5 matches found
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
Summary pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped authToken. The repository does not provide a token-bearing auth line. It only...
EUVD-2026-39495
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry...
CVE-2026-50017
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped authToken. The repository does...
CVE-2026-50017 pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped authToken. The repository does...
CVE-2026-50017
pnpm is affected prior to versions 10.34.0 and 11.4.0. In these versions, during normal metadata/install workflows, pnpm can bind user-level unscoped npm authentication credentials to a repository‑selected registry (as configured by a repository-local .npmrc) and transmit them in an Authorization...