js · pnpm · Critical
pnpm patch-remove Path Traversal Vulnerability Fixed
What changed
pnpm patch-remove now validates that patch entries resolve within the configured patches directory before deletion, rejecting traversal and absolute paths that escape, canonicalizing parent directories, and unlinking final symlinks without following their targets.
Who it affects
All pnpm users who run `pnpm patch-remove` where a crafted patch entry could cause it to delete arbitrary files outside the patches directory.
What to do today
Update pnpm to version 10.34.4 or 11.7.0 immediately to fix the security vulnerability.
Source
GitHub Advisory · pnpm