Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1993

NIXPKGS-2026-1993
published 1 week, 4 days ago
pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
Permalink CVE-2026-50021
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • pnpm
    • pnpm_8
    • pnpm_9
    • pnpm_11
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install --frozen-lockfile can install the altered package without an integrity error. npm's npm ci enforces integrity by default; pnpm's behavior of silently skipping verification is a pnpm-specific fail-open gap. This vulnerability is fixed in 10.34.0 and 11.4.0.

Affected products

pnpm
  • ==>= 11.0.0, < 11.4.0
  • ==< 10.34.0

Matching in nixpkgs

Ignored packages (8)

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Needs some backports