CVE-2026-55487 - pnpm allowBuilds identity spoof

pnpm’s allowBuilds trust decision can be bypassed when a package is resolved through an alternate identity. That can let packages reach build-script execution paths that operators intended to block.

Affected versions

  • Vulnerable: pnpm <10.34.2
  • Vulnerable: pnpm >=11.0.0, <11.5.3
  • Fixed: 10.34.2+ or 11.5.3+

Remediation strategy

  • Upgrade all controlled pnpm pins.
  • Canonicalize package identities before applying allowBuilds or equivalent repository policy.
  • Keep build-script exceptions narrow and auditable.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-55487 in pnpm. Produce either a reviewer-ready PR that
upgrades pnpm, tightens repository-controlled build-allow policy, and documents
remaining containment, or TRIAGE.md if the affected pnpm runtime is not
controlled here.

Steps:
1. Inventory pnpm pins plus any repository policy around `allowBuilds`.
2. Upgrade every vulnerable pin to 10.34.2+ or 11.5.3+.
3. Ensure policy checks use canonical dependency identities.
4. Run trusted install, test, and scan flows.
5. Use PR title `fix(sec): remediate pnpm allowBuilds identity spoof`.

Verification

  • No controlled pnpm version remains vulnerable.
  • Allowed build-script identities are canonicalized and auditable.

References