`os.tmpdir()` on GitHub's Windows runners returns the 8.3 short-name form
of the user-profile directory (e.g. `C:\Users\RUNNER~1\AppData\Local\Temp`)
because `runneradmin` is longer than 8 characters. The `~` then trips the
`quoteShellArg` allowlist regex and every test that calls `sendLineScript`
or `generateSendStdinScript` throws "Unsupported character in shell argument".
The tilde is safe to allow:
- cmd.exe performs no tilde expansion at all.
- POSIX shells only expand `~` when it is unquoted at the start of a word;
inside the double-quoted `"${arg}"` wrapper produced here it is literal.
The matching CodeQL shell-injection sanitization argument is unchanged —
the allowlist is still anchored and still rejects every metacharacter.
The bug was masked until #11659 because the Windows test legs had been
silently no-op'ing since #11608.
---
Written by an agent (Claude Code, claude-opus-4-7).
Resolves the 15 open alerts on https://github.com/pnpm/pnpm/security/code-scanning by addressing all four categories that CodeQL flagged.
### Prototype-polluting assignment (3 alerts, product code)
- `pkg-manifest/utils/src/convertEnginesRuntimeToDependencies.ts`: the inner write now dispatches over a literal `switch` on `runtimeName`, so the assignment is always keyed by `'node' | 'deno' | 'bun'`.
- `pkg-manifest/utils/src/updateProjectManifestObject.ts`: added an `isProtoPollutionKey` barrier at the top of the loop so `packageSpec.alias` can never reach the dynamic property write with `__proto__` / `constructor` / `prototype`.
- `installing/deps-installer/src/uninstall/removeDeps.ts`: the package list is filtered through `isProtoPollutionKey` once up front, and the dependency record is captured into a local before the loop.
### Polynomial ReDoS (2 alerts)
- `deps/inspection/list/src/renderDependentsTree.ts`: `replace(/\n+$/, '')` swapped for a constant-time `charCodeAt` trim.
- `resolving/npm-resolver/src/fetch.ts`: removed the super-linear-backtracking `semverRegex` and replaced it with an O(n) `stripTrailingSemverSuffix` that splits on the rightmost `@` and `semver.valid`s, with a digit-block fallback so `foo1.0.0`-style names still produce the existing "Did you mean foo?" hint.
### Bad code sanitization (8 alerts, test infrastructure)
- `__utils__/test-ipc-server/src/TestIpcServer.ts`: the `JSON.stringify(...).slice(1, -1)` smell at the source of all 8 test-file alerts is gone. Both `sendLineScript` and `generateSendStdinScript` now build the JS source with plain `JSON.stringify` and delegate shell wrapping to a new `wrapNodeEval` helper that escapes `\\` and `"` for the outer double-quoted shell argument.
### Incomplete sanitization (2 alerts, test file)
- `releasing/commands/test/publish/oidcProvenance.test.ts`: `.replace('/', '%2f')` → `.replaceAll(...)` on both flagged lines.
* chore: upgrade @typescript/native-preview to 7.0.0-dev.20260421.2
- Add explicit `types: ["node"]` to the shared tsconfig because tsgo
20260421 no longer auto-acquires `@types/*` from `node_modules`.
- Refactor test files to explicitly import jest globals (`describe`,
`it`, `test`, `expect`, `beforeEach`, etc.) from `@jest/globals`
instead of relying on `@types/jest` ambient declarations. Under the
new tsgo build, `import { jest } from '@jest/globals'` shadows the
ambient `jest` namespace, breaking `@types/jest`'s `declare var
describe: jest.Describe;` globals.
- Add `@jest/globals` to each package's devDependencies where tests
now import from it, and add `@types/node` to packages that need it
but were relying on hoisted resolution.
- Replace `fail()` calls with `throw new Error(...)` since `fail` is
no longer globally available.
* chore: fix remaining tsgo type-strictness errors
- Strip `as <PnpmType>` casts on objects passed to toMatchObject /
toStrictEqual / toEqual; @jest/globals rejects the typed objects
(which include AsymmetricMatchers) vs. the repo-specific type.
- Type `jest.fn<...>()` explicitly where the mock's signature matters
for toHaveBeenCalledWith.
- Replace `beforeEach(() => X)` with `beforeEach(() => { X })` so the
return value is void, as the stricter jest typing requires.
- Use `expect.objectContaining({...})` in one place where the full
expected object triggered stricter type resolution.
- Cast `prompt.mock.calls` arg through `as unknown as Record<...>[]`
for patch.test.ts's nested-array matchers.
- Fix off-by-one `<reference path>` in pnpm/test/getConfig.test.ts
that only surfaced now.
