.0~ds2

commit 90fbce2d80d9190c96785ff742bf89874a0b2340
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu Dec 25 16:35:48 2025 +0100

    New upstream version 9.2.0~ds2
Created: 2023-11-26 Last update: 2026-01-27 21:31
lintian reports 76 warnings normal
Lintian reports 76 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2025-12-29 Last update: 2025-12-29 07:02
debian/patches: 2 patches to forward upstream low

Among the 11 debian patches available in version 9.2.0~ds2-2 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-12-29 06:00
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.2).
Created: 2024-04-07 Last update: 2025-12-29 00:30
news
[rss feed]
  • [2026-01-01] npm 9.2.0~ds2-2 MIGRATED to testing (Debian testing watch)
  • [2025-12-28] Accepted npm 9.2.0~ds2-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2025-12-28] npm 9.2.0~ds2-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-25] Accepted npm 9.2.0~ds2-1 (source) into unstable (Jérémy Lal)
  • [2025-12-01] npm 9.2.0~ds1-4 MIGRATED to testing (Debian testing watch)
  • [2025-11-23] Accepted npm 9.2.0~ds1-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-05-29] npm 9.2.0~ds1-3 MIGRATED to testing (Debian testing watch)
  • [2024-05-27] Accepted npm 9.2.0~ds1-3 (source) into unstable (Jérémy Lal)
  • [2023-11-25] npm 9.2.0~ds1-2 MIGRATED to testing (Debian testing watch)
  • [2023-11-23] Accepted npm 9.2.0~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-12-14] npm 9.2.0~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-12-11] Accepted npm 9.2.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-12-08] npm 9.1.3~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-12-02] Accepted npm 9.1.3~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-12-01] npm 9.1.2~ds1-3 MIGRATED to testing (Debian testing watch)
  • [2022-11-29] Accepted npm 9.1.2~ds1-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-11-21] npm 9.1.2~ds1-2 MIGRATED to testing (Debian testing watch)
  • [2022-11-18] Accepted npm 9.1.2~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-11-18] Accepted npm 9.1.2~ds1-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2022-11-16] Accepted npm 9.1.1~ds1-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2022-09-26] npm 8.19.2~ds1-2 MIGRATED to testing (Debian testing watch)
  • [2022-09-21] Accepted npm 8.19.2~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-09-21] npm 8.19.2~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-09-17] Accepted npm 8.19.2~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-08-27] npm 8.18.0~ds1-1 MIGRATED to testing (Debian testing watch)
  • [2022-08-22] Accepted npm 8.18.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-08-18] npm 8.17.0~ds1-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 11
  • RC: 0
  • I&N: 9
  • M&W: 2
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 76)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 9.2.0~ds2-2
  • 29 bugs (1 patch)

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers