4 matches found
EUVD-2026-39484
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes...
CVE-2026-50573
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm install in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the...
CVE-2026-55698
pnpm advisory (CVE-2026-55698) affects pnpm by allowing a crafted env lockfile in pnpm-lock.yaml to bypass fresh package-manager resolution and cause installation of bytes selected by the lockfile state. The issue occurs prior to 10.34.2 and 11.5.3, which have fixed the vulnerability. The vulnera...
PT-2026-52523
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.2 pnpm versions 11.0.0 through 11.5.2 Description pnpm can persist package-manager bootstrap metadata in the first YAML document of the pnpm-lock.yaml file. The issue occurs when pnpm incorrectly trusts an already...