GHSA-72r4-9c5j-mj57 - pnpm better-node-range CPU exhaustion
pnpm before 10.34.4 and 11.0.0 through 11.7.x can spend excessive CPU
parsing crafted Node engine range strings through better-node-range. An
attacker who can feed untrusted package metadata or repository content into an
pnpm-driven install path can force expensive parsing and stall CI or developer
workstations.
Affected versions
- Vulnerable:
pnpm <=10.34.3 - Vulnerable:
pnpm >=11.0.0, <11.8.0 - Fixed:
10.34.4+or11.8.0+
Indicator-of-exposure
- CI, devcontainers, or local workflows run vulnerable pnpm versions.
- The repository installs untrusted branches, templates, plugins, or external package metadata.
- Install jobs run with limited timeouts or shared runners where CPU starvation matters.
Remediation strategy
- Upgrade all controlled pnpm pins to
10.34.4+or11.8.0+. - Keep untrusted install jobs isolated from privileged publish or deploy stages.
- Add or keep CI timeouts so parser-level hangs fail closed instead of blocking worker pools indefinitely.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate GHSA-72r4-9c5j-mj57 in pnpm. Produce either:
- a reviewer-ready PR that upgrades every controlled pnpm runtime to 10.34.4+
or 11.8.0+, verifies install paths, and documents remaining containment, or
- TRIAGE.md if this repository does not control the affected pnpm runtime.
Rules:
- Scope only pnpm version pins, package-manager bootstrapping, CI install jobs,
devcontainers, and related documentation.
- Do not benchmark with malicious packages from third-party sources.
- Do not merge automatically.
Steps:
1. Inventory `packageManager`, Corepack, CI setup, Dockerfiles, and docs for pnpm pins.
2. Upgrade every controlled vulnerable pin to 10.34.4+ or 11.8.0+.
3. Verify untrusted install jobs are separated from privileged publish/deploy credentials.
4. Run available version checks, install dry runs on trusted content, and repository tests.
5. Use PR title `fix(sec): remediate pnpm better-node-range CPU exhaustion`.
Verification
- No controlled environment resolves a vulnerable pnpm version.
- Install and test jobs complete without parser stalls on trusted fixtures.
References
- GitHub Advisory: https://github.com/advisories/GHSA-72r4-9c5j-mj57
- Vendor advisory: https://github.com/pnpm/pnpm/security/advisories/GHSA-72r4-9c5j-mj57