unintended out-of-scope updates #9992

Description

@Enrice

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

v10.15.0

Which area(s) of pnpm are affected? (leave empty if unsure)

Dependencies resolver

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

We have a bunch of hierarchical CI builds where upstream pipelines build and publish packages that are thereafter used as dependencies in downstream pipelines' packages.

This leads to the necessity to have some automated update mechanism in the downstream builds like so:

pnpm up '@ourpackageprefix/*' -r

Other packages should not be touched by this, as they are pinned by pnpm-lock.yaml - at least that's what I thought.

Describe the Bug

Recently debug@4.4.2 was detected as compromised, which I thought would not be able to affect us, because we explicitly only update OUR packages. But to my great astonishment I realized that we magically had fetched this malicious package into our code.

I identified the following packages to bring in the compromised package (excerpts from the lockfile):

  '@babel/helper-define-polyfill-provider@0.6.5(@babel/core@7.27.7)':
    dependencies:
      '@babel/core': 7.27.7
      '@babel/helper-compilation-targets': 7.27.2
      '@babel/helper-plugin-utils': 7.27.1
      debug: 4.4.2
      lodash.debounce: 4.0.8
      resolve: 1.22.10
    transitivePeerDependencies:
      - supports-color

  istanbul-lib-source-maps@4.0.1:
    dependencies:
      debug: 4.4.2
      istanbul-lib-coverage: 3.2.2
      source-map: 0.6.1
    transitivePeerDependencies:
      - supports-color

  tuf-js@2.2.1:
    dependencies:
      '@tufjs/models': 2.0.1
      debug: 4.4.2
      make-fetch-happen: 13.0.1
    transitivePeerDependencies:
      - supports-color

however still:

  '@babel/core@7.27.7':
    dependencies:
      '@ampproject/remapping': 2.3.0
      '@babel/code-frame': 7.27.1
      '@babel/generator': 7.27.5
      '@babel/helper-compilation-targets': 7.27.2
      '@babel/helper-module-transforms': 7.27.3(@babel/core@7.27.7)
      '@babel/helpers': 7.27.6
      '@babel/parser': 7.27.7
      '@babel/template': 7.27.2
      '@babel/traverse': 7.27.7
      '@babel/types': 7.27.7
      convert-source-map: 2.0.0
      debug: 4.4.1(supports-color@5.5.0)
      gensync: 1.0.0-beta.2
      json5: 2.2.3
      semver: 6.3.1
    transitivePeerDependencies:
      - supports-color

Why is that?

Expected Behavior

Only matching packages should be updated.

Which Node.js version are you using?

22.18.0

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux based, which one is it? (Include the version if relevant)

Rocky 9
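As an added example (not pnpm's code and not part of the report), a check a downstream pipeline can run after `pnpm up '@ourpackageprefix/*' -r`: diff the `dependencies:` entries of two lockfile snapshot excerpts and flag every resolved version that changed for a package outside the requested prefix. It assumes the simplified excerpt layout shown above, constructed lockfile texts embedded inline, and the hypothetical names parseSnapshots and outOfScopeUpdates; a full pnpm-lock.yaml should be read with a YAML parser instead.

```javascript
// Added example (not pnpm's or the reporter's code); both lockfile texts are constructed.
const LOCK_BEFORE = `
  '@babel/core@7.27.7':
    dependencies:
      debug: 4.4.1(supports-color@5.5.0)
  istanbul-lib-source-maps@4.0.1:
    dependencies:
      debug: 4.4.1
  '@ourpackageprefix/ui@1.2.0':
    dependencies:
      '@ourpackageprefix/core': 1.2.0
`;
// After a `pnpm up '@ourpackageprefix/*' -r`: the requested bump plus a stray debug bump.
const LOCK_AFTER = LOCK_BEFORE
  .replace("'@ourpackageprefix/core': 1.2.0", "'@ourpackageprefix/core': 1.3.0")
  .replace("debug: 4.4.1\n", "debug: 4.4.2\n"); // only the bare (istanbul) entry matches

// Minimal parser for the excerpt shape in the report: snapshot keys at indent 2,
// "dependencies:" at indent 4 and "name: version" entries at indent 6.
const unquote = (s) => s.replace(/^'|'$/g, "");
function parseSnapshots(text) {
  const snapshots = {};
  let current = null, deps = null;
  for (const raw of text.split("\n")) {
    const indent = raw.search(/\S/), line = raw.trim();
    if (indent === 2) { current = snapshots[unquote(line.slice(0, -1))] = {}; deps = null; }
    else if (indent === 4) deps = line === "dependencies:" ? current : null;
    else if (indent === 6 && deps && line.includes(": ")) {
      const [name, version] = line.split(": ");
      deps[unquote(name)] = version;
    }
  }
  return snapshots;
}
// pnpm suffixes resolved peers in parentheses: "4.4.1(supports-color@5.5.0)" -> "4.4.1".
const bareVersion = (v) => v.replace(/\(.*$/, "");

// Dependency edges whose resolved version changed although the name is outside allowedPrefix.
function outOfScopeUpdates(before, after, allowedPrefix) {
  const a = parseSnapshots(before), b = parseSnapshots(after), findings = [];
  for (const [key, deps] of Object.entries(b)) {
    for (const [name, version] of Object.entries(deps)) {
      const old = a[key]?.[name];
      if (old === undefined || bareVersion(old) === bareVersion(version)) continue;
      if (name.startsWith(allowedPrefix)) continue; // requested by the filter
      findings.push({ parent: key, name, from: bareVersion(old), to: bareVersion(version) });
    }
  }
  return findings;
}
console.log(outOfScopeUpdates(LOCK_BEFORE, LOCK_AFTER, "@ourpackageprefix/"));
```

A non-empty result means the lockfile moved a package the filter was not supposed to touch, which is the condition worth failing the pipeline on.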
