GHSA-72r4-9c5j-mj57: pnpm: `patch-remove` could delete project-selected files outside the patches directory

June 27, 2026

The patch-remove deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm.

A crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it.

References

github.com/advisories/GHSA-72r4-9c5j-mj57
github.com/pnpm/pnpm/commit/612a2e6a7333f2b061f452a21b6e62c1c161747f
github.com/pnpm/pnpm/security/advisories/GHSA-72r4-9c5j-mj57

Code Behaviors & Features

Detect and mitigate GHSA-72r4-9c5j-mj57 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →