v10.34.4
📦 pnpmView on GitHub →
🐛 4 fixes🔧 4 symbols
Summary
This patch release focuses heavily on security, validating configuration dependency names and versions, rejecting malicious lockfile aliases, and hardening warnings related to environment variables in configuration.
🐛 Bug Fixes
- Security fix: Configuration dependency names must now be valid npm package names and versions must be exact semver versions to prevent filesystem path traversal during `pnpm install`.
- Security fix: Path-traversal and reserved dependency aliases (like ".bin", "node_modules") originating from a lockfile are now rejected when using `nodeLinker: hoisted`.
- Security fix: Prevented `pnpm patch-remove` from removing files outside the configured patches directory.
- Hardened the warning printed when project .npmrc uses environment variables in registry/auth settings; the suggested `pnpm config set` command is now only included for keys made up of shell-inert characters to prevent command injection.