Commit Graph

1399 Commits

Author SHA1 Message Date
Zoltan Kochan
c452019ac0 fix(security): port the latest security fixes to v10 (#12300)
* fix(package-bins): reject reserved manifest bin names

Manifest bin keys "", ".", "..", and scoped forms such as "@scope/.."
passed the bin-name guard because encodeURIComponent leaves them
unchanged. When joined to the global bin directory during global
remove/update/add operations, "." resolves to the bin directory itself
and ".." to its parent, which removeBin then recursively deletes.

Reject empty, ".", and ".." bin names after scope stripping.

Backport of pnpm/pnpm#12289 to v10.

* fix: block untrusted request destination env expansion

Makes environment expansion trust-aware for registry/auth config and
request destinations:

- Stops project and workspace .npmrc files from expanding ${...}
  placeholders in registry/proxy request destinations, URL-scoped keys,
  and registry credential values.
- Stops repository-controlled pnpm-workspace.yaml from expanding
  ${...} placeholders in the registry setting.
- Preserves env expansion for trusted user/global/CLI/env config so
  existing token and registry setup flows continue to work.

Backport of pnpm/pnpm#12291 (CAND-PNPM-122 / GHSA-3qhv-2rgh-x77r) to v10.

* fix(security): verify npm registry signature before spawning a package-manager binary

The packageManager field (and pnpm self-update) makes pnpm download and
run a specific pnpm version. The staged install's bytes were trusted
based on lockfile integrity alone, which proves nothing when the inputs
are repository-controlled.

pnpm now verifies the npm registry signature of the engine it is about
to spawn, over the installed integrity, against npm's public signing
keys embedded in the pnpm CLI (exactly as corepack does):

- verifyPnpmEngineIdentity() checks pnpm/@pnpm/exe and the materialized
  platform binaries of the staged install before it is linked into the
  tools directory.
- Fails closed: any verification failure, including an unreachable
  registry, refuses the version switch rather than running an unverified
  binary. Runs only on a tools-directory cache miss (an actual
  download).
- The embedded keys live in a generated file kept in sync with npm's
  keys endpoint by scripts/update-npm-signing-keys.mjs; the release
  workflow runs the check as a gate so a key rotation cannot silently
  break verification.

Backport of pnpm/pnpm#12292 (CAND-PNPM-097) to v10.

* fix: harden package-manager bootstrap metadata

Resolve package-manager bootstrap traffic through trusted user/CLI
registries and trusted network config, defaulting to the public npm
registry instead of project/workspace registry settings:

- getConfig() now computes packageManagerRegistries and
  packageManagerNetworkConfig from trusted config sources only (CLI
  options, env config, user and global .npmrc) — never the repository's
  project/workspace .npmrc or pnpm-workspace.yaml.
- switchCliVersion() applies that bootstrap config when installing and
  verifying the wanted pnpm version, so repository .npmrc
  proxy/TLS/registry values cannot steer package-manager bootstrap
  traffic.

Backport of pnpm/pnpm#12296 to v10. The v11 env-lockfile validation
parts do not apply: v10 bootstraps the wanted version through a staged
child install instead of an env lockfile.

* fix(security): verify Node.js runtime SHASUMS OpenPGP signature

When a repository requests a Node.js runtime (useNodeVersion or an
execution env), pnpm downloads and then executes a Node binary. The
download mirror is repository-configurable via node-mirror:<channel> in
project .npmrc, and the integrity came from SHASUMS256.txt fetched from
that same mirror — a circular check a malicious mirror can satisfy with
a tampered binary and matching hashes.

pnpm now fetches SHASUMS256.txt.sig and verifies its detached OpenPGP
signature against the Node.js release team's public keys, embedded in
the pnpm CLI, before trusting the hashes:

- @pnpm/crypto.shasums-file: new fetchVerifiedNodeShasums /
  fetchVerifiedNodeShasumsFile verify the signature via openpgp against
  the embedded keys (generated src/nodeReleaseKeys.ts, mirrored from
  the canonical nodejs/release-keys list).
- @pnpm/node.fetcher verifies the configurable-mirror SHASUMS for the
  release channel; pre-release channels (rc, nightly, ...) are unsigned
  by Node and remain unverified.
- scripts/update-node-release-keys.mjs keeps the keys current
  (pnpm run check:node-release-keys / update:node-release-keys), and
  the release workflow runs the check as a gate.

