@pnpm/package-store@1007.0.0 vulnerabilities

A storage for packages

  • latest version: 1007.1.4

  • latest non vulnerable version

  • first published: 7 years ago

  • latest version published: 11 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @pnpm/package-store package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Resources Downloaded over Insecure Protocol (severity: High)

    @pnpm/package-store is a storage for packages.

    Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol due to the absence of integrity hashes in the lockfile for HTTP or git-hosted tarball dependencies. An attacker can execute arbitrary code by serving different content from a remote server each time a dependency is installed, even when a lockfile is committed. This enables targeted or time-based attacks and can evade security audits by delivering benign code during review and malicious code at other times.

    Note: This is only exploitable if a package with an HTTP or git tarball dependency is installed as part of the dependency tree.
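    The advisory's point is that a committed lockfile only pins a tarball or git dependency if an integrity hash is recorded alongside its URL. The following script, an added example written for this page and not code from Snyk or the pnpm project, scans the `packages:` section of a pnpm-lock.yaml and lists every entry that is fetched from an HTTP tarball URL or a git host without an `integrity` field. The sample lockfile text, the package names, the `example.invalid` URLs and the placeholder hashes are all constructed; the assumed layout (a `resolution:` flow mapping per entry, with `integrity` for registry packages, `tarball` for HTTP tarballs and `repo`/`commit`/`type: git` for git sources) follows the pnpm lockfile convention as understood here and should be checked against your own lockfile before relying on the output.

```python
import re

# Constructed sample pnpm-lock.yaml excerpt (not taken from the advisory).
# Assumed layout: every entry under `packages:` carries a `resolution:` flow
# mapping; registry packages record `integrity`, HTTP tarball entries record
# `tarball`, git entries record `repo`/`commit`/`type: git`. Hashes are placeholders.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

packages:

  left-pad@1.3.0:
    resolution: {integrity: sha512-PLACEHOLDERHASHAAAA}

  'my-tarball-dep@https://example.invalid/my-tarball-dep-1.0.0.tgz':
    resolution: {tarball: https://example.invalid/my-tarball-dep-1.0.0.tgz}

  'pinned-tarball@https://example.invalid/pinned-1.0.0.tgz':
    resolution: {integrity: sha512-PLACEHOLDERHASHBBBB, tarball: https://example.invalid/pinned-1.0.0.tgz}

  'git-dep@git+https://example.invalid/org/repo.git#0123abcd':
    resolution: {commit: 0123abcd0123abcd0123abcd0123abcd0123abcd, repo: https://example.invalid/org/repo.git, type: git}
"""

# Matches the single-line flow-mapping form `resolution: {k: v, k: v}`.
RESOLUTION_RE = re.compile(r"^resolution:\s*\{(.*)\}\s*$")


def parse_resolutions(lockfile_text):
    """Map each package key under `packages:` to its resolution fields.

    Only the flat `key: value` flow-mapping form is handled; that is enough
    for the fields this check looks at (integrity, tarball, repo, commit, type).
    """
    resolutions = {}
    in_packages = False
    current = None
    for raw in lockfile_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            # Top-level section header; only the `packages:` section matters here.
            in_packages = line == "packages:"
            current = None
            continue
        if not in_packages:
            continue
        if indent == 2 and line.endswith(":"):
            # Package key, possibly quoted because it contains a URL.
            current = line[:-1].strip("'\"")
            resolutions[current] = {}
        elif indent == 4 and current is not None:
            match = RESOLUTION_RE.match(line)
            if match:
                for pair in match.group(1).split(","):
                    # partition on the first colon so URL values keep their `://`
                    key, _, value = pair.partition(":")
                    resolutions[current][key.strip()] = value.strip()
    return resolutions


def is_remote_fetch(resolution):
    """True for entries fetched from an HTTP tarball URL or a git host."""
    return "tarball" in resolution or resolution.get("type") == "git"


def find_unpinned_remote(resolutions):
    """Return package keys fetched remotely with no integrity hash recorded.

    A git entry's commit id pins a revision, but without `integrity` the
    lockfile holds no content hash over the tarball actually downloaded,
    which is the gap the advisory describes.
    """
    return [
        key for key, res in resolutions.items()
        if is_remote_fetch(res) and "integrity" not in res
    ]


def audit_lockfile(lockfile_text):
    """Return (flagged_keys, total_entries) for a lockfile's text."""
    resolutions = parse_resolutions(lockfile_text)
    return find_unpinned_remote(resolutions), len(resolutions)


if __name__ == "__main__":
    flagged, total = audit_lockfile(SAMPLE_LOCKFILE)
    print(f"{total} package entries, {len(flagged)} remote fetch(es) without integrity:")
    for key in flagged:
        print("  ", key)
```

    Run against a real lockfile by reading the file into `audit_lockfile`; every key it prints is a dependency whose content is not pinned by the lockfile, so a CI gate that fails on a non-empty result catches the condition the advisory's note describes before an install on an unpatched version can be affected.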

    How to fix Resources Downloaded over Insecure Protocol?

    Upgrade @pnpm/package-store to version 1007.1.0 or higher.

    Vulnerable versions: <1007.1.0