CodeRabbit: No actionable comments were generated in the recent review.
PR Summary by Qodo

Contain pnpm patch-remove deletions to the configured patches directory

Description
• Reject patch removals that escape the configured patches directory (including via symlinks).
• Validate the full removal batch before unlinking any patch file.
• Add targeted tests for traversal, symlink cases, and missing-file no-ops.

Diagram
graph TD
    A["pnpm patch-remove"] --> B["Get removal context"] --> C["Compute targets + validate"] --> D["Unlink patch files"] --> E["Prune empty patch dirs"] --> F["Update patchedDependencies"] --> G["install.handler (reinstall)"]

High-Level Assessment
The following are alternative approaches to this PR:
1. Resolve realpath of the patch file and enforce containment on that
2. Restrict allowed patchFile values to normalized relative paths at write-time

Recommendation: Keep the PR's approach: it validates both the configured patchesDir (including realpath when present) and each removal target via path-based containment plus realpath checks on parent directories, while using lstat+unlink to ensure final symlinks are removed without following targets. This balances security (blocking traversal/symlink escapes) with correct behavior for dangling links and missing files.

File Changes
Bug fix (2)
Tests (2)
Documentation (1)
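The containment scheme the assessment above describes (lexical containment of the resolved target, realpath of the parent chain to catch symlinked subdirectories, batch validation before any unlink, and lstat+unlink so a final symlink is removed without following it) can be shown in a small stand-alone module. The following is an added example written for this page; it is not pnpm's own implementation, and the function names (`isInsideDir`, `planPatchRemoval`, `removePatchFiles`, `demo`) and the constructed temp-directory layout are assumptions made here.

```typescript
// Added example (not pnpm's code): contain patch-file removals to a patches directory.
import * as fs from 'node:fs'
import * as os from 'node:os'
import * as path from 'node:path'

export type RemovalOutcome = 'removed' | 'missing'

/** Lexical check: true only when `target` lies strictly below `dir` after normalisation. */
export function isInsideDir(dir: string, target: string): boolean {
  const rel = path.relative(path.resolve(dir), path.resolve(target))
  if (rel === '' || path.isAbsolute(rel)) return false
  return rel.split(path.sep)[0] !== '..'
}

/** realpath of the nearest existing ancestor of `p`, with the non-existing tail re-appended. */
export function realpathOfExistingPrefix(p: string): string {
  let current = path.resolve(p)
  const tail: string[] = []
  while (!fs.existsSync(current)) {
    tail.unshift(path.basename(current))
    const parent = path.dirname(current)
    if (parent === current) break
    current = parent
  }
  return path.join(fs.realpathSync(current), ...tail)
}

/** Validate one removal and return the absolute path that may be unlinked. Throws on escape. */
export function planPatchRemoval(patchesDir: string, patchFile: string): string {
  const absDir = path.resolve(patchesDir)
  const target = path.resolve(absDir, patchFile) // absolute patchFile values replace absDir here
  if (!isInsideDir(absDir, target)) {
    throw new Error(`refusing to remove ${patchFile}: outside the patches directory`)
  }
  // Resolve the parent chain (not the file itself) through symlinks, so a symlinked
  // subdirectory pointing outside patchesDir is caught, while a dangling or outward
  // final symlink is still removable as a link.
  const realDir = fs.existsSync(absDir) ? fs.realpathSync(absDir) : absDir
  const candidate = path.join(realpathOfExistingPrefix(path.dirname(target)), path.basename(target))
  if (!isInsideDir(realDir, candidate)) {
    throw new Error(`refusing to remove ${patchFile}: parent directory resolves outside the patches directory`)
  }
  return candidate
}

/** lstat + unlink: removes a symlink itself, never what it points to; a missing file is a no-op. */
function unlinkPlanned(target: string): RemovalOutcome {
  let st: fs.Stats
  try {
    st = fs.lstatSync(target)
  } catch (err) {
    if ((err as { code?: string }).code === 'ENOENT') return 'missing'
    throw err
  }
  if (st.isDirectory()) throw new Error(`refusing to remove directory ${target}`)
  fs.unlinkSync(target)
  return 'removed'
}

/** Validate the whole batch first; nothing is unlinked if any entry escapes. */
export function removePatchFiles(patchesDir: string, patchFiles: string[]): Map<string, RemovalOutcome> {
  const planned = patchFiles.map((f) => [f, planPatchRemoval(patchesDir, f)] as const)
  const outcomes = new Map<string, RemovalOutcome>()
  for (const [file, target] of planned) outcomes.set(file, unlinkPlanned(target))
  return outcomes
}

/** Constructed sample layout in a temp dir: one real patch file plus one that does not exist. */
export function demo(): Map<string, RemovalOutcome> {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'patch-remove-demo-'))
  const patchesDir = path.join(root, 'patches')
  fs.mkdirSync(patchesDir)
  fs.writeFileSync(path.join(patchesDir, 'example@1.0.0.patch'), 'constructed patch body\n')
  return removePatchFiles(patchesDir, ['example@1.0.0.patch', 'absent@2.0.0.patch'])
}
```

`demo()` returns `removed` for the constructed file and `missing` for the absent one; a traversal entry such as `../package.json` makes `removePatchFiles` throw before any unlink happens, which is the batch-validation property the PR description lists.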
…12504) Backports three merged security fixes from main to release/10:
- Contain hoisted dependency aliases so a crafted lockfile alias cannot escape node_modules or overwrite pnpm-owned layout. The hoisted graph builder now validates each alias at the safeJoinModulesDir sink. (GHSA-fr4h-3cph-29xv, #12343)
- Contain pnpm patch-remove deletions to the configured patches directory. (#12341)
- Reject path-traversal config dependency names and versions from pnpm-workspace.yaml before they are used to build filesystem paths. (GHSA-qrv3-253h-g69c, #12470)
Written by an agent (Claude Code, claude-opus-4-8).
Summary
Contains pnpm patch-remove deletions to the configured patches directory. Packages: @pnpm/patching.commands and pnpm.

Validation
PNPR_PREPARE_BIN=/Users/zoltan/.cargo_shared_target/debug/pnpr-prepare PNPR_BIN=/Users/zoltan/.cargo_shared_target/debug/pnpr pnpm --filter @pnpm/patching.commands test test/isSubdirectory.test.ts test/patchRemove.test.ts
PNPR_PREPARE_BIN=/Users/zoltan/.cargo_shared_target/debug/pnpr-prepare PNPR_BIN=/Users/zoltan/.cargo_shared_target/debug/pnpr pnpm --filter @pnpm/patching.commands test test/patch.test.ts -t patch-remove
pnpm --filter @pnpm/patching.commands run compile
git diff --check
vuln-030 to pnpm/pnpm; Rust checks were skipped because there are no pacquet/ or pnpr/ changes.

Pacquet
No Rust-side parity change is included because patch-remove is not in pacquet's current command surface.
Written by an agent (Codex, GPT-5).
Summary by CodeRabbit
Bug Fixes
• pnpm patch-remove now validates that patch file paths remain within the configured patches directory, preventing accidental deletion of files outside the patches scope.
Tests