IA Squad

pnpm

js · pnpm · Heads-up

pnpm: Missing hash verification for GitHub git dependencies

pnpm does not verify the hash of dependencies fetched from codeload.

27 Jun 2026 · schedule it
js · pnpm · Heads-up

pnpm Tarball Extraction Skips Integrity Check When Integrity Field Missing

pnpm's tarball extraction worker does not verify integrity when the `integrity` field is absent from the lockfile resolution.

27 Jun 2026 · schedule it
js · pnpm · Heads-up

pnpm Git Dependency Handling Allows Arbitrary Code Execution via Malicious Lockfile

A security vulnerability in pnpm's git dependency handling: the lockfile-controlled `resolution.

27 Jun 2026 · schedule it
js · pnpm · Heads-up

pnpm leaks unscoped npm auth tokens to attacker-controlled registries via .npmrc

pnpm binds user-level unscoped npm authentication credentials (e.

27 Jun 2026 · schedule it
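The entry above concerns which registry a credential may be sent to. As an added example, not pnpm's code, the block below reads the two relevant `.npmrc` forms and decides which token, if any, applies to a tarball URL. It assumes the standard npm config semantics: a bare `_authToken` is unscoped, while `//host/path/:_authToken` is scoped to that registry URL prefix. The `tokenFor` function, its `allowUnscoped` switch, and the sample config and URLs are constructed for the example; `allowUnscoped: true` models the weak behaviour (the unscoped token goes to any host, including one an attacker controls through a dependency's tarball URL), and `false` the hardened one.

```javascript
'use strict';
// Added example (not pnpm's code): scoped vs unscoped registry tokens in .npmrc.

// Parse only the auth-token lines of an .npmrc. Keys of the form
// "//host[/path]/:_authToken" are scoped; a bare "_authToken" is unscoped.
function parseNpmrc(text) {
  const cfg = { unscopedToken: null, scoped: new Map() };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === '_authToken') cfg.unscopedToken = value;
    const m = key.match(/^(\/\/[^\s]+?)\/?:_authToken$/);
    if (m) cfg.scoped.set(m[1] + '/', value); // normalise to a trailing slash
  }
  return cfg;
}

// Strip the scheme so "https://host/path" becomes "//host/path/" for prefix matching.
function nerfDart(url) {
  const u = new URL(url);
  const p = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/';
  return '//' + u.host + p;
}

// Pick the token for a download URL. Scoped tokens match on the longest URL
// prefix. With allowUnscoped=true the bare token is used as a fallback for any
// host (the leak); with false it is never sent to an unmatched host.
function tokenFor(cfg, url, allowUnscoped) {
  const target = nerfDart(url);
  let best = null;
  for (const [prefix, token] of cfg.scoped) {
    if (target.startsWith(prefix) && (best === null || prefix.length > best.prefix.length)) {
      best = { prefix, token };
    }
  }
  if (best) return best.token;
  return allowUnscoped ? cfg.unscopedToken : null;
}

// Constructed sample configs (fake tokens, not real credentials).
const WEAK_NPMRC = [
  '# user-level config with a legacy unscoped token',
  '_authToken=fake-unscoped-token',
].join('\n');

const SCOPED_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '//registry.npmjs.org/:_authToken=fake-scoped-token',
  '//npm.corp.example/api/npm/:_authToken=fake-corp-token',
].join('\n');

module.exports = { parseNpmrc, nerfDart, tokenFor, WEAK_NPMRC, SCOPED_NPMRC };
```

The fix at the configuration level is simply to never write a bare `_authToken`; the fix at the client level is the `allowUnscoped: false` branch, where a resolver that cannot find a scoped match sends no credential at all.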
js · pnpm · Heads-up

pnpm and pacquet stop expanding env var placeholders in project config files

pnpm and pacquet no longer expand environment variable placeholders from project .

27 Jun 2026 · schedule it
js · pnpm · Heads-up

pnpm: Path traversal via malicious bin names in global installs

Manifest bin object keys such as empty string, ".

27 Jun 2026 · schedule it
js · pnpm · Critical

pnpm: Path traversal via transitive dependency alias allows symlink replacement

pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments, which during install

27 Jun 2026 · act now
js · pnpm · Critical

pnpm patch-package arbitrary file write/delete via path traversal

pnpm's patch application pipeline (`@pnpm/patch-package`) performs no path validation on file paths extracted from `.

27 Jun 2026 · act now
js · pnpm · Critical

pnpm: Build approval now requires exact locator matching for opaque dependencies

Build approval for opaque dependency sources (git, URL, tarball, file, directory) now requires byte-exact matching of the resolved

27 Jun 2026 · act now
js · pnpm · Critical

pnpm configDependencies Remote Code Execution (CVE-2025-27815)

configDependencies feature allowed repositories to declare pacquet or @pnpm/pacquet as config dependencies, which pnpm resolved an

27 Jun 2026 · act now
js · pnpm · Critical

pnpm: malicious lockfile bypass via auto-switching

pnpm's automatic package-manager version switching now re-resolves repository-provided env-lockfile metadata before install and ex

27 Jun 2026 · act now
js · pnpm · Critical

pnpm stage download path traversal vulnerability fixed

Fixed a path traversal vulnerability in `pnpm stage download` where a crafted package manifest could write files outside the inten

27 Jun 2026 · act now
js · pnpm · Critical

pnpm: lockfile alias path traversal and overwrite vulnerability

A crafted lockfile alias could be joined directly under a hoisted node_modules directory, allowing traversal aliases to escape tha

27 Jun 2026 · act now
js · pnpm · Critical

pnpm patch-remove Path Traversal Vulnerability Fixed

pnpm patch-remove now validates that patch entries resolve within the configured patches directory before deletion, rejecting trav

27 Jun 2026 · act now
js · pnpm · Critical

pnpm configDependency path traversal in lockfile allows arbitrary symlink

pnpm accepts configDependency names from the lockfile that contain path traversal sequences (e.

27 Jun 2026 · act now