CVE-2025-69264: pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

January 7, 2026 (updated January 8, 2026)

A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature “Dependency lifecycle scripts execution disabled by default”. While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval.

References

github.com/advisories/GHSA-379q-355j-w6rj
github.com/pnpm/pnpm
github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5
github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
nvd.nist.gov/vuln/detail/CVE-2025-69264

Code Behaviors & Features

Detect and mitigate CVE-2025-69264 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →