
Update pnpm to 10.34.1 #212

Open
gominimal-pkgmgr-mgr[bot] wants to merge 1 commit into main from update-pnpm-10.34.1

Conversation

@gominimal-pkgmgr-mgr
Contributor

Update pnpm 10.33.4 → 10.34.1

Source: github:pnpm/pnpm:in-major
Release: https://github.com/pnpm/pnpm/releases/tag/v10.34.1
Changelog: pnpm/pnpm@v10.33.4...v10.34.1
Released: unknown (non-GitHub source or tag-only fallback)

Pkgscan: clean — diff against the prior version surfaced no newly-introduced suspicious patterns.

Vulnerability impact

Partition analysis at 10.34.1 (uses each advisory's fixed-version, vulnerable-range, affected-ranges, and fix-commit ancestry to decide):

  • 6 cleared — the new version is outside the advisory's affected range, OR the tag's lineage includes a known fix-commit. These will drop off the next scan.

Vulnerabilities fixed (6)

This update clears 6 vulnerabilities affecting 10.33.4:

CVE / GHSA           Severity  Fixed in
GHSA-cjhr-43r9-cfmw  HIGH      10.34.0
GHSA-hwx4-2j3j-g496  HIGH      10.34.0
GHSA-rxhj-4m44-96r4  HIGH      10.34.0
GHSA-54hh-g5mx-jqcp  MEDIUM    10.34.0
GHSA-p4xf-rf54-rj3x  MEDIUM    10.34.0
GHSA-q6j5-fjx5-2mc3  MEDIUM    10.34.1

Advisory summaries
  • GHSA-cjhr-43r9-cfmw — pnpm binds unscoped user-level npm auth credentials to a repository-selected registry (Published 2026-05-28)
  • GHSA-hwx4-2j3j-g496 — Transitive dependency alias path traversal allows project path override via symlink replacement (Published 2026-05-28)
  • GHSA-rxhj-4m44-96r4 — Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) (Published 2026-05-28)
  • GHSA-54hh-g5mx-jqcp — Unsafe default behavior breaks integrity check (Published 2026-05-28)
  • GHSA-p4xf-rf54-rj3x — Git Fetch Argument Injection via Lockfile resolution.commit (Published 2026-05-28)
  • GHSA-q6j5-fjx5-2mc3 — Integrity Check Bypass via Missing Lockfile Integrity Field (Published 2026-05-28)

Changes

         Old                                                  New
Version  10.33.4                                              10.34.1
SHA256   8e70ddc6649b18bc...                                  b568bc5ee2b68a97...
Size     4.6 MB
Source   https://registry.npmjs.org/pnpm/-/pnpm-10.33.4.tgz   https://registry.npmjs.org/pnpm/-/pnpm-10.34.1.tgz
  • License: MIT (source: GitHub + tarball)

Quality suggestions

  • Missing tests block. This package has no standalone tests, so the buildbot will only verify compilation — not functional correctness. Consider adding a minimal smoke test (e.g., a --version or small round-trip invocation) as part of this PR so future bumps catch regressions. See packages/python/build.ncl for a simple example.

Created by pkgmgr
