Zoltan Kochan 2067a86e02 fix: reject path-traversal segments in dependency aliases ...

Backport of #11954 to release/10. A transitive registry package can use
a dependency-alias key like `@x/../../../../../.git/hooks` to make
`pnpm install` create a symlink outside the intended `node_modules`
directory, since pnpm passes the alias straight into
`path.join(modulesDir, alias)` without checking that the joined path
stays inside `modulesDir`.

Reject aliases that aren't a valid npm package name at manifest-read
time (both the importer's manifest and every transitive package
manifest) and re-check at the symlink layer as defense in depth, via a
single `safeJoinModulesDir` that throws on escape.

---
Written by an agent (Claude Code, claude-opus-4-7).

2026-05-27 13:24:39 +02:00

..

client

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

core

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

direct-dep-linker

chore(release): 10.28.1

2026-01-19 12:12:58 +01:00

get-context

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

headless

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

hoist

chore(release): 10.33.0

2026-03-24 17:15:56 +01:00

link-bins

chore(release): 10.33.0

2026-03-24 17:15:56 +01:00

modules-cleaner

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

modules-yaml

chore(release): libs

2026-02-17 16:44:04 +01:00

package-bins

chore(release): 10.28.2

2026-01-26 15:17:27 +01:00

package-requester

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

plugin-commands-installation

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

read-projects-context

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

real-hoist

chore(release): 10.33.4

2026-05-06 15:00:18 +02:00

remove-bins

chore(release): 10.33.0

2026-03-24 17:15:56 +01:00

resolve-dependencies

fix: reject path-traversal segments in dependency aliases

2026-05-27 13:24:39 +02:00