chore(deps): update pnpm to v7.33.4 [security] #3896
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7.28.0
->7.33.4
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2023-37478
Summary
It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives.
Details
The TAR format is an append-only archive format, and as such, the specification for how to update a file is to add a new record to the end with the updated version of the file. This means that it is completely valid for an archive to contain multiple copies of, say,
package.json
, and the expected behavior when extracting is that all versions other than the last get ignored.This is further complicated by that during tarball extraction, all package managers are configured to drop the first path component, so collisions can be created simply by using multiple root folders in the archive, even without performing updates.
When pnpm extracts a tar archive via tar-stream, it appears to extract only the first file of a given name and discards all subsequent files with the same name.
PoC
Create a root folder with the following layout:
a/package.json
package/package.json
z/package.json
File contents:
a/package.json
package/package.json
z/package.json
Then use the tar binary to produce a tarball (working directory is the root folder):
tar -c -z --format ustar -f package.tgz a package z
The order of the folders at the end matters; whichever one is last will end up being the package.json that wins when extracted by npm; the one that is first will be the one that wins when extracted by pnpm.
Install the tarball via the
file:
protocol.Observe that with npm, the lockfile has
react@17
, while with pnpm it hasreact@15
.Impact
This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm.
Release Notes
pnpm/pnpm (pnpm)
v7.33.4
Compare Source
Patch Changes
publishConfig.registry
inpackage.json
for publishing #6775.git ls-remote
, causing a fallback togit+ssh
and resulting in a 'host key verification failed' issue #6805Our Gold Sponsors
Our Silver Sponsors
v7.33.3
Compare Source
Patch Changes
package.json
should not fail, when the dependency is read from cache #6721.Our Gold Sponsors
Our Silver Sponsors
v7.33.2
Compare Source
Patch Changes
node-linker
is set tohoisted
#6680..npmrc
file #6354.pnpm update --global --latest
should work #3779.Our Gold Sponsors
Our Silver Sponsors
v7.33.1
Compare Source
Patch Changes
When
dedupe-peer-dependents
is enabled, use the path (not id) to determine compatibility.When multiple dependency groups can be deduplicated, the latter ones are sorted according to number of peers to allow them to benefit from deduplication.
Resolves: #6605
Change lockfile version back to 6.0 as previous versions of pnpm fail to parse the version correctly.
Our Gold Sponsors
Our Silver Sponsors
v7.33.0
Compare Source
Minor Changes
Some settings influence the structure of the lockfile, so we cannot reuse the lockfile if those settings change. As a result, we need to store such settings in the lockfile. This way we will know with which settings the lockfile has been created.
A new field will now be present in the lockfile:
settings
. It will store the values of two settings:autoInstallPeers
andexcludeLinksFromLockfile
. If someone tries to perform afrozen-lockfile
installation and their active settings don't match the ones in the lockfile, then an error message will be thrown.The lockfile format version is bumped from v6.0 to v6.1.
Related PR: #6557
Related issue: #6312
Patch Changes
npm:foo@1.0.0
becomesnpm:foo@1.1.0
.workspace:
protocol is not found in the workspace #4477.updateConfig.ignoreDependencies
#6548Our Gold Sponsors
Our Silver Sponsors
v7.32.5
Compare Source
Patch Changes
pnpm rebuild
should not fail whennode-linker
is set tohoisted
and there are skipped optional dependencies #6553.Our Gold Sponsors
Our Silver Sponsors
v7.32.4
Compare Source
Patch Changes
pnpm link -g <pkg-name>
should not modify thepackage.json
file #4341.engines
field should match prerelease versions #6509.pnpm publish --otp
should work #6514.Our Gold Sponsors
Our Silver Sponsors
v7.32.3
Compare Source
Patch Changes
node-linker
is set tohoisted
6486.Our Gold Sponsors
Our Silver Sponsors
v7.32.2
Compare Source
Patch Changes
Our Gold Sponsors
Our Silver Sponsors
v7.32.1
Compare Source
Patch Changes
publishConfig.directory
of an injected workspace dependency does not exist #6396.Our Gold Sponsors
Our Silver Sponsors
v7.32.0
Compare Source
Minor Changes
.npmrc
. This is a convention used by Yarn too.Using
${NAME-fallback}
will returnfallback
ifNAME
isn't set.${NAME:-fallback}
will returnfallback
ifNAME
isn't set, or is an empty string #6018.Patch Changes
pnpm config get <key>
returns empty when the value is a booleanlink:
protocol inpackage.json
.Our Gold Sponsors
Our Silver Sponsors
v7.31.0
Compare Source
Minor Changes
ignore-workspace-cycles
to silence workspace cycle warning #6308.Patch Changes
@yarnpkg/shell
to fix issues in the shell emulator #6320.@
char #6332.Our Gold Sponsors
Our Silver Sponsors
v7.30.5
Compare Source
Patch Changes
pnpm audit
should work even if there are nopackage.json
file, just apnpm-lock.yaml
file.dedupe-peer-dependents
istrue
#6154.Our Gold Sponsors
Our Silver Sponsors
v7.30.4
Compare Source
v7.30.3
Compare Source
Patch Changes
Our Gold Sponsors
Our Silver Sponsors
v7.30.2
Compare Source
v7.30.1
Compare Source
Patch Changes
pnpm-lock.yaml
file if it has no changes andpnpm install --frozen-lockfile
was executed #6158.git+ssh
that use semver selectors #6239.pnpm audit
output #6203Our Gold Sponsors
Our Silver Sponsors
v7.30.0
Compare Source
Minor Changes
patches-dir
setting #6215Patch Changes
Our Gold Sponsors
Our Silver Sponsors
This PR has been generated by Mend Renovate. View repository job log here.