Backport of pnpm/pnpm#12295 to v10 (without the pacquet Rust port,
which does not exist on this branch).

* test(env): sign the SHASUMS fixture for Node.js download tests

The Node.js download tests exercise the release channel, whose
SHASUMS256.txt is now signature-verified. Sign the fixture with a
generated OpenPGP key and trust it through the new
trustedNodeReleaseKeys test seam (threaded from plugin-commands-env via
@pnpm/node.fetcher to fetchVerifiedNodeShasums), so the tests keep
exercising the verification path instead of bypassing it.

* fix(self-updater): redact registry credentials from engine identity errors

Registry URLs may legally embed basic-auth credentials
(https://user:pass@host/). verifyPnpmEngineIdentity() interpolated the
packument URL and registry URL into PnpmError messages, and the
unreachable-registry path surfaced fetch-layer error messages that embed
the request URL — all of which land in terminal output and CI logs.
Strip URL credentials from every error message and truncate the non-200
response body.

* fix: update vulnerable transitive dependencies

Override shell-quote to >=1.8.4 (GHSA-w7jw-789q-3m8p, critical, pulled
in via concurrently) so the audit workflow passes again. The advisory
was published after the last release/10 audit run; it is unrelated to
the security backports on this branch.
2026-06-10 08:01:14 +02:00
Zoltan Kochan
198fb7c7b6 chore: update branch references after v10 → release/10 rename 2026-05-05 00:18:03 +02:00
Zoltan Kochan
b4ee05e680 chore: publish library packages with latest-10 dist-tag
Now that v11 is stable, library packages from the v10 branch should
publish to the latest-10 tag instead of overwriting latest.
2026-05-04 23:50:54 +02:00
Zoltan Kochan
a288b79ece chore: update pnpm to v10.33.1 2026-04-22 14:41:51 +02:00
Zoltan Kochan
e0de3859cc chore: update pnpm to v10.33.0 2026-04-21 20:24:10 +02:00
Zoltan Kochan
874730fd51 revert: "chore: update pnpm to v11 rc 0"
This reverts commit ee20cffdfc.
2026-04-14 10:31:41 +02:00
Zoltan Kochan
ee20cffdfc chore: update pnpm to v11 rc 0 2026-04-14 10:20:26 +02:00
Zoltan Kochan
be07631710 chore(release): 10.33.0 2026-03-24 17:15:56 +01:00
Zoltan Kochan
cda9b1dc82 fix: update dependencies 2026-03-11 01:52:41 +01:00
Zoltan Kochan
ade261575d chore: update packageManager version to pnpm@10.30.1 2026-02-20 02:22:19 +01:00
Zoltan Kochan
bde2bbf5f6 chore: update pnpm 2026-02-17 16:36:55 +01:00
Zoltan Kochan
9cf78367a1 chore: update pnpm 2026-02-13 16:01:25 +01:00
Zoltan Kochan
c02513b58b chore: update pnpm 2026-02-11 02:17:28 +01:00
Zoltan Kochan
f3cdd01238 chore: update pnpm 2026-02-07 16:49:51 +01:00
Zoltan Kochan
4e15d8c56c chore: update pnpm 2026-01-19 12:39:21 +01:00
Zoltan Kochan
3e70e2e703 docs: add AI agent guides (#10469) 2026-01-16 20:09:05 +01:00
Zoltan Kochan
31a95b0559 chore: update pnpm 2026-01-04 16:46:04 +01:00
Zoltan Kochan
b83d074181 chore: switch to using allowBuilds 2025-12-15 15:11:26 +01:00
Zoltan Kochan
ea5cb619ba ci: run all tests on the v10 branch 2025-10-28 22:00:52 +01:00
