mirror of
https://github.com/pnpm/pnpm.git
synced 2026-03-26 19:12:12 -04:00
cd2dc7d481
* fix: ensure PNPM_HOME/bin is in PATH during pnpm setup When upgrading from old pnpm (global bin = PNPM_HOME) to new pnpm (global bin = PNPM_HOME/bin), `pnpm setup` would fail because the spawned `pnpm add -g` checks that the global bin dir is in PATH. Prepend PNPM_HOME/bin to PATH in the spawned process env so the check passes during the transition. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: update pnpm to v11 beta 2 * chore: update pnpm to v11 beta 2 * chore: update pnpm to v11 beta 2 * chore: update pnpm to v11 beta 2 * fix: lint * refactor: rename _-prefixed scripts to .-prefixed scripts Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: update root package.json to use .test instead of _test Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: update action-setup --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@pnpm/fetching.binary-fetcher
A fetcher for binary archives
Installation
pnpm add @pnpm/fetching.binary-fetcher
Testing
Test Fixtures
The test/fixtures/ directory contains malicious ZIP files for testing path traversal protection:
| File | Entry Path | Purpose |
|---|---|---|
path-traversal.zip |
../../../.npmrc |
Tests ../ escape sequences |
absolute-path.zip |
/etc/passwd |
Tests absolute path entries |
backslash-traversal.zip |
..\..\..\evil.txt |
Tests Windows backslash traversal (Windows-only) |
These fixtures are manually crafted because AdmZip's addFile() sanitizes paths automatically.
Note: The backslash test only runs on Windows because
\is a valid filename character on Unix.
Regenerating Fixtures
node --experimental-strip-types scripts/create-fixtures.ts
License
MIT