pnpm 0.40.0

Direct Vulnerabilities

Known vulnerabilities in the pnpm package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Insufficiently Protected Credentials pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the config and auth-header flow, which binds unscoped user-level npm `_authToken` credentials to whatever default registry a repository-local `.npmrc` selects. An attacker can capture a developer's or CI job's user-level npm token by publishing a repository whose `.npmrc` sets `registry=` to an attacker-controlled endpoint, to which pnpm then sends the unscoped default credentials during `pnpm install`, `pnpm view`, or similar metadata commands. The target must have unscoped user-level credentials in their global npm configuration, the disclosure is limited to those default tokens while URL-scoped tokens for other registries are not exposed, and the leak occurs before any lifecycle scripts run so it does not require package code execution. How to fix Insufficiently Protected Credentials? Upgrade `pnpm` to version 10.34.0, 11.4.0 or higher.	<10.34.0>=11.0.0 <11.4.0
H Insufficient Verification of Data Authenticity pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the default behavior of `pnpm install`, which accepts tarball content that does not match the integrity value recorded in the lockfile. An attacker who controls the registry can replace the content of a previously locked package version and have it installed in place of the locked version, because on a mismatch the install reports the discrepancy, then performs automatic resolution repair, accepts the registry's new integrity, and updates the lockfile. Exploitation applies only to non-frozen installs, meaning a plain `pnpm install` without `--frozen-lockfile`, and requires the attacker to control or compromise the registry so it serves different content for an already-published version. How to fix Insufficient Verification of Data Authenticity? Upgrade `pnpm` to version 10.34.0, 11.4.0 or higher.	<10.34.0>=11.0.0 <11.4.0
H Relative Path Traversal pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Relative Path Traversal in dependency alias handling, which passes alias names from package metadata into dependency linking as path components and normalizes them with `path.join()` without validation. An attacker can create symlinks at locations outside `node_modules`, such as `.git/hooks`, `.husky`, or `.github/actions`, and have their code execute on a later `git commit`, `pnpm test`, or `pnpm publish`, by publishing a dependency whose alias contains traversal segments like `@x/../../../../../.git/hooks`. Exploitation requires the victim to run `pnpm install` on a project that pulls in the malicious dependency, directly or transitively, and it proceeds even with `pnpm install --ignore-scripts`, so that flag is not a mitigation. How to fix Relative Path Traversal? Upgrade `pnpm` to version 10.34.0, 11.4.0 or higher.	<10.34.0>=11.0.0 <11.4.0
M Missing Support for Integrity Check pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Missing Support for Integrity Check involving GitHub git dependencies, because the tarball hash for packages resolved from `codeload.github.com` is not recorded in the lockfile. An attacker who controls or intercepts that server can cause arbitrary tarball content to be installed in place of a GitHub git dependency, since pnpm installs whatever is delivered without validating it against a stored hash. Exploitation affects only projects that resolve dependencies as GitHub git dependencies, and it requires the attacker to compromise `codeload.github.com` or intercept its TLS-protected connection, the recorded git commit reference alone being insufficient to detect the substitution. How to fix Missing Support for Integrity Check? Upgrade `pnpm` to version 10.33.4, 11.0.7 or higher.	<10.33.4>=11.0.0 <11.0.7
H Arbitrary Argument Injection pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Arbitrary Argument Injection in the git fetcher at `fetching/git-fetcher/src/index.ts`, which passes the lockfile's `resolution.commit` value into `git fetch` and `git checkout` without a `--` separator or format validation. An attacker can execute arbitrary commands as the user running the install by supplying a `pnpm-lock.yaml` whose `resolution.commit` is a git option such as `--upload-pack=<command>` instead of a 40-character hash. Exploitation requires the victim to install a project carrying the malicious lockfile and the git dependency to resolve over the SSH or local transport, as the HTTPS transport is not affected by `--upload-pack` injection. How to fix Arbitrary Argument Injection? Upgrade `pnpm` to version 10.34.0, 11.4.0 or higher.	<10.34.0>=11.0.0 <11.4.0
H Improper Validation of Integrity Check Value pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value in the tarball extraction process when the `integrity` field is missing from the lockfile resolution. An attacker can introduce unauthorized package content by modifying the lockfile to remove the `integrity` field and serving altered packages from a registry URL. How to fix Improper Validation of Integrity Check Value? Upgrade `pnpm` to version 10.34.1, 11.4.0 or higher.	<10.34.1>=11.0.0 <11.4.0
H External Control of File Name or Path pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to External Control of File Name or Path through the handling of reserved or malformed `bin` names during global package operations. An attacker can cause deletion of critical directories outside the intended global bin directory by publishing a malicious package with specially crafted manifest `bin` keys and then triggering global remove, update, or add-replacement flows. How to fix External Control of File Name or Path? Upgrade `pnpm` to version 10.34.2, 11.5.3 or higher.	<10.34.2>=11.0.0-alpha.0 <11.5.3
H Unsafe Dependency Resolution pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the approval process for dependency sources. An attacker can execute unauthorized code during the build lifecycle by crafting a dependency source locator that collides with an approved source after normalization, thereby bypassing intended build policy restrictions. How to fix Unsafe Dependency Resolution? Upgrade `pnpm` to version 10.34.2, 11.5.3 or higher.	<10.34.2>=11.0.0-alpha.0 <11.5.3
H External Control of File Name or Path pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to External Control of File Name or Path through the `patch-remove` process. An attacker can cause deletion of arbitrary files outside the intended directory by crafting a patch entry that resolves outside the configured patches directory. How to fix External Control of File Name or Path? Upgrade `pnpm` to version 10.34.4, 11.7.0 or higher.	<10.34.4>=11.0.0-alpha.0 <11.7.0
H Directory Traversal pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Directory Traversal via the patch application process. An attacker can overwrite or delete arbitrary files on the filesystem by submitting a malicious `.patch` file containing crafted file paths with directory traversal sequences, which are then processed during installation. How to fix Directory Traversal? Upgrade `pnpm` to version 10.34.0, 11.4.0 or higher.	<10.34.0>=11.0.0 <11.4.0
H External Control of File Name or Path pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended `node_modules` directory by crafting a malicious lockfile alias that escapes the installation root. How to fix External Control of File Name or Path? Upgrade `pnpm` to version 10.34.4, 11.7.0 or higher.	<10.34.4>=11.0.0 <11.7.0
H Directory Traversal pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Directory Traversal via the `configDependencies` process. An attacker can create symlinks outside the intended directory by supplying crafted package names with traversal components in the lockfile. How to fix Directory Traversal? Upgrade `pnpm` to version 10.34.4, 11.8.0 or higher.	<10.34.4>=11.0.0 <11.8.0
M Use of Weak Hash pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Use of Weak Hash for path shortening. An attacker can cause collisions in file paths, leading to the overwriting of indirect package dependencies by manipulating package names and versions to generate the same hash value. Note: This is only exploitable if the package names and versions are specifically crafted to exceed 120 characters and share the same hash output. How to fix Use of Weak Hash? Upgrade `pnpm` to version 10.0.0-alpha.0 or higher.	<10.0.0-alpha.0
M Untrusted Search Path pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Untrusted Search Path due to mishandling of overrides and global cache settings even when `ignore-scripts=true`. How to fix Untrusted Search Path? Upgrade `pnpm` to version 9.14.4 or higher.	<9.14.4
H Access Control Bypass pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Access Control Bypass. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. How to fix Access Control Bypass? Upgrade `pnpm` to version 7.33.4, 8.6.8 or higher.	<7.33.4>=8.0.0 <8.6.8
M Improper Input Validation pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Improper Input Validation via an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. How to fix Improper Input Validation? Upgrade `pnpm` to version 6.15.1 or higher.	<6.15.1

