Unsafe Dependency Resolution Affecting @earendil-works/pi-coding-agent package, versions <0.79.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.12% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-EARENDILWORKSPICODINGAGENT-17817914
  • published5 Jul 2026
  • disclosed17 Jun 2026
  • creditUnknown

Introduced: 17 Jun 2026

NewCVE-2026-54325  (opens in a new tab)
CWE-829  (opens in a new tab)

How to fix?

Upgrade @earendil-works/pi-coding-agent to version 0.79.0 or higher.

Overview

@earendil-works/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management

Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the project resource loading process. An attacker can execute arbitrary code with the same privileges as the user by placing malicious project-local extensions in a repository and convincing a user to start the application from that repository. This is only exploitable if the user opens or works in an attacker-controlled repository and initiates the application there.

Workaround

This vulnerability can be mitigated by running the application only in trusted repositories or within an external sandbox or isolation boundary when working with untrusted code. Additionally, users can inspect and remove project-local configuration and resources before use, disable extensions and project resources with command-line flags, or enforce trusted or isolated execution as a primary mitigation.

CVSS Base Scores

version 4.0
version 3.1