- Move `@jest/globals` from devDependencies to dependencies in the
two `__utils__` packages that import it from `src/`.
- Clean up unused imports from the @jest/globals migration.
* chore: address Copilot review on #11332
- Move misplaced `@jest/globals` imports to the top import block in
checkEngine, run.ts, and workspace/root-finder tests where the
script dropped them below executable code.
- Replace `try { await x(); throw new Error('should have thrown') } catch`
in bins/linker, lockfile/fs, and resolving/local-resolver tests with
`await expect(x()).rejects.toMatchObject({...})`. The old pattern
swallowed an unrelated `throw` if the under-test call silently
succeeded, which would fail on the catch-block assertion with a
misleading message.
Packages whose tests spawn the local pnpm CLI (pnpm/bin/pnpm.mjs) need
the bundle (pnpm/dist/pnpm.mjs) to exist. Add `pnpm --filter pnpm run
compile` to their test scripts so the bundle is built before tests run.
Add n/prefer-node-protocol rule and autofix all bare builtin imports
to use the node: prefix. Simplify the simple-import-sort builtins
pattern to just ^node: since all imports now use the prefix.
Add eslint-plugin-simple-import-sort to enforce consistent import ordering:
- Node.js builtins first
- External packages second
- Relative imports last
- Named imports sorted alphabetically within each statement
Update all packages from zkochan/packages to their latest major versions
and exclude them from minimumReleaseAge requirement. This includes
updating catalog entries, adapting to breaking API changes (default
exports replaced with named exports, sync functions renamed with Sync
suffix), and updating type declarations.
* refactor: store link values before converting to references
* fix: use .sort() without localeCompare
https://github.com/pnpm/pnpm/pull/8128#discussion_r1614031566
> Nit, but you probably just want to call sort without a comparison
> function; these are already strings and locale compare is not a good
> comparison for anything but human readable strings since it will
> differ on different people's machines based on their language setting.
> I've hit this too many times before for code gen.
* feat: configure meta-updater to write test/tsconfig.json files
* fix: relative imports for __typings__
* chore: `pnpm run meta-updater`
* fix: explicitly use test/tsconfig.json for ts-jest
* test: create new @pnpm/test-ipc-server private util package
* test: use @pnpm/test-ipc-server for previously refactored tests
* test: use @pnpm/test-ipc-server for tests using json-append
* test: change how --no-bail is passed to avoid passing it to scripts
This test began failing after the conversion to use
`@pnpm/test-echo-server` since the `--no-bail` script was being passed
to scripts.
Changing how --no-bail is configured to fix this test.
* test: use @pnpm/test-ipc-server in exec/lifecycle fixture tests
* test: use @pnpm/test-ipc-server in pkg-manager/headless fixture tests
* test: use @pnpm/test-ipc-server in exec/prepare-package fixture tests
* test: switch pnpm test from json-append to @pnpm.e2e/hello-world-js-bin
* test: fix and re-enable 'rebuild multiple packages in correct order'
The pnpm-workspace.yaml file didn't contain all packages, causing:
```
2023-12-22T02:24:46.2277155Z FAIL test/recursive.ts
2023-12-22T02:24:46.2277881Z ● rebuild multiple packages in correct order
2023-12-22T02:24:46.2278348Z
2023-12-22T02:24:46.2278734Z expect(received).toStrictEqual(expected) // deep equality
2023-12-22T02:24:46.2279302Z
2023-12-22T02:24:46.2279517Z - Expected - 1
2023-12-22T02:24:46.2279932Z + Received + 0
2023-12-22T02:24:46.2280186Z
2023-12-22T02:24:46.2280791Z Array [
2023-12-22T02:24:46.2281256Z "project-1",
2023-12-22T02:24:46.2281733Z - "project-2",
2023-12-22T02:24:46.2282135Z ]
2023-12-22T02:24:46.2282334Z
2023-12-22T02:24:46.2282475Z 216 | }, [])
2023-12-22T02:24:46.2282870Z 217 |
2023-12-22T02:24:46.2283788Z > 218 | expect(server1.getMessages()).toStrictEqual(['project-1', 'project-2'])
2023-12-22T02:24:46.2284725Z | ^
2023-12-22T02:24:46.2285802Z 219 | expect(server2.getMessages()).toStrictEqual(['project-1', 'project-3'])
2023-12-22T02:24:46.2286683Z 220 | })
2023-12-22T02:24:46.2287049Z 221 |
2023-12-22T02:24:46.2287269Z
2023-12-22T02:24:46.2287588Z at Object.<anonymous> (test/recursive.ts:218:33)
```