Vulnerability

Vulnerable Version

Insufficiently Protected Credentials

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the config and auth-header flow, which binds unscoped user-level npm _authToken credentials to whatever default registry a repository-local .npmrc selects. An attacker can capture a developer's or CI job's user-level npm token by publishing a repository whose .npmrc sets registry= to an attacker-controlled endpoint, to which pnpm then sends the unscoped default credentials during pnpm install, pnpm view, or similar metadata commands. The target must have unscoped user-level credentials in their global npm configuration, the disclosure is limited to those default tokens while URL-scoped tokens for other registries are not exposed, and the leak occurs before any lifecycle scripts run so it does not require package code execution.

How to fix Insufficiently Protected Credentials?

Upgrade pnpm to version 10.34.0, 11.4.0 or higher.

<10.34.0>=11.0.0 <11.4.0

Insufficient Verification of Data Authenticity

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the default behavior of pnpm install, which accepts tarball content that does not match the integrity value recorded in the lockfile. An attacker who controls the registry can replace the content of a previously locked package version and have it installed in place of the locked version, because on a mismatch the install reports the discrepancy, then performs automatic resolution repair, accepts the registry's new integrity, and updates the lockfile. Exploitation applies only to non-frozen installs, meaning a plain pnpm install without --frozen-lockfile, and requires the attacker to control or compromise the registry so it serves different content for an already-published version.

How to fix Insufficient Verification of Data Authenticity?

Upgrade pnpm to version 10.34.0, 11.4.0 or higher.

<10.34.0>=11.0.0 <11.4.0

Relative Path Traversal

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Relative Path Traversal in dependency alias handling, which passes alias names from package metadata into dependency linking as path components and normalizes them with path.join() without validation. An attacker can create symlinks at locations outside node_modules, such as .git/hooks, .husky, or .github/actions, and have their code execute on a later git commit, pnpm test, or pnpm publish, by publishing a dependency whose alias contains traversal segments like @x/../../../../../.git/hooks. Exploitation requires the victim to run pnpm install on a project that pulls in the malicious dependency, directly or transitively, and it proceeds even with pnpm install --ignore-scripts, so that flag is not a mitigation.

How to fix Relative Path Traversal?

Upgrade pnpm to version 10.34.0, 11.4.0 or higher.

