Package details: pkg:npm/pnpm@10.26.0
purl pkg:npm/pnpm@10.26.0
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability: VCID-che8-5n7s-sqeq
Summary: pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.
Aliases: CVE-2025-69263, GHSA-7vhp-vf5g-r2fw

Vulnerability: VCID-g6u9-b6us-fuhq
Summary: pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.
Aliases: CVE-2025-69264, GHSA-379q-355j-w6rj

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-12T15:49:57.466329+00:00 | GitLab Importer | Fixing | VCID-g6u9-b6us-fuhq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2025-69264.yml | 38.6.0
2026-06-12T15:49:57.193992+00:00 | GitLab Importer | Fixing | VCID-che8-5n7s-sqeq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/pnpm/CVE-2025-69263.yml | 38.6.0
2026-06-12T07:47:03.754598+00:00 | GithubOSV Importer | Fixing | VCID-che8-5n7s-sqeq | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7vhp-vf5g-r2fw/GHSA-7vhp-vf5g-r2fw.json | 38.6.0
2026-06-12T07:47:02.838576+00:00 | GithubOSV Importer | Fixing | VCID-g6u9-b6us-fuhq | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-379q-355j-w6rj/GHSA-379q-355j-w6rj.json | 38.6.0
2026-06-11T20:37:13.677117+00:00 | GHSA Importer | Fixing | VCID-g6u9-b6us-fuhq | https://github.com/advisories/GHSA-379q-355j-w6rj | 38.6.0
2026-06-11T20:37:13.644684+00:00 | GHSA Importer | Fixing | VCID-che8-5n7s-sqeq | https://github.com/advisories/GHSA-7vhp-vf5g-r2fw | 38.6.0