js · pnpm · Critical
pnpm patch-package arbitrary file write/delete via path traversal
What changed
pnpm's patch application pipeline (`@pnpm/patch-package`) performs no path validation on file paths extracted from `.patch` files, allowing arbitrary file write and delete via path traversal in `diff --git` headers.
Who it affects
Users running `pnpm install` with `patchedDependencies` entries in `pnpm-workspace.yaml` that reference malicious `.patch` files.
What to do today
Review every `.patch` file in your repository for path traversal attempts (file paths in `diff --git` and `---`/`+++` headers that point outside the patched package) and make sure no untrusted patches are applied. Consider pinning pnpm to a version with a fix once one is available.
Source
GitHub Advisory · pnpm