<10.34.0>=11.0.0 <11.4.0

Missing Support for Integrity Check

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Missing Support for Integrity Check involving GitHub git dependencies, because the tarball hash for packages resolved from codeload.github.com is not recorded in the lockfile. An attacker who controls or intercepts that server can cause arbitrary tarball content to be installed in place of a GitHub git dependency, since pnpm installs whatever is delivered without validating it against a stored hash. Exploitation affects only projects that resolve dependencies as GitHub git dependencies, and it requires the attacker to compromise codeload.github.com or intercept its TLS-protected connection, the recorded git commit reference alone being insufficient to detect the substitution.

How to fix Missing Support for Integrity Check?

Upgrade pnpm to version 10.33.4, 11.0.7 or higher.

<10.33.4>=11.0.0 <11.0.7

Arbitrary Argument Injection

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Arbitrary Argument Injection in the git fetcher at fetching/git-fetcher/src/index.ts, which passes the lockfile's resolution.commit value into git fetch and git checkout without a -- separator or format validation. An attacker can execute arbitrary commands as the user running the install by supplying a pnpm-lock.yaml whose resolution.commit is a git option such as --upload-pack=<command> instead of a 40-character hash. Exploitation requires the victim to install a project carrying the malicious lockfile and the git dependency to resolve over the SSH or local transport, as the HTTPS transport is not affected by --upload-pack injection.

How to fix Arbitrary Argument Injection?

Upgrade pnpm to version 10.34.0, 11.4.0 or higher.

<10.34.0>=11.0.0 <11.4.0

Improper Validation of Integrity Check Value

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value in the tarball extraction process when the integrity field is missing from the lockfile resolution. An attacker can introduce unauthorized package content by modifying the lockfile to remove the integrity field and serving altered packages from a registry URL.

How to fix Improper Validation of Integrity Check Value?

Upgrade pnpm to version 10.34.1, 11.4.0 or higher.

<10.34.1>=11.0.0 <11.4.0

External Control of File Name or Path

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to External Control of File Name or Path through the handling of reserved or malformed bin names during global package operations. An attacker can cause deletion of critical directories outside the intended global bin directory by publishing a malicious package with specially crafted manifest bin keys and then triggering global remove, update, or add-replacement flows.

How to fix External Control of File Name or Path?

Upgrade pnpm to version 10.34.2, 11.5.3 or higher.

<10.34.2>=11.0.0-alpha.0 <11.5.3

Unsafe Dependency Resolution

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the approval process for dependency sources. An attacker can execute unauthorized code during the build lifecycle by crafting a dependency source locator that collides with an approved source after normalization, thereby bypassing intended build policy restrictions.

How to fix Unsafe Dependency Resolution?

Upgrade pnpm to version 10.34.2, 11.5.3 or higher.

<10.34.2>=11.0.0-alpha.0 <11.5.3

External Control of File Name or Path

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to External Control of File Name or Path through the patch-remove process. An attacker can cause deletion of arbitrary files outside the intended directory by crafting a patch entry that resolves outside the configured patches directory.

How to fix External Control of File Name or Path?

Upgrade pnpm to version 10.34.4, 11.7.0 or higher.

<10.34.4>=11.0.0-alpha.0 <11.7.0

Directory Traversal

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Directory Traversal via the patch application process. An attacker can overwrite or delete arbitrary files on the filesystem by submitting a malicious .patch file containing crafted file paths with directory traversal sequences, which are then processed during installation.

How to fix Directory Traversal?

Upgrade pnpm to version 10.34.0, 11.4.0 or higher.

<10.34.0>=11.0.0 <11.4.0

External Control of File Name or Path

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules directory by crafting a malicious lockfile alias that escapes the installation root.

How to fix External Control of File Name or Path?

Upgrade pnpm to version 10.34.4, 11.7.0 or higher.

<10.34.4>=11.0.0 <11.7.0

Directory Traversal

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names with traversal components in the lockfile.

How to fix Directory Traversal?

Upgrade pnpm to version 10.34.4, 11.8.0 or higher.

<10.34.4>=11.0.0 <11.8.0

Use of Weak Hash

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Use of Weak Hash for path shortening. An attacker can cause collisions in file paths, leading to the overwriting of indirect package dependencies by manipulating package names and versions to generate the same hash value.

Note:

This is only exploitable if the package names and versions are specifically crafted to exceed 120 characters and share the same hash output.

How to fix Use of Weak Hash?

Upgrade pnpm to version 10.0.0-alpha.0 or higher.

<10.0.0-alpha.0

Untrusted Search Path

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Untrusted Search Path due to mishandling of overrides and global cache settings even when ignore-scripts=true.

How to fix Untrusted Search Path?

Upgrade pnpm to version 9.14.4 or higher.

<9.14.4

Access Control Bypass

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Access Control Bypass. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm.

How to fix Access Control Bypass?

Upgrade pnpm to version 7.33.4, 8.6.8 or higher.

<7.33.4>=8.0.0 <8.6.8

Improper Input Validation

pnpm is a Fast, disk space efficient package manager

Affected versions of this package are vulnerable to Improper Input Validation via an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content.

How to fix Improper Input Validation?

Upgrade pnpm to version 6.15.1 or higher.

<6.15.1

pnpm@0.40.0

Fast, disk space efficient package manager

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically