v10.28.2

📦 pnpm
🐛 3 fixes · 🔧 4 symbols

Summary

This patch release focuses on security improvements by preventing path traversal in `directories.bin` and securing symlink handling for local dependencies. It also fixes an issue related to optional dependency metadata fetching for platform checks.

🐛 Bug Fixes

  • Security fix: prevent path traversal in `directories.bin` field.
  • When pnpm installs a `file:` or `git:` dependency, it now validates that symlinks point within the package directory, skipping symlinks to paths outside the package root to prevent local data leakage.
  • Fixed optional dependencies to request full metadata from the registry to obtain the `libc` field required for proper platform compatibility checks.

Affected Symbols