GHSA-72r4-9c5j-mj57 - pnpm better-node-range CPU exhaustion

pnpm before 10.34.4 and 11.0.0 through 11.7.x can spend excessive CPU parsing crafted Node engine range strings through better-node-range. An attacker who can feed untrusted package metadata or repository content into an pnpm-driven install path can force expensive parsing and stall CI or developer workstations.

Affected versions

  • Vulnerable: pnpm <=10.34.3
  • Vulnerable: pnpm >=11.0.0, <11.8.0
  • Fixed: 10.34.4+ or 11.8.0+

Indicator-of-exposure

  • CI, devcontainers, or local workflows run vulnerable pnpm versions.
  • The repository installs untrusted branches, templates, plugins, or external package metadata.
  • Install jobs run with limited timeouts or shared runners where CPU starvation matters.

Remediation strategy

  • Upgrade all controlled pnpm pins to 10.34.4+ or 11.8.0+.
  • Keep untrusted install jobs isolated from privileged publish or deploy stages.
  • Add or keep CI timeouts so parser-level hangs fail closed instead of blocking worker pools indefinitely.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate GHSA-72r4-9c5j-mj57 in pnpm. Produce either:

- a reviewer-ready PR that upgrades every controlled pnpm runtime to 10.34.4+
  or 11.8.0+, verifies install paths, and documents remaining containment, or
- TRIAGE.md if this repository does not control the affected pnpm runtime.

Rules:
- Scope only pnpm version pins, package-manager bootstrapping, CI install jobs,
  devcontainers, and related documentation.
- Do not benchmark with malicious packages from third-party sources.
- Do not merge automatically.

Steps:
1. Inventory `packageManager`, Corepack, CI setup, Dockerfiles, and docs for pnpm pins.
2. Upgrade every controlled vulnerable pin to 10.34.4+ or 11.8.0+.
3. Verify untrusted install jobs are separated from privileged publish/deploy credentials.
4. Run available version checks, install dry runs on trusted content, and repository tests.
5. Use PR title `fix(sec): remediate pnpm better-node-range CPU exhaustion`.

Verification

  • No controlled environment resolves a vulnerable pnpm version.
  • Install and test jobs complete without parser stalls on trusted fixtures.

References