mirror of https://github.com/pnpm/pnpm.git synced 2026-03-27 03:21:55 -04:00

Files

Zoltan Kochan 1c8c4e49f5 style: add eslint-plugin-simple-import-sort (#10947 )

Add eslint-plugin-simple-import-sort to enforce consistent import ordering:
- Node.js builtins first
- External packages second
- Relative imports last
- Named imports sorted alphabetically within each statement

2026-03-13 02:02:38 +01:00

scripts

fix: prevent path traversal vulnerabilities during ZIP extraction

2026-01-16 20:36:40 +01:00

src

style: add eslint-plugin-simple-import-sort (#10947 )

2026-03-13 02:02:38 +01:00

test

style: add eslint-plugin-simple-import-sort (#10947 )

2026-03-13 02:02:38 +01:00

CHANGELOG.md

chore(release): 10.19.0

2025-10-21 15:30:20 +02:00

package.json

feat: use SQLite for storing package index in the content-addressable store (#10827 )

2026-03-06 12:59:04 +01:00

README.md

fix: prevent path traversal vulnerabilities during ZIP extraction

2026-01-16 20:36:40 +01:00

tsconfig.json

feat: use SQLite for storing package index in the content-addressable store (#10827 )

2026-03-06 12:59:04 +01:00

tsconfig.lint.json

feat: support installing Deno runtime (#9791 )

2025-07-30 11:27:07 +02:00

README.md

@pnpm/fetching.binary-fetcher

A fetcher for binary archives

Installation

pnpm add @pnpm/fetching.binary-fetcher

Testing

Test Fixtures

The test/fixtures/ directory contains malicious ZIP files for testing path traversal protection:

File	Entry Path	Purpose
`path-traversal.zip`	`../../../.npmrc`	Tests `../` escape sequences
`absolute-path.zip`	`/etc/passwd`	Tests absolute path entries
`backslash-traversal.zip`	`..\..\..\evil.txt`	Tests Windows backslash traversal (Windows-only)

These fixtures are manually crafted because AdmZip's addFile() sanitizes paths automatically.

Note: The backslash test only runs on Windows because \ is a valid filename character on Unix.

Regenerating Fixtures

node --experimental-strip-types scripts/create-fixtures.ts

License

MIT