# `npm pack` Workspace Issue

## Timeline

#### Wednesday May 18th

- **2:56pm ET** - @bnb privately reached out noting they were alerted by a third-party tool about exposed tokens in a published package (the tool and the package being [Trufflehog](https://trufflesecurity.com/trufflehog) & `@retrogen/core` respectively)
  - explained that they believe this was a problem with `npm publish` not respecting root-level `.gitignore`'d files when running the command in a workspace
- **3:30pm ET** - confirmed the issue after testing & alerted core team & product internally ~ @darcyclarke
- **4:00pm ET** - investigation began to fix the problem ~ @nlf
  - scope of the issue was determined
    - `.gitignore` & `.npmignore` files that live in the root of a project have **never been respected** by `npm pack` or `npm publish` when run in workspaces (ex. `npm pack -w=foo`)
    - anyone who has run `npm pack` or `npm publish` inside a workspace, expecting their project's root-level `.gitignore` or `.npmignore` to apply, would have been affected since **April 8th, 2021** for `npm pack` ([`v7.9.0`](https://github.com/npm/cli/releases/tag/v7.9.0)) & **May 13th, 2021** for `npm publish` ([`v7.13.0`](https://github.com/npm/cli/releases/tag/v7.13.0))
    - `.gitignore` & `.npmignore` files that lived/live inside a workspace directory **are respected**

#### Thursday May 19th

- **1:00pm ET** - work on unblocking the `npm-packlist` fix continues, with a patch release estimated to be cut within the next 24hrs ~ @nlf / @lukekarrys
  - delayed yesterday's release of `npm` until this is resolved
  - working with internal Security/Advisory teams to determine whether to issue a CVE ~ @darcyclarke
  - working with the Node.js Releasers Team in back-channels to determine if Node.js would require cutting a security release based on the currently known impact ~ @ruyadorno

## Remediation

- [ ] Upgrade to the latest, patched version of `npm` (`v8.x` **TBD**): `npm i -g npm@latest`
- [ ] Check to see if you're affected by this by running `npm publish --dry-run` or `npm pack` inside the specific workspace &/or using a workspace flag (ex. `--workspaces` or `--workspace=<name>`) & checking the list of files included in the tarball against your project's root-level `.gitignore` & `.npmignore`
  - if you find that there are files included you did not expect, you should create & publish a new release excluding those files & deprecate the old package (ex. `npm deprecate <pkg>[@<version>] <message>`)
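The second remediation step (compare the tarball's file list against the root-level ignore files) can be scripted. The following is an added example, not code from the npm CLI project: it reads the JSON that `npm pack --dry-run --json` emits, rewrites each packed path as repository-relative using an assumed workspace directory (`packages/core` here), and reports every file that the root `.npmignore`/`.gitignore` patterns would have excluded. The pack output and the ignore file are constructed samples, the JSON shape (`files` entries with `path`, `size`, `mode`) is assumed from npm's `--json` output, and the matcher is a deliberately simplified version of gitignore semantics (path-component matching, `/`-anchored patterns, trailing-`/` directory patterns, `!` negation, last match wins).

```python
"""Audit the file list from `npm pack --dry-run --json` against root-level ignore files.

Added example (not npm CLI code). Assumed workflow, run from the repository root:
    npm pack --workspace=<name> --dry-run --json > pack.json
Then pass the JSON text, the root .npmignore/.gitignore text and the workspace
directory (assumed here to be packages/core) to audit_packed_files().
"""
import fnmatch
import json

# Constructed sample shaped like `npm pack --json` output for one workspace package.
SAMPLE_PACK_JSON = json.dumps([{
    "id": "@example/core@1.0.0",
    "name": "@example/core",
    "version": "1.0.0",
    "filename": "example-core-1.0.0.tgz",
    "files": [
        {"path": "package.json", "size": 300, "mode": 420},
        {"path": "index.js", "size": 120, "mode": 420},
        {"path": ".env", "size": 64, "mode": 420},
        {"path": "config/service-account.json", "size": 2048, "mode": 420},
        {"path": "lib/util.js", "size": 400, "mode": 420},
    ],
    "entryCount": 5,
}])

# Constructed root-level .npmignore; the bug means npm never consulted it for workspaces.
ROOT_NPMIGNORE = """
# secrets and local config must never ship
.env
*.pem
config/
"""


def parse_ignore(text):
    """Return (negated, pattern) pairs; blank lines and comments are dropped."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        patterns.append((negated, line[1:] if negated else line))
    return patterns


def matches(pattern, repo_path):
    """Simplified gitignore matching against a repository-relative POSIX path.

    - a pattern containing '/' (or starting with one) is anchored at the repo root
    - a trailing '/' makes the pattern match only directories (and everything under them)
    - otherwise the pattern is matched against every path component, so a
      directory name anywhere in the path excludes its contents
    """
    dir_only = pattern.endswith("/")
    anchored = pattern.startswith("/") or "/" in pattern.strip("/")
    pattern = pattern.strip("/")
    if anchored:
        if dir_only:
            return repo_path.startswith(pattern + "/")
        return fnmatch.fnmatchcase(repo_path, pattern)
    parts = repo_path.split("/")
    candidates = parts[:-1] if dir_only else parts
    return any(fnmatch.fnmatchcase(part, pattern) for part in candidates)


def is_ignored(repo_path, patterns):
    """Last matching pattern wins, as in gitignore; a '!' match un-ignores."""
    ignored = False
    for negated, pattern in patterns:
        if matches(pattern, repo_path):
            ignored = not negated
    return ignored


def audit_packed_files(pack_json, ignore_text, workspace_dir):
    """Map package name -> sorted tarball paths the root ignore file should have excluded."""
    patterns = parse_ignore(ignore_text)
    report = {}
    for pkg in json.loads(pack_json):
        leaked = []
        for entry in pkg["files"]:
            # Tarball paths are relative to the workspace; root ignore rules are
            # relative to the repository, so prefix with the workspace directory.
            repo_path = f"{workspace_dir.strip('/')}/{entry['path']}"
            if is_ignored(repo_path, patterns):
                leaked.append(entry["path"])
        report[pkg["name"]] = sorted(leaked)
    return report


if __name__ == "__main__":
    result = audit_packed_files(SAMPLE_PACK_JSON, ROOT_NPMIGNORE, "packages/core")
    for name, paths in result.items():
        if not paths:
            print(f"{name}: OK, nothing the root ignore file excludes")
            continue
        print(f"{name}: UNEXPECTED FILES (republish without them, deprecate the bad version)")
        for path in paths:
            print(f"  - {path}")
```

For the constructed sample the audit flags `.env` and `config/service-account.json`, which is exactly the kind of leak the timeline describes. Prefixing the workspace directory matters: a root `.gitignore` entry such as `packages/core/config/` is anchored relative to the repository, so it only lines up with the tarball's `config/...` entries once the path is rewritten.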