[BUG] Security bug : _where

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

The packages downloaded in the node_modules folder and the "package.json" file of the relevant packages contain details to reveal the full path of the server.

For example, when I downloaded the axios package, the full path to my server was leaked in the "chunk" files created after I included it in my project with webpack and got the build

Google dork: "axios _where"
Google dork: "[ANY-PACKAGENAME] _where"

node_modules/axios/package.json

 "_where": "/home/User/Workdir",
  "author": {
    "name": "Matt Zabriskie"
  },

axios/axios#4090
In this example I went via axios but this applies to all packages. I hope you fix this in the next version of NPM

Expected Behavior

No response

Steps To Reproduce

1. In this environment...
2. With this config...
3. Run '...'
4. See error...

Environment

• OS:
• Node:
• npm:

Any progress on this issue?

[flying-sheep]

Previous issue: npm/npm#12110

In it, @juanjoDiaz mentions a workaround: https://www.npmjs.com/package/removeNPMAbsolutePaths

[flying-sheep]

Hi @lukekarrys why did you close this?

[lukekarrys]

Sorry I forgot to comment. Security issues should be handled through our security disclosure policy: https://github.com/npm/cli/security/policy

[flying-sheep]

This is a well known feature. Apart from this issue, it also causes problems for reproducible builds.

Where do I subscribe to if I want to get notified when npm grows a way to turn this off?

[lukekarrys]

Can you open a new issue with your steps to reproduce? I'm not able to on the latest npm@8.6.0 (but I can on npm@6.14.16).

❯ npm --version
8.6.0

❯ npm i

added 2 packages, and audited 3 packages in 371ms

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

❯ grep -r "lukekarrys"

❯ npm --version
6.14.16

❯ npm i
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN 3828@1.0.0 No description
npm WARN 3828@1.0.0 No repository field.

added 2 packages from 4 contributors and audited 2 packages in 0.45s

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

❯ grep -r "lukekarrys"
./node_modules/follow-redirects/package.json:  "_where": "/Users/lukekarrys/Documents/npm-sandbox/3828/node_modules/axios",
./node_modules/axios/package.json:  "_where": "/Users/lukekarrys/Documents/npm-sandbox/3828",