CVE-2026-55697 - pnpm global bin name traversal

pnpm can derive global executable paths from crafted names and write or delete files outside the intended global bin directory. Systems that allow untrusted packages or metadata into global-style install flows are exposed to direct filesystem corruption.

Affected versions

  • Vulnerable: pnpm <10.34.2
  • Vulnerable: pnpm >=11.0.0, <11.5.3
  • Fixed: 10.34.2+ or 11.5.3+

Remediation strategy

  • Upgrade all controlled pnpm pins to fixed versions.
  • Constrain generated executable paths to a resolved, repository-owned root.
  • Avoid running untrusted package installs with filesystem or credential privileges broader than required.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-55697 / GHSA-gj8w-vr56-x64m in pnpm. Produce either a
reviewer-ready PR that upgrades pnpm and proves generated bin paths stay under
the intended root, or TRIAGE.md if this repository does not control the
affected pnpm runtime.

Steps:
1. Inventory all pnpm pins and any global-style install helpers.
2. Upgrade every vulnerable pin to 10.34.2+ or 11.5.3+.
3. Add or verify final-path containment for generated executable links/files.
4. Run trusted install and test flows.
5. Use PR title `fix(sec): remediate pnpm global bin name traversal`.

Verification

  • No controlled pnpm version remains vulnerable.
  • Generated global bin paths cannot escape the intended root.

References