Zoltan Kochan
eb4cb0f9e2 chore: update pnpm and minimum release age policy 2025-10-27 11:18:46 +01:00
Zoltan Kochan
fc911657c4 chore: set minimumReleaseAge to 7 days 2025-09-14 01:10:06 +02:00
btea
dc5ce6b0fd chore: remove unused catalog pkg (#9909)
---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-08-27 11:54:54 +02:00
btea
a1a7755798 chore: remove --quiet from pnpm lint in test-main and test-branch scripts (#9873) 2025-08-19 14:50:52 +02:00
Zoltan Kochan
ba5f447c83 chore: update registry-mock to v5 2025-08-15 18:20:55 +02:00
Zoltan Kochan
0748be2424 chore: move all dependencies to catalogs 2025-08-15 13:52:24 +02:00
Zoltan Kochan
af2b391278 fix: vulnerabilities 2025-08-06 22:49:21 +02:00
Zoltan Kochan
acf1eabe1a chore: update pnpm to v10.14 2025-07-31 15:49:48 +02:00
liweijie0812
13526e0fef ci(test-branch): git fetch only fetch origin main branch (#9621) 2025-06-10 14:20:30 +02:00
Zoltan Kochan
55a5ca7918 chore: update pnpm and enable global virtual store 2025-06-08 16:24:52 +02:00
Zoltan Kochan
aeb7bc0c3c chore: revert pnpm update 2025-06-08 16:11:54 +02:00
Zoltan Kochan
fe2811e559 chore(release): 10.12.1 2025-06-08 16:03:50 +02:00
Zoltan Kochan
5df0a3ba23 chore: update pnpm to v10.11 2025-05-13 16:45:58 +02:00
Zoltan Kochan
be6a9cc5d9 chore: update pnpm 2025-04-25 16:32:17 +02:00
Zoltan Kochan
1e7349d330 chore: update pnpm to v10.6.5 2025-03-23 13:02:31 +01:00
Zoltan Kochan
4e857ff1b3 revert: "chore: update pnpm to v10.6.4"
This reverts commit 929f8a6139.
2025-03-18 01:40:28 +01:00
Zoltan Kochan
929f8a6139 chore: update pnpm to v10.6.4 2025-03-17 16:08:41 +01:00
Zoltan Kochan
0c5e0ae4a1 chore: update dependencies 2025-03-13 03:07:45 +01:00
Zoltan Kochan
221fe80b94 chore: update pnpm to v10.6.2 2025-03-10 03:52:11 +01:00
Zoltan Kochan
62407a99e3 chore: move settings to pnpm-workspace.yaml 2025-03-06 13:18:07 +01:00
btea
c74bf7d040 chore: add eslint to catalog (#9219) 2025-03-06 10:52:53 +01:00
btea
adb236f1a1 refactor: improve regexp (#9203) 2025-03-02 13:17:09 +01:00
Zoltan Kochan
5e78da2d57 style: order the keys in package.json files 2025-03-01 21:45:13 +01:00
Zoltan Kochan
f394713610 chore: use resolution-mode=lowest-direct 2025-03-01 14:34:00 +01:00
Zoltan Kochan
716c4b727d fix: update rename-overwrite to v6.0.2 2025-02-27 17:51:13 +01:00
Zoltan Kochan
d3591aae02 chore: move overrides to pnpm-workspace.yaml 2025-02-26 14:26:09 +01:00
Zoltan Kochan
2d47f2ecff chore: update pnpm to v10.5.1 2025-02-26 13:15:03 +01:00
Ben McCann
e88216c92f chore: upgrade cspell (#9164)
* chore: upgrade cspell

* chore: fix eslint warning to get past pre-push check

* fix: use lex-comparator for sorting

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-02-25 20:22:05 +01:00
Zoltan Kochan
ffddb165ec chore: move pnpm settings to pnpm-workspace.yaml 2025-02-25 13:40:12 +01:00
Zoltan Kochan
b5bb1275e7 chore: update pnpm to v10.5 2025-02-25 13:35:16 +01:00
Zoltan Kochan
0332bfcd81 chore: update pnpm to v10.4.1 2025-02-17 01:23:16 +01:00