v10.28.2
📦 pnpm
Summary
This patch release focuses on security improvements by preventing path traversal in `directories.bin` and securing symlink handling for local dependencies. It also fixes an issue related to optional dependency metadata fetching for platform checks.
🐛 Bug Fixes
- Security fix: prevent path traversal in `directories.bin` field.
- When pnpm installs a `file:` or `git:` dependency, it now validates that symlinks point within the package directory, skipping symlinks to paths outside the package root to prevent local data leakage.
- Fixed optional dependencies to request full metadata from the registry to obtain the `libc` field required for proper platform compatibility checks.