Verify latest release
pnpm version
v10.15.0
Which area(s) of pnpm are affected? (leave empty if unsure)
Dependencies resolver
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
We have a bunch of hierarchical CI builds where upstream pipelines build and publish packages that are thereafter used as dependencies in the downstream pipelines' packages.
This leads to the necessity to have some automated update mechanism in the downstream builds like so:

```sh
pnpm up '@ourpackageprefix/*' -r
```

Other packages should not be touched by this, as they are pinned by pnpm-lock.yaml - at least that's what I thought.
Describe the Bug
Recently debug@4.4.2 was detected as compromised, which I thought would not be able to affect us, because we explicitly only update OUR packages. But to my great astonishment I realized that we magically had fetched this malicious package into our code.
I identified the following packages to bring in the compromised package (excerpts from the lockfile):
```yaml
  '@babel/helper-define-polyfill-provider@0.6.5(@babel/core@7.27.7)':
    dependencies:
      '@babel/core': 7.27.7
      '@babel/helper-compilation-targets': 7.27.2
      '@babel/helper-plugin-utils': 7.27.1
      debug: 4.4.2
      lodash.debounce: 4.0.8
      resolve: 1.22.10
    transitivePeerDependencies:
      - supports-color

  istanbul-lib-source-maps@4.0.1:
    dependencies:
      debug: 4.4.2
      istanbul-lib-coverage: 3.2.2
      source-map: 0.6.1
    transitivePeerDependencies:
      - supports-color

  tuf-js@2.2.1:
    dependencies:
      '@tufjs/models': 2.0.1
      debug: 4.4.2
      make-fetch-happen: 13.0.1
    transitivePeerDependencies:
      - supports-color
```
however still:
```yaml
  '@babel/core@7.27.7':
    dependencies:
      '@ampproject/remapping': 2.3.0
      '@babel/code-frame': 7.27.1
      '@babel/generator': 7.27.5
      '@babel/helper-compilation-targets': 7.27.2
      '@babel/helper-module-transforms': 7.27.3(@babel/core@7.27.7)
      '@babel/helpers': 7.27.6
      '@babel/parser': 7.27.7
      '@babel/template': 7.27.2
      '@babel/traverse': 7.27.7
      '@babel/types': 7.27.7
      convert-source-map: 2.0.0
      debug: 4.4.1(supports-color@5.5.0)
      gensync: 1.0.0-beta.2
      json5: 2.2.3
      semver: 6.3.1
    transitivePeerDependencies:
      - supports-color
```
Why is that?
Expected Behavior
Only matching packages should be updated.
Which Node.js version are you using?
22.18.0
Which operating systems have you used?
If your OS is Linux based, which one is it? (Include the version if relevant)
Rocky 9
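The behaviour reported above, where a scoped `pnpm up '@ourpackageprefix/*'` also moved unrelated transitive resolutions such as `debug` from 4.4.1 to 4.4.2, is lockfile drift that a CI job can catch by diffing `pnpm-lock.yaml` before and after the update. The script below is an added example, not pnpm's code and not the reporter's: it reads only the `snapshots:` section of a lockfileVersion 9 lockfile with a small indentation-based reader (no YAML library needed), then lists every snapshot or dependency edge whose resolved version changed for a package that does not match the allowed patterns. The two embedded lockfiles are constructed samples modelled on the excerpts above; `@ourpackageprefix/core` and its versions are assumed names.

```python
"""Flag resolution changes in pnpm-lock.yaml for packages outside an allowed scope.

Only the `snapshots:` section of a lockfileVersion 9 lockfile is read. The
reader handles just the YAML subset pnpm emits there: quoted or bare mapping
keys, `name: version` pairs and `- item` lists (which are skipped).
"""
from fnmatch import fnmatch

SECTIONS = ("dependencies", "optionalDependencies")


def _strip_quotes(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == "'" else s


def split_key(key):
    """'@babel/core@7.27.7(peer@1.0.0)' -> ('@babel/core', '7.27.7')."""
    base = key.split("(", 1)[0]          # drop the peer-dependency suffix
    name, _, version = base.rpartition("@")
    return name, version


def parse_snapshots(text):
    """Return {snapshot_key: {dependency_name: resolved_version}}."""
    snapshots, current, section, in_snapshots = {}, None, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                      # top-level section header
            in_snapshots = line == "snapshots:"
            current = None
            continue
        if not in_snapshots:
            continue
        if indent == 2 and line.endswith(":"):          # one snapshot
            current = _strip_quotes(line[:-1])
            snapshots[current] = {}
            section = None
        elif indent == 4 and line.endswith(":") and current is not None:
            section = line[:-1]                          # dependencies: etc.
        elif indent == 6 and section in SECTIONS and not line.startswith("- "):
            dep, _, resolved = line.partition(": ")
            snapshots[current][_strip_quotes(dep)] = resolved
    return snapshots


def unexpected_changes(before_text, after_text, allowed_patterns):
    """Return (kind, dependent, package, before, after) tuples for changes
    to packages that match none of allowed_patterns."""
    def allowed(name):
        return any(fnmatch(name, p) for p in allowed_patterns)

    before, after = parse_snapshots(before_text), parse_snapshots(after_text)
    findings = []
    # A snapshot that appears or disappears means that package's own version moved.
    for key in sorted(set(before) ^ set(after)):
        name, version = split_key(key)
        if not allowed(name):
            old = version if key in before else None
            new = version if key in after else None
            findings.append(("snapshot", key, name, old, new))
    # For snapshots on both sides, compare each resolved dependency edge.
    for key in sorted(set(before) & set(after)):
        for dep, resolved in after[key].items():
            prev = before[key].get(dep)
            if prev != resolved and not allowed(dep):
                findings.append(("edge", key, dep, prev, resolved))
    return findings


# Constructed sample lockfiles (not real project data), before and after
# `pnpm up '@ourpackageprefix/*' -r`. Only `debug` under istanbul moved.
BEFORE = """lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      '@ourpackageprefix/core':
        specifier: ^1.0.0
        version: 1.2.0

snapshots:

  '@babel/core@7.27.7':
    dependencies:
      debug: 4.4.1(supports-color@5.5.0)

  '@ourpackageprefix/core@1.2.0':
    dependencies:
      debug: 4.4.1
    transitivePeerDependencies:
      - supports-color

  istanbul-lib-source-maps@4.0.1:
    dependencies:
      debug: 4.4.1
      istanbul-lib-coverage: 3.2.2
      source-map: 0.6.1
    transitivePeerDependencies:
      - supports-color
"""

AFTER = BEFORE.replace("version: 1.2.0", "version: 1.3.0") \
              .replace("core@1.2.0", "core@1.3.0") \
              .replace("      debug: 4.4.1\n      istanbul", "      debug: 4.4.2\n      istanbul")

if __name__ == "__main__":
    for finding in unexpected_changes(BEFORE, AFTER, ["@ourpackageprefix/*"]):
        print("UNEXPECTED:", finding)
```

In a pipeline, copy the lockfile aside before running `pnpm up`, run the check against the updated file, and fail the job when the list is non-empty. Edges beneath a snapshot of an allowed package whose own version changed are deliberately not compared: a new release of your own package is expected to bring new resolutions, and those show up as snapshot changes of their own if they touch an out-of-scope package.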