2 matches found
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
Summary A malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. Details The lockfile does not store the hash of the dependencies from https://codeload.github.com This means that if this server was compromised or a person's...
CVE-2026-48995
CVE-2026-48995 affects pnpm, a package manager. Prior to versions 10.33.4 and 11.0.7, a malicious codeload.github.com server could serve arbitrary tarballs and pnpm would install them regardless of the lockfile because the tarball hash is not stored in the lockfile. This could enable tampering of...