Patch Changes
-
Security fix: prevent path traversal in
directories.binfield. -
When pnpm installs a
file:orgit:dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked intonode_modules.This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g.,
/etc/passwd,~/.ssh/id_rsa) and have their contents copied when the package is installed.Note: This only affects
file:andgit:dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected. -
Fixed optional dependencies to request full metadata from the registry to get the
libcfield, which is required for proper platform compatibility checks #9950.
Platinum Sponsors
|
|
Gold Sponsors
|
|
|
|
|
|
|