pnpm node_modules NTFS junctions cause catastrophic data loss when directories are deleted with Remove-Item -Recurse -Force or rm -rf on Windows — real-world incident report #10707

@panchito05

Description

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

No response

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

  1. Create a pnpm monorepo on Windows (NTFS filesystem)
  2. Add git worktrees: git worktree add ./variant-a + git worktree add ./variant-b
  3. Run pnpm install inside the worktrees — pnpm creates NTFS junctions in node_modules pointing to the main repo packages and the global pnpm store
  4. Delete the worktree directory using either:
    • PowerShell: Remove-Item -Recurse -Force ./variant-a
    • Git Bash/MSYS: rm -rf ./variant-a
  5. PowerShell/MSYS follows the NTFS junctions inside node_modules → deletes REAL target directories outside the worktree
  6. Catastrophic data loss — Windows user profile folders, source code, other projects permanently deleted. Recycle Bin bypassed.

Describe the Bug

Real-world incident — February 26, 2026. Two users lost their entire Windows user profiles on the same day.

pnpm uses NTFS junctions (directory reparse points) on Windows to link packages in node_modules to the global store and between workspaces. This is by design for performance, but creates a catastrophic danger: standard recursive deletion commands (Remove-Item -Recurse -Force in PowerShell, rm -rf in Git Bash/MSYS) follow these junctions into their real targets and delete files outside the intended directory.

Actual data lost (my incident):

This was triggered by Claude Code CLI, which executed Remove-Item -Recurse -Force on git worktrees without knowing about this danger.

Known PowerShell bugs: PowerShell/PowerShell#16664, #19714 (both OPEN), git-for-windows/git#607

Deleting a pnpm worktree directory should only delete files within that directory. Junction points in node_modules should be removed as links, NOT followed into their real target directories. The behavior should be identical to cmd.exe /c "rmdir /S /Q <path>" which correctly handles this.

Request for pnpm:

  1. Add a prominent WARNING in Windows documentation about this danger
  2. Document the safe deletion method: cmd.exe /c "rmdir /S /Q <path>"
  3. Consider adding a pnpm worktree remove or pnpm clean command that safely removes node_modules on Windows
  4. Consider using symlinks instead of junctions where possible (PowerShell handles symlinks correctly)

Related issues: Remove-Item -Recurse -Force follows NTFS junctions in node_modules (pnpm), deleting real files outside the target directory — catastrophic data loss PowerShell/PowerShell#26913, [MODEL] Claude Code CLI executed Remove-Item -Recurse -Force on pnpm worktrees, triggering catastrophic NTFS junction traversal — permanent deletion of user profile folders and source code anthropics/claude-code#29249, #29023, #29082

Expected Behavior

Deleting a directory containing pnpm node_modules should ONLY delete files within that directory. NTFS junction points should be removed as links (the junction itself), NOT followed into their real target directories. Safe method: cmd.exe /c "rmdir /S /Q <path>"

Which Node.js version are you using?

20.x (exact version not recorded at time of incident)

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux-based, which one is it? (Include the version if relevant)

No response
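
A link-aware delete of the kind the report asks for, sketched in Node.js (the runtime pnpm runs on) as an added example; it is not pnpm's code and not part of the original issue. The helper name `removeTreeWithoutFollowingLinks` and the temporary directory layout are hypothetical and constructed for the demonstration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper (not a pnpm API). lstat describes the entry itself; Node
// reports NTFS junctions and symlinks as isSymbolicLink(), so each link is
// unlinked in place and the walk never descends into its target.
function removeTreeWithoutFollowingLinks(root) {
  const removedLinks = [];
  const walk = (dir) => {
    for (const name of fs.readdirSync(dir)) {
      const entry = path.join(dir, name);
      const st = fs.lstatSync(entry);
      if (st.isSymbolicLink()) {
        fs.unlinkSync(entry); // removes the link only, target untouched
        removedLinks.push(entry);
      } else if (st.isDirectory()) {
        walk(entry);
        fs.rmdirSync(entry); // real directory, empty after the walk
      } else {
        fs.unlinkSync(entry);
      }
    }
  };
  // Edge case: the path handed in is itself a link.
  if (fs.lstatSync(root).isSymbolicLink()) { fs.unlinkSync(root); return [root]; }
  walk(root);
  fs.rmdirSync(root);
  return removedLinks;
}

// Constructed layout: a worktree whose node_modules links to a store outside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'junction-demo-'));
  const storePkg = path.join(base, 'store', 'pkg');
  const worktree = path.join(base, 'variant-a');
  fs.mkdirSync(storePkg, { recursive: true });
  fs.writeFileSync(path.join(storePkg, 'index.js'), 'module.exports = 1;\n');
  fs.mkdirSync(path.join(worktree, 'node_modules'), { recursive: true });
  fs.writeFileSync(path.join(worktree, 'package.json'), '{}\n');
  // 'junction' creates an NTFS junction on Windows; other platforms ignore the type.
  fs.symlinkSync(storePkg, path.join(worktree, 'node_modules', 'pkg'), 'junction');
  const links = removeTreeWithoutFollowingLinks(worktree);
  const result = { worktreeGone: !fs.existsSync(worktree),
    targetIntact: fs.existsSync(path.join(storePkg, 'index.js')), linksRemoved: links.length };
  fs.rmSync(base, { recursive: true, force: true }); // clean up the constructed tree
  return result;
}

console.log(demo());
```

The returned list of removed links doubles as an audit trail of which junctions a cleanup touched.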
