CVE-2026-55698 - pnpm env lockfile short-circuit

pnpm can short-circuit expected safety checks while processing project env lockfile data, allowing traversal-shaped input to reach filesystem-sensitive operations. In untrusted repo or template installs, this becomes a high-consequence supply-chain boundary failure.

Affected versions

  • Vulnerable: pnpm <10.34.2
  • Vulnerable: pnpm >=11.0.0, <11.5.3
  • Fixed: 10.34.2+ or 11.5.3+

Indicator-of-exposure

  • Vulnerable pnpm runs in CI, devcontainers, or local bootstrap.
  • Untrusted branches or templates can modify env lockfile content.

Remediation strategy

  • Upgrade pnpm everywhere it is pinned.
  • Reject env lockfile values containing traversal segments, absolute paths, or invalid package identities.
  • Separate untrusted install jobs from privileged credentials and caches.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-55698 in pnpm. Produce either a reviewer-ready PR that
upgrades pnpm, hardens env lockfile validation, and documents containment, or
TRIAGE.md if the affected pnpm runtime is outside this repository's control.

Steps:
1. Inventory all pnpm pins in manifests, CI, images, and docs.
2. Upgrade every controlled vulnerable pin to 10.34.2+ or 11.5.3+.
3. Add or verify env lockfile validation that rejects traversal-shaped values.
4. Run trusted install, test, and scan flows.
5. Use PR title `fix(sec): remediate pnpm env lockfile short-circuit`.

Verification

  • No controlled pnpm runtime remains vulnerable.
  • Env lockfile validation fails closed on traversal-shaped inputs.

References