fix: bump preferred-pm to v5 to resolve js-yaml prototype pollution (#756)

ParakhJaggi · web-flow · commit 34577da2b6d0 · 2026-03-23T19:27:54.000+01:00
diff --git a/packages/@sanity/cli/package.json b/packages/@sanity/cli/package.json
@@ -118,7 +118,7 @@
     "peek-stream": "^1.1.3",
     "picomatch": "^4.0.3",
     "pluralize-esm": "^9.0.5",
-    "preferred-pm": "^4.1.1",
+    "preferred-pm": "^5.0.0",
     "pretty-ms": "^9.3.0",
     "promise-props-recursive": "^2.0.2",
     "react": "^19.2.4",
diff --git a/packages/@sanity/cli/src/util/packageManager/packageManagerChoice.ts b/packages/@sanity/cli/src/util/packageManager/packageManagerChoice.ts
@@ -3,8 +3,7 @@ import path from 'node:path'
 import {isInteractive} from '@sanity/cli-core'
 import {getRunningPackageManager} from '@sanity/cli-core/package-manager'
 import {select} from '@sanity/cli-core/ux'
-// eslint-disable-next-line unicorn/no-named-default
-import {default as preferredPM} from 'preferred-pm'
+import {preferredPM} from 'preferred-pm'
 import which from 'which'
 
 export type PackageManager = 'bun' | 'manual' | 'npm' | 'pnpm' | 'yarn'
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
