GHSA-qrv3-253h-g69c: pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under node_modules/.pnpm-config.
A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a traversal-shaped config dependency name such as ../../PWNED_CFGDEP. During pnpm install, pnpm installs the config dependency and creates a symlink at a path derived from that name.
In local testing against pnpm v11.5.1, this caused pnpm to create a symlink outside the intended config dependency directory:
expected root: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/node_modules/.pnpm-config
actual path: /tmp/pnpm-cfgdep-poc-sznwgunx/victim/PWNED_CFGDEP
This works with --ignore-scripts, so it does not rely on lifecycle script execution.