js · pnpm · Critical
pnpm stage download path traversal vulnerability fixed
Fixed a path traversal vulnerability in `pnpm stage download` where a crafted package manifest could write files outside the intended download directory.
What changed
A crafted package manifest could make `pnpm stage download` write files outside the intended download directory. The fix validates package names and versions, derives a safe filename from them, and verifies the resulting destination path before writing.
Who it affects
Users of pnpm who run the `pnpm stage download` command.
What to do today
Update pnpm to a version that includes fix commit 65443f4bdf1f0db9c8c7dc58fee25252607e9234 or a later one.
Source
GitHub Advisory · pnpm