Mirror of https://github.com/pnpm/pnpm.git, synced 2026-05-31 03:58:11 -04:00
A tampered `pnpm-lock.yaml` that strips the `integrity` field from a tarball resolution let the worker download the URL contents and mint a fresh integrity from the unverified bytes. An attacker who could both alter the lockfile (e.g. via a pull request that drops `integrity:`) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under `--frozen-lockfile`. `pkgSnapshotToResolution` now fails closed at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY` whenever a tarball-shaped resolution (no `type` field — covers plain remote, registry-derived, `file:`, and `gitHosted` entries) lacks integrity. Git-hosted tarballs and `file:` tarballs remain exempt: the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes. The fix sits at the lockfile-read chokepoint every install path flows through (deps-resolver, deps-restorer, graph-builder), so both isolated and hoisted node-linkers are covered. Credit to AutoFyn for finding and reporting the issue.
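The check described above, sketched as an added TypeScript example (this is not pnpm's code; pnpm's lockfile types, its `pkgSnapshotToResolution` signature and its git-host detection differ in detail). The resolution shapes, the `checkSnapshotResolution` / `checkAll` / `verifyIntegrity` / `mintIntegrity` names, the codeload-URL regex used to recognise a git-hosted tarball, and the sample lockfile entries and tarball bytes are all assumptions constructed for this example. It contrasts the vulnerable behaviour (minting an integrity from whatever was downloaded, which accepts any bytes) with failing closed at lockfile-read time and verifying downloads against the pinned integrity:

```typescript
import { createHash, timingSafeEqual } from 'node:crypto'

// Illustrative shapes only: pnpm's real lockfile types differ in detail.
// A tarball-shaped resolution is any resolution without a `type` field.
interface TarballResolution { tarball: string; integrity?: string }
interface TypedResolution { type: 'directory' | 'git'; [key: string]: string }
export type LockfileResolution = TarballResolution | TypedResolution

export class PnpmError extends Error {
  constructor (public readonly code: string, message: string) {
    super(message)
    this.name = 'PnpmError'
  }
}

// Assumption: a git-hosted tarball is recognised by a codeload URL ending in a full
// 40-hex commit SHA. The SHA already anchors the bytes, so no integrity is required.
const GIT_HOSTED_TARBALL = /^https:\/\/codeload\.github\.com\/[^/]+\/[^/]+\/tar\.gz\/[0-9a-f]{40}$/

function isExemptTarball (tarball: string): boolean {
  return tarball.startsWith('file:') || GIT_HOSTED_TARBALL.test(tarball)
}

// Fail closed at lockfile-read time: a remote tarball without `integrity` is an error,
// not something to fetch now and fingerprint later.
export function checkSnapshotResolution (depPath: string, resolution: LockfileResolution): LockfileResolution {
  if ('type' in resolution) return resolution // directory / git entries are not tarball-shaped
  if (resolution.integrity == null && !isExemptTarball(resolution.tarball)) {
    throw new PnpmError(
      'ERR_PNPM_MISSING_TARBALL_INTEGRITY',
      `Lockfile entry for ${depPath} resolves to ${resolution.tarball} without an integrity field`
    )
  }
  return resolution
}

// The vulnerable behaviour in one line: hashing whatever the server returned proves
// nothing about the bytes, because the attacker's tarball hashes just as well.
export function mintIntegrity (bytes: Buffer): string {
  return `sha512-${createHash('sha512').update(bytes).digest('base64')}`
}

// The correct behaviour: compare the download against the integrity pinned in the lockfile.
export function verifyIntegrity (bytes: Buffer, integrity: string): boolean {
  const dash = integrity.indexOf('-')
  if (dash < 0) return false
  const algorithm = integrity.slice(0, dash)
  if (!['sha512', 'sha256', 'sha1'].includes(algorithm)) return false
  const expected = Buffer.from(integrity.slice(dash + 1), 'base64')
  const actual = createHash(algorithm).update(bytes).digest()
  return expected.length === actual.length && timingSafeEqual(expected, actual)
}

// Constructed sample data: two "downloads" of the same URL and a handful of lockfile entries.
export const ORIGINAL_TARBALL = Buffer.from('constructed tarball bytes v1')
export const TAMPERED_TARBALL = Buffer.from('constructed tarball bytes v1 + backdoor')
export const PINNED_INTEGRITY = mintIntegrity(ORIGINAL_TARBALL) // what a trustworthy lockfile carries

export const SAMPLE_ENTRIES: Record<string, LockfileResolution> = {
  'some-lib@1.3.0': { tarball: 'https://registry.npmjs.org/some-lib/-/some-lib-1.3.0.tgz', integrity: PINNED_INTEGRITY },
  'evil-dep@1.0.0': { tarball: 'https://example.invalid/evil-dep-1.0.0.tgz' }, // `integrity:` stripped
  'my-fork@1.0.0': { tarball: 'https://codeload.github.com/someone/my-fork/tar.gz/' + 'a'.repeat(40) },
  'local-pkg@1.0.0': { tarball: 'file:vendor/local-pkg-1.0.0.tgz' },
  'workspace-lib@link:': { type: 'directory', directory: 'packages/lib' },
}

// Runs the check over every entry; null means it passed, otherwise the error code.
export function checkAll (entries: Record<string, LockfileResolution>): Record<string, string | null> {
  const out: Record<string, string | null> = {}
  for (const [depPath, resolution] of Object.entries(entries)) {
    try {
      checkSnapshotResolution(depPath, resolution)
      out[depPath] = null
    } catch (err) {
      out[depPath] = err instanceof PnpmError ? err.code : 'UNEXPECTED'
    }
  }
  return out
}
```

Note that `verifyIntegrity(TAMPERED_TARBALL, mintIntegrity(TAMPERED_TARBALL))` is always true: that is exactly why a lockfile entry whose integrity is missing has to be rejected before any download happens rather than "repaired" from the response.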