`os.tmpdir()` on GitHub's Windows runners returns the 8.3 short-name form
of the user-profile directory (e.g. `C:\Users\RUNNER~1\AppData\Local\Temp`)
because `runneradmin` is longer than 8 characters. The `~` then trips the
`quoteShellArg` allowlist regex and every test that calls `sendLineScript`
or `generateSendStdinScript` throws "Unsupported character in shell argument".
The tilde is safe to allow:
- cmd.exe performs no tilde expansion at all.
- POSIX shells only expand `~` when it is unquoted at the start of a word;
inside the double-quoted `"${arg}"` wrapper produced here it is literal.
The matching CodeQL shell-injection sanitization argument is unchanged —
the allowlist is still anchored and still rejects every metacharacter.
The bug was masked until #11659 because the Windows test legs had been
silently no-op'ing since #11608.
---
Written by an agent (Claude Code, claude-opus-4-7).
Resolves the 15 open alerts on https://github.com/pnpm/pnpm/security/code-scanning by addressing all four categories that CodeQL flagged.
### Prototype-polluting assignment (3 alerts, product code)
- `pkg-manifest/utils/src/convertEnginesRuntimeToDependencies.ts`: the inner write now dispatches over a literal `switch` on `runtimeName`, so the assignment is always keyed by `'node' | 'deno' | 'bun'`.
- `pkg-manifest/utils/src/updateProjectManifestObject.ts`: added an `isProtoPollutionKey` barrier at the top of the loop so `packageSpec.alias` can never reach the dynamic property write with `__proto__` / `constructor` / `prototype`.
- `installing/deps-installer/src/uninstall/removeDeps.ts`: the package list is filtered through `isProtoPollutionKey` once up front, and the dependency record is captured into a local before the loop.
### Polynomial ReDoS (2 alerts)
- `deps/inspection/list/src/renderDependentsTree.ts`: `replace(/\n+$/, '')` swapped for a constant-time `charCodeAt` trim.
- `resolving/npm-resolver/src/fetch.ts`: removed the super-linear-backtracking `semverRegex` and replaced it with an O(n) `stripTrailingSemverSuffix` that splits on the rightmost `@` and `semver.valid`s, with a digit-block fallback so `foo1.0.0`-style names still produce the existing "Did you mean foo?" hint.
### Bad code sanitization (8 alerts, test infrastructure)
- `__utils__/test-ipc-server/src/TestIpcServer.ts`: the `JSON.stringify(...).slice(1, -1)` smell at the source of all 8 test-file alerts is gone. Both `sendLineScript` and `generateSendStdinScript` now build the JS source with plain `JSON.stringify` and delegate shell wrapping to a new `wrapNodeEval` helper that escapes `\\` and `"` for the outer double-quoted shell argument.
### Incomplete sanitization (2 alerts, test file)
- `releasing/commands/test/publish/oidcProvenance.test.ts`: `.replace('/', '%2f')` → `.replaceAll(...)` on both flagged lines.
Add eslint-plugin-simple-import-sort to enforce consistent import ordering:
- Node.js builtins first
- External packages second
- Relative imports last
- Named imports sorted alphabetically within each statement
* test: create new @pnpm/test-ipc-server private util package
* test: use @pnpm/test-ipc-server for previously refactored tests
* test: use @pnpm/test-ipc-server for tests using json-append
* test: change how --no-bail is passed to avoid passing it to scripts
This test began failing after the conversion to use
`@pnpm/test-echo-server` since the `--no-bail` script was being passed
to scripts.
Changing how --no-bail is configured to fix this test.
* test: use @pnpm/test-ipc-server in exec/lifecycle fixture tests
* test: use @pnpm/test-ipc-server in pkg-manager/headless fixture tests
* test: use @pnpm/test-ipc-server in exec/prepare-package fixture tests
* test: switch pnpm test from json-append to @pnpm.e2e/hello-world-js-bin
* test: fix and re-enable 'rebuild multiple packages in correct order'
The pnpm-workspace.yaml file didn't contain all packages, causing:
```
2023-12-22T02:24:46.2277155Z FAIL test/recursive.ts
2023-12-22T02:24:46.2277881Z ● rebuild multiple packages in correct order
2023-12-22T02:24:46.2278348Z
2023-12-22T02:24:46.2278734Z expect(received).toStrictEqual(expected) // deep equality
2023-12-22T02:24:46.2279302Z
2023-12-22T02:24:46.2279517Z - Expected - 1
2023-12-22T02:24:46.2279932Z + Received + 0
2023-12-22T02:24:46.2280186Z
2023-12-22T02:24:46.2280791Z Array [
2023-12-22T02:24:46.2281256Z "project-1",
2023-12-22T02:24:46.2281733Z - "project-2",
2023-12-22T02:24:46.2282135Z ]
2023-12-22T02:24:46.2282334Z
2023-12-22T02:24:46.2282475Z 216 | }, [])
2023-12-22T02:24:46.2282870Z 217 |
2023-12-22T02:24:46.2283788Z > 218 | expect(server1.getMessages()).toStrictEqual(['project-1', 'project-2'])
2023-12-22T02:24:46.2284725Z | ^
2023-12-22T02:24:46.2285802Z 219 | expect(server2.getMessages()).toStrictEqual(['project-1', 'project-3'])
2023-12-22T02:24:46.2286683Z 220 | })
2023-12-22T02:24:46.2287049Z 221 |
2023-12-22T02:24:46.2287269Z
2023-12-22T02:24:46.2287588Z at Object.<anonymous> (test/recursive.ts:218:33)
```
