v10.28.1
📦 pnpm
✨ 2 features · 🐛 7 fixes · 🔧 5 symbols
Summary
This patch release is mainly a security release: it fixes three path traversal vulnerabilities (ZIP extraction in the binary fetcher, tarball extraction on Windows, and bin linking) and adds support for plain `http://` and `https://` URLs ending in `.git` as git dependencies. It also changes `pnpm run -r` and `pnpm run --filter` to exit with a non-zero code when no selected package has the requested script.
Migration Steps
- If you rely on `pnpm run -r` or `pnpm run --filter` exiting with status 0 when no package in the selection defines the requested script, pass the new `--if-present` flag to keep that behavior; without it, the command now exits with a non-zero code.
✨ New Features
- Support plain `http://` and `https://` URLs ending with `.git` as git repository dependencies, which resolves issues with self-hosted git servers that do not offer tarball downloads.
- `pnpm run -r` and `pnpm run --filter` now fail with a non-zero exit code when no packages have the specified script (unless `--if-present` is used).
🐛 Bug Fixes
- Fixed installation of config dependencies from private registries: entries in `configDependencies` may now be objects, which covers the case where the tarball URL differs from the URL computed from the registry.
- Fixed a path traversal vulnerability in the binary fetcher's ZIP extraction by validating ZIP entry paths and `BinaryResolution.prefix`.
- Fixed a path traversal vulnerability in tarball extraction on Windows by checking for both the `./` and the `.\` prefix during path normalization.
- Fixed a path traversal vulnerability in pnpm's bin linking where bin names starting with `@` bypassed validation.
- Reverted the attempt to avoid making network calls with `preferOffline`.
- Fixed `--save-peer` to write valid semver ranges to `peerDependencies` for protocol-based installs (e.g. `jsr:`) by deriving the range from the resolved version.
- The root workspace project is no longer excluded when explicitly selected via a filter.