Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: pnpm_11

Found 8 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-59196
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 4 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: hoisted install imports lockfile alias outside node_modules

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted node_modules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fixed in 10.34.4 and 11.7.0.

Affected products

pnpm
  • ==>= 11.0.0, < 11.7.0
  • ==< 10.34.4

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

Ignored packages (4)

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Published
Permalink CVE-2026-59194
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 4 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpmConfigHook
    • pnpmBuildHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: patch-remove could delete project-selected files outside the patches directory

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 and 11.7.0.

Affected products

pnpm
  • ==>= 11.0.0, < 11.7.0
  • ==< 10.34.4

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

Ignored packages (4)

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Published
Permalink CVE-2026-59195
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 4 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config

pnpm is a package manager. Prior to 10.34.4 and 11.8.0, pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under node_modules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a traversal-shaped config dependency name. During pnpm install, pnpm installs the config dependency and creates a symlink at a path derived from that name. This vulnerability is fixed in 10.34.4 and 11.8.0.

Affected products

pnpm
  • ==>= 11.0.0, < 11.8.0
  • ==< 10.34.4

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

Ignored packages (4)

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Published
Permalink CVE-2026-55487
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value. This vulnerability is fixed in 10.34.2 and 11.5.3.

Affected products

pnpm
  • ==>= 11.0.0, < 11.5.3
  • ==< 10.34.2

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

Ignored packages (4)

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Needs some backports and bumps for the 10.x branch
Published
Permalink CVE-2026-55700
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    8 packages
    • pnpm_8
    • pnpm_9
    • pnpm_10
    • pnpm_10_29_2
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: stage download writes outside destination via manifest version traversal

pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe filename, and verifies the final destination before writing. This vulnerability is fixed in 11.5.3.

Affected products

pnpm
  • ==>= 11.3.0, < 11.5.3

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

Ignored packages (8)

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Needs some backports
Published
Permalink CVE-2026-55698
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained matching pnpm and @pnpm/exe versions. A malicious repository could therefore commit package-manager lockfile package records and snapshots that bypassed fresh package-manager resolution, then cause pnpm to install and execute bytes selected by that committed lockfile state during automatic version switching. This vulnerability is fixed in 10.34.2 and 11.5.3.

Affected products

pnpm
  • ==>= 11.0.0, < 11.5.3
  • ==< 10.34.2

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

Ignored packages (4)

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Needs some backports and bumps for the 10.x branch
Published
Permalink CVE-2026-55180
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • pnpm-fixup-state-db
    • pnpm-shell-completion
    • pnpmConfigHook
    • pnpmBuildHook
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run. This vulnerability is fixed in 10.34.2 and 11.5.3.

Affected products

pnpm
  • ==>= 11.0.0, < 11.5.3
  • ==< 10.34.2

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

Ignored packages (4)

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Needs some backports and bumps for the 10.x branch
Published
Permalink CVE-2026-55697
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • pnpm_10_29_2
    • pnpmBuildHook
    • pnpmConfigHook
    • pnpm-fixup-state-db
    • pnpm-shell-completion
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
pnpm: Repository-controlled configDependencies can select a pacquet native install engine

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependency and pnpm treated that repository-controlled dependency as an install-engine opt-in. During install, pnpm resolved a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawned it as the developer or CI user. This vulnerability is fixed in 10.34.2 and 11.5.3.

Affected products

pnpm
  • ==>= 11.0.0, < 11.5.3
  • ==< 10.34.2

Matching in nixpkgs

pkgs.pnpm

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_8

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_9

Fast, disk space efficient package manager for JavaScript

pkgs.pnpm_11

Fast, disk space efficient package manager for JavaScript

Ignored packages (5)

pkgs.pnpmBuildHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.pnpmConfigHook

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-26.05 -
    • nixos-26.05-small
    • nixpkgs-26.05-darwin

Package maintainers

Needs some backports and bumps for the 10.x branch