npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

How npm is affected by the recently disclosed git vulnerability

npm cli users should make sure that they have git version 2.17.1 or later installed to protect against a recent code execution vulnerability involving git submodules.

On May 29th, a new version of git (2.17.1) was published which addressed a flaw in how git submodules are handled. The flaw allowed code execution on a user’s system when a recursive clone (git clone --recursive) of a specially crafted repository was performed.

The npm cli supports git dependencies; to do so it delegates the act of cloning these dependencies to the git command installed on the user’s system. Because of this delegation, a vulnerable git makes the npm cli vulnerable too: if a git dependency points at a malicious repository, npm could be tricked into cloning it, and the clone could execute code on the user’s system.

To check which version of git you have installed, run git --version:

$ git --version
git version 2.17.1

Updating git is a different process on different systems. Update git using whatever method you originally installed it with.
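The version check above is easy to get wrong when scripted (a string comparison ranks 2.9.5 above 2.17.1, and vendor builds append suffixes such as 2.17.1.windows.2). As an added example, not code from the npm blog post or from the npm cli, the POSIX shell script below parses the output of git --version, compares the three numeric components against the 2.17.1 minimum the post recommends, and exits non-zero so a setup script or CI job can stop before running npm install against git dependencies. The function names, messages and exit codes are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the npm blog post or from the npm cli.
# Checks that the git the npm cli will delegate to is at least 2.17.1
# (the minimum the post recommends) before an npm install that may pull
# git dependencies. Function names, messages and exit codes are our own.

MIN_GIT_VERSION="2.17.1"

# version_ge HAVE WANT
# Return 0 when dotted version HAVE is >= WANT, comparing each of the three
# components numerically. A plain string comparison would rank 2.9.5 above
# 2.17.1, which is exactly the mistake that lets an old git slip through.
version_ge() {
    have=$1
    want=$2
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s\n' "$have" | cut -d. -f"$i")
        w=$(printf '%s\n' "$want" | cut -d. -f"$i")
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# git_version_ok "git version X.Y.Z..."
# Take the raw output of `git --version` and return 0 when it is at least
# MIN_GIT_VERSION. Vendor suffixes such as "2.17.1.windows.2" (Git for
# Windows) or a trailing "(Apple Git-NN)" are ignored; output that does not
# parse at all is treated as unsafe rather than assumed fine.
git_version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        return 1
    fi
    version_ge "$ver" "$MIN_GIT_VERSION"
}

# check_installed_git
# Run `git --version` on this machine and report. Exit status 0 = safe,
# 1 = too old, 2 = git not found.
check_installed_git() {
    out=$(git --version 2>/dev/null) || {
        echo "git not found in PATH" >&2
        return 2
    }
    if git_version_ok "$out"; then
        echo "ok: $out (>= $MIN_GIT_VERSION)"
        return 0
    fi
    echo "UNSAFE: \"$out\" is older than $MIN_GIT_VERSION; update git before installing git dependencies" >&2
    return 1
}

# Run the live check only when asked, so the file can also be sourced:
#   sh check-git.sh --check && npm install
case "${1-}" in
    --check) check_installed_git ;;
esac
```

Run it as sh check-git.sh --check before npm install in CI or in a local bootstrap script; a non-zero exit means the git that npm would delegate to is missing or older than 2.17.1. The parse failure case returns 1 deliberately: an unrecognised git --version string is more likely an unusual build than a safe one, and the check should fail closed.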

Windows users can read more here: Announcing the May 2018 Git Security Vulnerability