CVE-2026-50015 - pnpm malicious patch path traversal

pnpm can let malicious patch file paths escape the intended workspace and write or delete arbitrary files. Public mirrors disagree on the exact lower fixed boundary in the 10.x line, but the safe remediation floor converges on 10.34.0+ and 11.4.0+.

Affected versions

  • Vulnerable: pnpm <10.34.0
  • Vulnerable: pnpm >=11.0.0, <11.4.0
  • Fixed: 10.34.0+ or 11.4.0+

Remediation strategy

  • Upgrade pnpm to fixed versions everywhere it is pinned.
  • Prove patch paths remain under the intended workspace root before apply or extraction operations.
  • Review repository-owned patch files and remove untrusted ones from privileged pipelines.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-50015 / GHSA-rxhj-4m44-96r4 in pnpm. Produce either a
reviewer-ready PR that upgrades pnpm, hardens patch-path containment, and
documents cleanup, or TRIAGE.md if this repository does not control the
affected pnpm runtime.

Steps:
1. Inventory pnpm pins and repository-owned patch workflows.
2. Upgrade every vulnerable pin to 10.34.0+ or 11.4.0+.
3. Verify patch paths are normalized and contained under the intended root.
4. Run trusted install and repository tests.
5. Use PR title `fix(sec): remediate pnpm malicious patch path traversal`.

Verification

  • No controlled pnpm version remains vulnerable.
  • Patch application cannot escape the intended workspace root.

References