3 matches found
EUVD-2026-39497
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile...
CVE-2026-48995
pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. The lockfile does not store the hash of the dependencies from https://codeload.github.com. This means that if thi...
Resources Downloaded over Insecure Protocol
Overview @pnpm/package-store is an A storage for packages Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol due to the absence of integrity hashes in the lockfile for HTTP or git-hosted tarball dependencies. An attacker can execute arbitrary code by...