CVE-2026-50021

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...

CVE-2026-50021

pnpm prior to versions 10.34.0 and 11.4.0 is vulnerable to an integrity check bypass when the lockfile lacks an integrity field. If an attacker can modify pnpm-lock.yaml to remove the integrity: field and serve altered package content from the registry, running pnpm install --frozen-lockfile may ...