CVE-2026-55487 - pnpm allowBuilds identity spoof
pnpm’s allowBuilds trust decision can be bypassed when a package is resolved
through an alternate identity. That can let packages reach build-script
execution paths that operators intended to block.
Affected versions
- Vulnerable:
pnpm <10.34.2 - Vulnerable:
pnpm >=11.0.0, <11.5.3 - Fixed:
10.34.2+or11.5.3+
Remediation strategy
- Upgrade all controlled pnpm pins.
- Canonicalize package identities before applying
allowBuildsor equivalent repository policy. - Keep build-script exceptions narrow and auditable.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-55487 in pnpm. Produce either a reviewer-ready PR that
upgrades pnpm, tightens repository-controlled build-allow policy, and documents
remaining containment, or TRIAGE.md if the affected pnpm runtime is not
controlled here.
Steps:
1. Inventory pnpm pins plus any repository policy around `allowBuilds`.
2. Upgrade every vulnerable pin to 10.34.2+ or 11.5.3+.
3. Ensure policy checks use canonical dependency identities.
4. Run trusted install, test, and scan flows.
5. Use PR title `fix(sec): remediate pnpm allowBuilds identity spoof`.
Verification
- No controlled pnpm version remains vulnerable.
- Allowed build-script identities are canonicalized and auditable.
References
- GitHub Advisory Database entry: https://github.com/advisories?query=CVE-2026-55487
- GitLab advisory mirror: https://advisories.gitlab.com/pkg/npm/pnpm/CVE-2026-55487/