3 matches found
CVE-2026-55698
A flaw was found in pnpm, a package manager. This vulnerability allows a remote attacker to achieve arbitrary code execution by committing a specially crafted package-manager lockfile pnpm-lock.yaml to a repository. When pnpm is executed, it trusts an already resolved packageManagerDependencies...
CVE-2026-55698
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained...
CVE-2023-45805 Trojan Lockfilein pdm
pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project f...