Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update pnpm to v9 [security] #92

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 11, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pnpm (source) 8.15.1 -> 9.15.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-53866

Summary

pnpm seems to mishandle overrides and global cache:

  1. Overrides from one workspace leak into npm metadata saved in global cache
  2. npm metadata from global cache affects other workspaces
  3. installs by default don't revalidate the data (including on first lockfile generation)

This can make workspace A (even running with ignore-scripts=true) posion global cache and execute scripts in workspace B

Users generally expect ignore-scripts to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).

Here, that expectation is broken

Details

See PoC.

In it, overrides from a single run of A get leaked into e.g. ~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json and persistently affect all other projects using the cache

PoC

Postinstall code used in PoC is benign and can be inspected in https://www.npmjs.com/package/ponyhooves?activeTab=code, it's just a console.log

  1. Remove store and cache
    On mac: rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store
    This step is not required in general, but we'll be using a popular package for PoC that's likely cached
  2. Create A/package.json:
    {
      "name": "A",
      "pnpm": { "overrides": { "rimraf>glob": "npm:ponyhooves@1" } },
      "dependencies": { "rimraf": "6.0.1" }
    }
    Install it with pnpm i --ignore-scripts (the flag is not required, but the point of the demo is to show that it doesn't help)
  3. Create B/package.json:
    {
      "name": "B",
      "dependencies": { "rimraf": "6.0.1" }
    }
    Install it with pnpm i

Result:

Packages: +3
+++
Progress: resolved 3, reused 3, downloaded 0, added 3, done
node_modules/.pnpm/[email protected]/node_modules/ponyhooves: Running postinstall script, done in 51ms

dependencies:
+ rimraf 6.0.1

Done in 1.4s

Also, that code got leaked into another project and it's lockfile now!

Impact

Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs

As a work-around, use separate cache and store dirs in each workspace


Release Notes

pnpm/pnpm (pnpm)

v9.15.0: pnpm 9.15

Compare Source

Minor Changes

  • Metadata directory version bumped to force fresh cache after we shipped a fix to the metadata write function. This change is backward compatible as install doesn't require a metadata cache.

Patch Changes

  • pnpm update --global should not crash if there are no any global packages installed #​7898.
  • Fix an exception when running pnpm update --interactive if catalogs are used.

Platinum Sponsors

Bit Bit Figma

Gold Sponsors

Discord Prisma
u|screen JetBrains
Nx CodeRabbit
Route4Me

v9.14.4: pnpm 9.14.4

Compare Source

Patch Changes

  • Don't ever save mutated metadata to the metadata cache.

Platinum Sponsors

Bit Bit Figma

Gold Sponsors

Discord Prisma
u|screen JetBrains
Nx CodeRabbit
Route4Me

Silver Sponsors

Leniolabs_ Vercel
Depot moonrepo
devowl.io Cerbos
vlt Vite

v9.14.3: pnpm 9.14.3

Compare Source

Patch Changes
  • Some commands should ignore the packageManager field check of package.json #​7959.
Platinum Sponsors
Bit Bit Figma
Gold Sponsors
Discord Prisma
u|screen JetBrains
Nx CodeRabbit
Route4Me
Silver Sponsors
Leniolabs_ Vercel
Depot moonrepo
devowl.io Cerbos
vlt Vite

v9.14.2

Compare Source

Patch Changes
  • pnpm publish --json should work #​8788.
Platinum Sponsors
Bit Bit Figma
Gold Sponsors
Discord Prisma
u|screen JetBrains
Nx CodeRabbit
Route4Me

v9.14.1

Compare Source

Minor Changes

  • Added support for pnpm pack --json to print packed tarball and contents in JSON format #​8765.

Patch Changes

  • pnpm exec should print a meaningful error message when no command is provided #​8752.
  • pnpm setup should remove the CLI from the target location before moving the new binary #​8173.
  • Fix ERR_PNPM_TARBALL_EXTRACT error while installing a dependency from GitHub having a slash in branch name #​7697.
  • Don't crash if the use-node-version setting is used and the system has no Node.js installed #​8769.
  • Convert settings in local .npmrc files to their correct types. For instance, child-concurrency should be a number, not a string #​5075.
  • pnpm should fail if a project requires a different package manager even if manage-package-manager-versions is set to true.
  • pnpm init should respect the --dir option #​8768.

Platinum Sponsors

Bit Bit Figma

Gold Sponsors

Discord Prisma
u|screen JetBrains
Nx CodeRabbit
Route4Me

v9.14.0

Compare Source

v9.13.2: pnpm 9.13.2

Compare Source

Patch Changes

  • Detection of circular peer dependencies should not crash with aliased dependencies #​8759. Fixes a regression introduced in the previous version.
  • Fix race condition of symlink creations caused by multiple parallel dlx processes.

Platinum Sponsors

Bit Bit Figma

Gold Sponsors

Discord Prisma
u|screen JetBrains
Nx CodeRabbit
Route4Me

Silver Sponsors

Leniolabs_ Vercel
Depot moonrepo
devowl.io Cerbos
vlt Vite

v9.13.1: pnpm 9.13.1

Compare Source

Patch Changes
  • Fixed some edge cases where resolving circular peer dependencies caused a dead lock #​8720.
Platinum Sponsors
Bit Bit Figma
Gold Sponsors
Discord Prisma
u|screen JetBrains
Nx CodeRabbit
Route4Me
Silver Sponsors
Leniolabs_ Vercel
Depot moonrepo
devowl.io Cerbos
vlt Vite

v9.13.0: pnpm 9.13

Compare Source

Minor Changes

  • The self-update now accepts a version specifier to install a specific version of pnpm. E.g.:

    pnpm self-update 9.5.0
    

    or

    pnpm self-update next-10
    

Patch Changes

  • Fix Cannot read properties of undefined (reading 'name') that is printed while trying to render the missing peer dependencies warning message #​8538.

Platinum Sponsors

Bit Figma

Gold Sponsors

Discord Prisma
u|screen JetBrains
Nx CodeRabbit
Route4Me

Silver Sponsors

Leniolabs_ Vercel
Depot

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from Hebilicious as a code owner December 11, 2024 01:23
Copy link

changeset-bot bot commented Dec 11, 2024

⚠️ No Changeset found

Latest commit: 2219dd2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/npm-pnpm-vulnerability branch from 462fc8e to e652d7f Compare February 11, 2025 13:13
@renovate renovate bot force-pushed the renovate/npm-pnpm-vulnerability branch 15 times, most recently from 68e1dd8 to 96e7971 Compare March 12, 2025 06:25
@renovate renovate bot force-pushed the renovate/npm-pnpm-vulnerability branch 5 times, most recently from 8dcc420 to 195d3f5 Compare March 15, 2025 21:16
@renovate renovate bot force-pushed the renovate/npm-pnpm-vulnerability branch from 195d3f5 to 2219dd2 Compare March 16, 2025 01:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants