GHSA-fr4h-3cph-29xv - pnpm protocol specifier bypass
pnpm before 10.34.4 and 11.0.0 through 11.7.x can let crafted
protocol-style dependency specifiers short-circuit expected validation. In
untrusted install scenarios that weakens supply-chain guarantees and can allow
unexpected dependency materialization paths.
Affected versions
- Vulnerable:
pnpm <=10.34.3 - Vulnerable:
pnpm >=11.0.0, <11.8.0 - Fixed:
10.34.4+or11.8.0+
Indicator-of-exposure
- Vulnerable pnpm is pinned in CI, developer bootstrap, or images.
- The repository consumes untrusted lockfiles or dependency manifests.
- Install paths rely on pnpm validation as a trust boundary.
Remediation strategy
- Upgrade pnpm everywhere it is pinned or bootstrapped.
- Treat malformed protocol specifiers as a hard failure in repository-owned validation tooling.
- Keep untrusted dependency resolution away from privileged pipelines.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate GHSA-fr4h-3cph-29xv in pnpm. Produce either:
- a reviewer-ready PR that upgrades controlled pnpm runtimes to 10.34.4+ or
11.8.0+, verifies dependency validation paths, and documents containment, or
- TRIAGE.md if this repository does not control the affected pnpm runtime.
Rules:
- Scope only pnpm pins, dependency validation helpers, CI install jobs, and
related images or docs.
- Do not validate by pulling attacker-controlled packages.
Steps:
1. Inventory all pnpm pins and bootstrap paths.
2. Upgrade every controlled vulnerable pin.
3. Add or confirm fail-closed handling for malformed protocol-style dependency specifiers.
4. Run trusted install, test, and scan workflows.
5. Use PR title `fix(sec): remediate pnpm protocol specifier bypass`.
Verification
- No controlled pnpm runtime remains in the vulnerable range.
- Malformed dependency identities fail closed in repository-controlled checks.
References
- GitHub Advisory: https://github.com/advisories/GHSA-fr4h-3cph-29xv
- Vendor advisory: https://github.com/pnpm/pnpm/security/advisories/GHSA-fr4h-3cph-29xv