Moderate severity · OSV Advisory · Published Jan 26, 2026 · Updated Jan 27, 2026

pnpm has Path Traversal via arbitrary file permission modification

CVE-2026-24131

Description

pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's directories.bin field, it uses path.join() without validating that the result stays within the package root. A malicious npm package can specify "directories": {"bin": "../../../../tmp"} to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. The chmod runs with the privileges of the user running pnpm, so it can only affect files that user is allowed to modify. This issue only affects Unix/Linux/macOS. Windows is not affected (fixBin is gated by EXECUTABLE_SHEBANG_SUPPORTED). Version 10.28.2 contains a patch.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
pnpm (npm) | < 10.28.2 | 10.28.2

Affected products

1
  • Range: 0.19.0, @pnpm/headless@0.6.2, @pnpm/utils@0.6.1, …

Patches

1
17432ad5bbed

fix: prevent path traversal in `directories.bin` (#10495)

https://github.com/pnpm/pnpm · Zoltan Kochan · Jan 21, 2026 · via ghsa
6 files changed · +107 89
  • .changeset/fix-directories-bin-path-traversal.md+6 0 added
    @@ -0,0 +1,6 @@
    +---
    +"@pnpm/package-bins": patch
    +"pnpm": patch
    +---
    +
    +Security fix: prevent path traversal in `directories.bin` field.
    
  • pkg-manager/package-bins/package.json+2 1 modified
    @@ -39,7 +39,8 @@
       },
       "devDependencies": {
         "@pnpm/package-bins": "workspace:*",
    -    "@types/node": "catalog:"
    +    "@types/node": "catalog:",
    +    "tempy": "catalog:"
       },
       "engines": {
         "node": ">=18.12"
    
  • pkg-manager/package-bins/src/index.ts+4 0 modified
    @@ -14,6 +14,10 @@ export async function getBinsFromPackageManifest (manifest: DependencyManifest,
       }
       if (manifest.directories?.bin) {
         const binDir = path.join(pkgPath, manifest.directories.bin)
    +    // Validate: directories.bin must be within the package root
    +    if (!isSubdir(pkgPath, binDir)) {
    +      return []
    +    }
         const files = await findFiles(binDir)
         return files.map((file) => ({
           name: path.basename(file),
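Review bot: The new guard compares `pkgPath` with the `path.join()` result, and `isSubdir` is not defined in this hunk; if it compares path strings rather than resolved real paths, a `directories.bin` that stays lexically inside the package but is a symlink to an outside directory would still pass and reach `findFiles(binDir)`. Consider resolving the directory before the comparison (for example `const realBinDir = await fs.promises.realpath(binDir)` checked against the real package root), or documenting the limit with `// Lexical check only: symlinked directories are not resolved here`. The early `return []` is also silent; a warning that names the package would let users see that a manifest was rejected. The body of `getBinsFromPackageManifest` starts and ends outside this hunk.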
    
  • pkg-manager/package-bins/test/index.ts+22 0 modified
    @@ -144,3 +144,25 @@ test('skip scoped bin names with path traversal', async () => {
         },
       ])
     })
    +
    +test('skip directories.bin with path traversal', async () => {
    +  // Security test: malicious packages can try to escape the package root
    +  // using directories.bin to chmod files at arbitrary locations
    +  expect(
    +    await getBinsFromPackageManifest({
    +      name: 'malicious',
    +      version: '1.0.0',
    +      directories: {
    +        bin: '../../../../tmp/target',
    +      },
    +    }, process.cwd())).toStrictEqual([])
    +
    +  expect(
    +    await getBinsFromPackageManifest({
    +      name: 'malicious',
    +      version: '1.0.0',
    +      directories: {
    +        bin: '../../../etc',
    +      },
    +    }, process.cwd())).toStrictEqual([])
    +})
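Review bot: Both assertions in 'skip directories.bin with path traversal' resolve `../../../../tmp/target` and `../../../etc` against `process.cwd()`, so whether those paths exist depends on where the test runner is started. If `findFiles` returns an empty list for a missing directory (its body is not visible here), the expectations would hold even without the `isSubdir` guard, so this test may not distinguish fixed from unfixed code. I would add a comment such as `// Only checks that the manifest is rejected; test/path-traversal.test.ts exercises a directory that really exists`, or pass a fixed fixture directory instead of `process.cwd()`.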
    
  • pkg-manager/package-bins/test/path-traversal.test.ts+32 0 added
    @@ -0,0 +1,32 @@
    +
    +import fs from 'fs'
    +import path from 'path'
    +import { getBinsFromPackageManifest } from '@pnpm/package-bins'
    +import { temporaryDirectory } from 'tempy'
    +
    +test('skip directories.bin with real path traversal', async () => {
    +  // Create a secret file outside the package directory
    +  const tempDir = temporaryDirectory()
    +  const secretDir = path.join(tempDir, 'secret')
    +  fs.mkdirSync(secretDir)
    +  fs.writeFileSync(path.join(secretDir, 'secret.sh'), 'echo secret')
    +
    +  // Create a package directory
    +  const pkgDir = path.join(tempDir, 'pkg')
    +  fs.mkdirSync(pkgDir)
    +
    +  // Calculate relative path from pkgDir to secretDir
    +  const relativePath = path.relative(pkgDir, secretDir)
    +
    +  // Attempt path traversal
    +  const bins = await getBinsFromPackageManifest({
    +    name: 'malicious',
    +    version: '1.0.0',
    +    directories: {
    +      bin: relativePath,
    +    },
    +  }, pkgDir)
    +
    +  // Should be empty because it escaped pkgDir
    +  expect(bins).toStrictEqual([])
    +})
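Review bot: The import `{ temporaryDirectory } from 'tempy'` may not match the version this commit locks: the pnpm-lock.yaml hunk resolves `tempy` to 1.0.1, and as far as I know the named `temporaryDirectory` export was introduced in tempy 3, while 1.x exposes `directory()` on the default export. Please confirm the import resolves under the catalog version, otherwise this regression test cannot run. The test also leaves `tempDir` on disk; wrapping the body in `try { … } finally { fs.rmSync(tempDir, { recursive: true, force: true }) }` keeps repeated runs clean.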
    
  • pnpm-lock.yaml+41 88 modified
    @@ -5616,6 +5616,9 @@ importers:
           '@types/node':
             specifier: 'catalog:'
             version: 18.19.110
    +      tempy:
    +        specifier: 'catalog:'
    +        version: 1.0.1
     
       pkg-manager/package-requester:
         dependencies:
    @@ -9966,10 +9969,6 @@ packages:
         resolution: {integrity: sha512-61tmh+k7hnKK6b2XbF4GvxmiaF3l2a+xQlZyeoOGBs7mXU3Ie8iCAeAnM0+r70KiqTrgWvBCjMeM+W3JarJqaQ==}
         engines: {node: '>=12.17'}
     
    -  '@pnpm/cafs-types@1000.0.0':
    -    resolution: {integrity: sha512-BN7y+f4JHsixxq5uX1HYb791/CRJrIkGnH4EKN/vTgLWG7QyBzplyE8+gh1SfPGrcdefU10G+B1zMOkOiN/iwA==}
    -    engines: {node: '>=18.12'}
    -
       '@pnpm/cafs-types@1000.1.0':
         resolution: {integrity: sha512-uUAnheFdWz+rwgDSr0MO8LH0M27j/ocj+KVXlGmmaAHyMKqIMRnuQZdAciAW7/Cb29WOfmPFm+U/aRtBjysE9g==}
         engines: {node: '>=18.12'}
    @@ -10032,10 +10031,6 @@ packages:
         resolution: {integrity: sha512-xb9dfSGi1qfUKY3r4Zy9JdC9+ZeaDxwfE7HrrGIEsBVY1hvIn6ntbR7A97z3nk44yX7vwbINNf9sizTp0WEtEw==}
         engines: {node: '>=18.12'}
     
    -  '@pnpm/constants@1001.3.0':
    -    resolution: {integrity: sha512-ZFRekNHbDlu//67Byg+mG8zmtmCsfBhNsg1wKBLRtF7VjH+Q5TDGMX0+8aJYSikQDuzM2FOhvQcDwyjILKshJQ==}
    -    engines: {node: '>=18.12'}
    -
       '@pnpm/constants@1001.3.1':
         resolution: {integrity: sha512-2hf0s4pVrVEH8RvdJJ7YRKjQdiG8m0iAT26TTqXnCbK30kKwJW69VLmP5tED5zstmDRXcOeH5eRcrpkdwczQ9g==}
         engines: {node: '>=18.12'}
    @@ -10108,10 +10103,6 @@ packages:
         resolution: {integrity: sha512-2SfE4FFL73rE1WVIoESbqlj4sLy5nWW4M/RVdHvCRJPjlQHa9MH7m7CVJM204lz6I+eHoB+E7rL3zmpJR5wYnQ==}
         engines: {node: '>=18.12'}
     
    -  '@pnpm/error@1000.0.4':
    -    resolution: {integrity: sha512-22mG/Mq4u2r7gr2+XY5j4GlN7J4Mg4WiCfT9flvsUc1uZecShocv6WkyoA20qs14M64f6I+aaWB6b6xsDiITlg==}
    -    engines: {node: '>=18.12'}
    -
       '@pnpm/error@1000.0.5':
         resolution: {integrity: sha512-GjH0TPjbVNrPnl/BAGoFuBLJ2sFfXNKbS33lll/Ehe9yw0fyc8Kdw7kO9if37yQqn6vaa4dAHKkPllum7f/IPQ==}
         engines: {node: '>=18.12'}
    @@ -10154,12 +10145,6 @@ packages:
         resolution: {integrity: sha512-vI3+bu6CrI/42hDUjtsKtSGaHlp8XHdmywtrc3HQYQrihzoaswjQW3dXAfG9x4bZy6vuGwmzXkberI1Z81QYUQ==}
         engines: {node: '>=18.12'}
     
    -  '@pnpm/fs.hard-link-dir@1000.0.1':
    -    resolution: {integrity: sha512-P+nAsqQR5ksBwXSVBpeAJLNP8BvD3pRbeAbMvwZ0stuw+t1krkFkbEHkEtBBvX9vFeO2bxi8JXo3SnD/fD3KfA==}
    -    engines: {node: '>=18.12'}
    -    peerDependencies:
    -      '@pnpm/logger': '>=1001.0.0 <1002.0.0'
    -
       '@pnpm/fs.hard-link-dir@1000.0.5':
         resolution: {integrity: sha512-MtEzlHc2tRvom2/fXFpjpLj3XMN2AzgIm+udEpkxm2VWaRKiY+7br5xBO8NT2h2fADg2chBSgE3W96VaDgLUag==}
         engines: {node: '>=18.12'}
    @@ -10478,12 +10463,6 @@ packages:
         peerDependencies:
           '@pnpm/logger': '>=1001.0.0 <1002.0.0'
     
    -  '@pnpm/symlink-dependency@1000.0.9':
    -    resolution: {integrity: sha512-yI4nFQuI6lBzP/hUJ6L0te1TT+LVwr8LzA4E5acyrjQy/LOoRlIMykVP1nPagS/h4E2lDXo1LlARvSt1Ibe1LA==}
    -    engines: {node: '>=18.12'}
    -    peerDependencies:
    -      '@pnpm/logger': '>=1001.0.0 <1002.0.0'
    -
       '@pnpm/tabtab@0.5.4':
         resolution: {integrity: sha512-bWLDlHsBlgKY/05wDN/V3ETcn5G2SV/SiA2ZmNvKGGlmVX4G5li7GRDhHcgYvHJHyJ8TUStqg2xtHmCs0UbAbg==}
         engines: {node: '>=18'}
    @@ -10523,12 +10502,6 @@ packages:
         engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
         hasBin: true
     
    -  '@pnpm/worker@1000.1.7':
    -    resolution: {integrity: sha512-iOIP1MeJbyf2X3kJ2p3qfqIcUGc0uvfyGPR9dTCQooLNgKSQCCHC+4UhS2Xfrq/SQEhD2bzIHJRTieshm2Qfzw==}
    -    engines: {node: '>=18.12'}
    -    peerDependencies:
    -      '@pnpm/logger': '>=1001.0.0 <1002.0.0'
    -
       '@pnpm/worker@1000.6.2':
         resolution: {integrity: sha512-iJwL66CHRh3d5N4gwuLqkGeCtz4K0t4JxS8BBGVZLUbrHOEM/j0+KGhG3IgQrYcaxoM+YuFfhA86QLEEYsNsXA==}
         engines: {node: '>=18.12'}
    @@ -17159,8 +17132,6 @@ snapshots:
     
       '@pnpm/byline@1.0.0': {}
     
    -  '@pnpm/cafs-types@1000.0.0': {}
    -
       '@pnpm/cafs-types@1000.1.0': {}
     
       '@pnpm/catalogs.config@1000.0.2':
    @@ -17174,19 +17145,19 @@ snapshots:
           '@pnpm/types': 1000.6.0
           load-json-file: 6.2.0
     
    -  '@pnpm/cli-utils@1000.1.5(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
    +  '@pnpm/cli-utils@1000.1.5(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
         dependencies:
           '@pnpm/cli-meta': 1000.0.8
           '@pnpm/config': 1003.1.1(@pnpm/logger@1001.0.0)
    -      '@pnpm/config.deps-installer': 1000.0.5(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))
    +      '@pnpm/config.deps-installer': 1000.0.5(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))
           '@pnpm/default-reporter': 1002.0.1(@pnpm/logger@1001.0.0)
           '@pnpm/error': 1000.0.2
           '@pnpm/logger': 1001.0.0
           '@pnpm/manifest-utils': 1001.0.1(@pnpm/logger@1001.0.0)
           '@pnpm/package-is-installable': 1000.0.10(@pnpm/logger@1001.0.0)
           '@pnpm/pnpmfile': 1001.2.2(@pnpm/logger@1001.0.0)
           '@pnpm/read-project-manifest': 1000.0.11
    -      '@pnpm/store-connection-manager': 1002.0.3(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
    +      '@pnpm/store-connection-manager': 1002.0.3(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
           '@pnpm/types': 1000.6.0
           chalk: 4.1.2
           load-json-file: 6.2.0
    @@ -17218,16 +17189,16 @@ snapshots:
           - supports-color
           - typanion
     
    -  '@pnpm/client@1000.0.19(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
    +  '@pnpm/client@1000.0.19(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
         dependencies:
           '@pnpm/default-resolver': 1002.0.2(@pnpm/logger@1001.0.0)
           '@pnpm/directory-fetcher': 1000.1.7(@pnpm/logger@1001.0.0)
           '@pnpm/fetch': 1000.2.2(@pnpm/logger@1001.0.0)
           '@pnpm/fetching-types': 1000.1.0
    -      '@pnpm/git-fetcher': 1001.0.8(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
    +      '@pnpm/git-fetcher': 1001.0.8(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
           '@pnpm/network.auth-header': 1000.0.3
           '@pnpm/resolver-base': 1003.0.1
    -      '@pnpm/tarball-fetcher': 1001.0.8(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
    +      '@pnpm/tarball-fetcher': 1001.0.8(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
           '@pnpm/types': 1000.6.0
           ramda: '@pnpm/ramda@0.28.1'
         transitivePeerDependencies:
    @@ -17267,7 +17238,7 @@ snapshots:
           '@pnpm/workspace.manifest-writer': 1000.1.4
           ramda: '@pnpm/ramda@0.28.1'
     
    -  '@pnpm/config.deps-installer@1000.0.5(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))':
    +  '@pnpm/config.deps-installer@1000.0.5(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))':
         dependencies:
           '@pnpm/config.config-writer': 1000.0.5
           '@pnpm/core-loggers': 1001.0.1(@pnpm/logger@1001.0.0)
    @@ -17276,7 +17247,7 @@ snapshots:
           '@pnpm/logger': 1001.0.0
           '@pnpm/network.auth-header': 1000.0.3
           '@pnpm/npm-resolver': 1004.0.1(@pnpm/logger@1001.0.0)
    -      '@pnpm/package-store': 1002.0.4(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))
    +      '@pnpm/package-store': 1002.0.4(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))
           '@pnpm/parse-wanted-dependency': 1001.0.0
           '@pnpm/pick-registry-for-package': 1000.0.8
           '@pnpm/read-modules-dir': 1000.0.0
    @@ -17349,8 +17320,6 @@ snapshots:
     
       '@pnpm/constants@1001.1.0': {}
     
    -  '@pnpm/constants@1001.3.0': {}
    -
       '@pnpm/constants@1001.3.1': {}
     
       '@pnpm/core-loggers@1001.0.1(@pnpm/logger@1001.0.0)':
    @@ -17468,10 +17437,6 @@ snapshots:
         dependencies:
           '@pnpm/constants': 1001.1.0
     
    -  '@pnpm/error@1000.0.4':
    -    dependencies:
    -      '@pnpm/constants': 1001.3.0
    -
       '@pnpm/error@1000.0.5':
         dependencies:
           '@pnpm/constants': 1001.3.1
    @@ -17535,10 +17500,6 @@ snapshots:
           p-filter: 2.1.0
           tinyglobby: 0.2.15
     
    -  '@pnpm/fs.hard-link-dir@1000.0.1(@pnpm/logger@1001.0.0)':
    -    dependencies:
    -      '@pnpm/logger': 1001.0.0
    -
       '@pnpm/fs.hard-link-dir@1000.0.5(@pnpm/logger@1001.0.0)':
         dependencies:
           '@pnpm/graceful-fs': 1000.0.1
    @@ -17584,13 +17545,13 @@ snapshots:
         dependencies:
           npm-packlist: 5.1.3
     
    -  '@pnpm/git-fetcher@1001.0.8(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
    +  '@pnpm/git-fetcher@1001.0.8(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
         dependencies:
           '@pnpm/fetcher-base': 1000.0.11
           '@pnpm/fs.packlist': 2.0.0
           '@pnpm/logger': 1001.0.0
           '@pnpm/prepare-package': 1000.0.16(@pnpm/logger@1001.0.0)(typanion@3.14.0)
    -      '@pnpm/worker': 1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
    +      '@pnpm/worker': 1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
           '@zkochan/rimraf': 3.0.2
           execa: safe-execa@0.1.2
         transitivePeerDependencies:
    @@ -17724,8 +17685,8 @@ snapshots:
           '@pnpm/find-workspace-dir': 1000.1.0
           '@pnpm/logger': 1001.0.0
           '@pnpm/types': 1000.6.0
    -      '@pnpm/worker': 1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
    -      '@pnpm/workspace.find-packages': 1000.0.25(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
    +      '@pnpm/worker': 1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
    +      '@pnpm/workspace.find-packages': 1000.0.25(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
           '@pnpm/workspace.read-manifest': 1000.1.5
           load-json-file: 7.0.1
           meow: 11.0.0
    @@ -17761,7 +17722,7 @@ snapshots:
     
       '@pnpm/network.proxy-agent@2.0.3':
         dependencies:
    -      '@pnpm/error': 1000.0.4
    +      '@pnpm/error': 1000.0.5
           http-proxy-agent: 7.0.2
           https-proxy-agent: 7.0.6
           lru-cache: 7.18.3
    @@ -17795,7 +17756,7 @@ snapshots:
       '@pnpm/npm-lifecycle@1000.0.4(typanion@3.14.0)':
         dependencies:
           '@pnpm/byline': 1.0.0
    -      '@pnpm/error': 1000.0.4
    +      '@pnpm/error': 1000.0.5
           '@yarnpkg/fslib': 3.1.2
           '@yarnpkg/shell': 4.0.0(typanion@3.14.0)
           node-gyp: 11.4.2
    @@ -17811,7 +17772,7 @@ snapshots:
       '@pnpm/npm-lifecycle@1001.0.0(typanion@3.14.0)':
         dependencies:
           '@pnpm/byline': 1.0.0
    -      '@pnpm/error': 1000.0.4
    +      '@pnpm/error': 1000.0.5
           '@yarnpkg/fslib': 3.1.2
           '@yarnpkg/shell': 4.0.0(typanion@3.14.0)
           node-gyp: 11.4.2
    @@ -17870,11 +17831,11 @@ snapshots:
     
       '@pnpm/os.env.path-extender-posix@2.1.0':
         dependencies:
    -      '@pnpm/error': 1000.0.4
    +      '@pnpm/error': 1000.0.5
     
       '@pnpm/os.env.path-extender-windows@2.0.3':
         dependencies:
    -      '@pnpm/error': 1000.0.4
    +      '@pnpm/error': 1000.0.5
           safe-execa: 0.1.4
           string.prototype.matchall: 4.0.12
     
    @@ -17902,7 +17863,7 @@ snapshots:
           mem: 8.1.1
           semver: 7.7.2
     
    -  '@pnpm/package-requester@1004.0.2(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))':
    +  '@pnpm/package-requester@1004.0.2(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))':
         dependencies:
           '@pnpm/core-loggers': 1001.0.1(@pnpm/logger@1001.0.0)
           '@pnpm/dependency-path': 1000.0.9
    @@ -17917,7 +17878,7 @@ snapshots:
           '@pnpm/store-controller-types': 1003.0.2
           '@pnpm/store.cafs': 1000.0.13
           '@pnpm/types': 1000.6.0
    -      '@pnpm/worker': 1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
    +      '@pnpm/worker': 1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
           p-defer: 3.0.0
           p-limit: 3.1.0
           p-queue: 6.6.2
    @@ -17950,17 +17911,17 @@ snapshots:
           semver: 7.7.2
           ssri: 10.0.5
     
    -  '@pnpm/package-store@1002.0.4(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))':
    +  '@pnpm/package-store@1002.0.4(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))':
         dependencies:
           '@pnpm/create-cafs-store': 1000.0.14(@pnpm/logger@1001.0.0)
           '@pnpm/fetcher-base': 1000.0.11
           '@pnpm/logger': 1001.0.0
    -      '@pnpm/package-requester': 1004.0.2(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))
    +      '@pnpm/package-requester': 1004.0.2(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))
           '@pnpm/resolver-base': 1003.0.1
           '@pnpm/store-controller-types': 1003.0.2
           '@pnpm/store.cafs': 1000.0.13
           '@pnpm/types': 1000.6.0
    -      '@pnpm/worker': 1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
    +      '@pnpm/worker': 1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
           '@zkochan/rimraf': 3.0.2
           load-json-file: 6.2.0
           ramda: '@pnpm/ramda@0.28.1'
    @@ -18123,14 +18084,14 @@ snapshots:
         dependencies:
           grapheme-splitter: 1.0.4
     
    -  '@pnpm/store-connection-manager@1002.0.3(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
    +  '@pnpm/store-connection-manager@1002.0.3(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
         dependencies:
           '@pnpm/cli-meta': 1000.0.8
    -      '@pnpm/client': 1000.0.19(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
    +      '@pnpm/client': 1000.0.19(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
           '@pnpm/config': 1003.1.1(@pnpm/logger@1001.0.0)
           '@pnpm/error': 1000.0.2
           '@pnpm/logger': 1001.0.0
    -      '@pnpm/package-store': 1002.0.4(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))
    +      '@pnpm/package-store': 1002.0.4(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))
           '@pnpm/server': 1001.0.4(@pnpm/logger@1001.0.0)
           '@pnpm/store-path': 1000.0.2
           '@zkochan/diable': 1.0.2
    @@ -18215,13 +18176,6 @@ snapshots:
           '@pnpm/types': 1001.3.0
           symlink-dir: 6.0.5
     
    -  '@pnpm/symlink-dependency@1000.0.9(@pnpm/logger@1001.0.0)':
    -    dependencies:
    -      '@pnpm/core-loggers': 1001.0.1(@pnpm/logger@1001.0.0)
    -      '@pnpm/logger': 1001.0.0
    -      '@pnpm/types': 1000.6.0
    -      symlink-dir: 6.0.5
    -
       '@pnpm/tabtab@0.5.4':
         dependencies:
           debug: 4.4.3
    @@ -18231,7 +18185,7 @@ snapshots:
         transitivePeerDependencies:
           - supports-color
     
    -  '@pnpm/tarball-fetcher@1001.0.8(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
    +  '@pnpm/tarball-fetcher@1001.0.8(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
         dependencies:
           '@pnpm/core-loggers': 1001.0.1(@pnpm/logger@1001.0.0)
           '@pnpm/error': 1000.0.2
    @@ -18241,7 +18195,7 @@ snapshots:
           '@pnpm/graceful-fs': 1000.0.0
           '@pnpm/logger': 1001.0.0
           '@pnpm/prepare-package': 1000.0.16(@pnpm/logger@1001.0.0)(typanion@3.14.0)
    -      '@pnpm/worker': 1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
    +      '@pnpm/worker': 1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110)
           '@zkochan/retry': 0.2.0
           lodash.throttle: 4.1.1
           p-map-values: 1.0.0
    @@ -18298,23 +18252,22 @@ snapshots:
         dependencies:
           isexe: 2.0.0
     
    -  '@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110)':
    +  '@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110)':
         dependencies:
    -      '@pnpm/cafs-types': 1000.0.0
    -      '@pnpm/create-cafs-store': 1000.0.14(@pnpm/logger@1001.0.0)
    +      '@pnpm/cafs-types': 1000.1.0
    +      '@pnpm/create-cafs-store': 1000.0.29(@pnpm/logger@1001.0.0)
           '@pnpm/crypto.polyfill': 1000.1.0
    -      '@pnpm/error': 1000.0.2
    -      '@pnpm/exec.pkg-requires-build': 1000.0.8
    -      '@pnpm/fs.hard-link-dir': 1000.0.1(@pnpm/logger@1001.0.0)
    -      '@pnpm/graceful-fs': 1000.0.0
    +      '@pnpm/error': 1000.0.5
    +      '@pnpm/exec.pkg-requires-build': 1000.0.16
    +      '@pnpm/fs.hard-link-dir': 1000.0.5(@pnpm/logger@1001.0.0)
    +      '@pnpm/graceful-fs': 1000.0.1
           '@pnpm/logger': 1001.0.0
    -      '@pnpm/store.cafs': 1000.0.13
    -      '@pnpm/symlink-dependency': 1000.0.9(@pnpm/logger@1001.0.0)
    +      '@pnpm/store.cafs': 1000.1.2
    +      '@pnpm/symlink-dependency': 1000.0.17(@pnpm/logger@1001.0.0)
           '@rushstack/worker-pool': 0.4.9(@types/node@18.19.110)
           is-windows: 1.0.2
           load-json-file: 6.2.0
           p-limit: 3.1.0
    -      shell-quote: 1.8.3
         transitivePeerDependencies:
           - '@types/node'
     
    @@ -18337,9 +18290,9 @@ snapshots:
         transitivePeerDependencies:
           - '@types/node'
     
    -  '@pnpm/workspace.find-packages@1000.0.25(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
    +  '@pnpm/workspace.find-packages@1000.0.25(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)':
         dependencies:
    -      '@pnpm/cli-utils': 1000.1.5(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.1.7(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
    +      '@pnpm/cli-utils': 1000.1.5(@pnpm/logger@1001.0.0)(@pnpm/worker@1000.6.2(@pnpm/logger@1001.0.0)(@types/node@18.19.110))(typanion@3.14.0)
           '@pnpm/constants': 1001.1.0
           '@pnpm/fs.find-packages': 1000.0.11
           '@pnpm/logger': 1001.0.0
    
