mirror of https://github.com/pnpm/pnpm.git synced 2026-03-27 11:31:45 -04:00

Files

Zoltan Kochan 1701a65845 chore: reduce noisy warnings in test output (#11022 )

* chore: reduce noisy warnings in test output

- Suppress ExperimentalWarning and DEP0169 via --disable-warning in NODE_OPTIONS
- Fix MaxListenersExceededWarning by raising limit in StoreIndex when adding exit listeners
- Update meta-updater to generate the new _test scripts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: stop streaming pnpm subprocess output during CLI tests

Buffer stdout/stderr from execPnpm instead of writing to the parent
process in real time. Output is still included in the error message on
failure.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: pipe all subprocess output in CLI tests

Use stdio: 'pipe' for all pnpm/pnpx spawn helpers so subprocess output
is buffered instead of printed. Output is still included in error
messages on failure.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: remove duplicate @pnpm/installing.env-installer in pnpm/package.json

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: use pipe stdio in dlx and errorHandler tests

Replace stdio: 'inherit' and [null, 'pipe', 'inherit'] with 'pipe' to
prevent subprocess output from leaking into test output.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: skip maxListeners adjustment when set to unlimited (0)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-19 10:43:12 +01:00

scripts

fix: prevent path traversal vulnerabilities during ZIP extraction

2026-01-16 20:36:40 +01:00

src

refactor: rename internal packages to @pnpm/<domain>.<leaf> convention (#10997 )

2026-03-17 21:50:40 +01:00

test

style: enforce node: protocol for builtin imports (#10951 )

2026-03-13 07:59:51 +01:00

CHANGELOG.md

chore(release): 10.19.0

2025-10-21 15:30:20 +02:00

package.json

chore: reduce noisy warnings in test output (#11022 )

2026-03-19 10:43:12 +01:00

README.md

fix: prevent path traversal vulnerabilities during ZIP extraction

2026-01-16 20:36:40 +01:00

tsconfig.json

refactor: rename packages and consolidate runtime resolvers (#10999 )

2026-03-18 00:19:58 +01:00

tsconfig.lint.json

feat: support installing Deno runtime (#9791 )

2025-07-30 11:27:07 +02:00

README.md

@pnpm/fetching.binary-fetcher

A fetcher for binary archives

Installation

pnpm add @pnpm/fetching.binary-fetcher

Testing

Test Fixtures

The test/fixtures/ directory contains malicious ZIP files for testing path traversal protection:

File	Entry Path	Purpose
`path-traversal.zip`	`../../../.npmrc`	Tests `../` escape sequences
`absolute-path.zip`	`/etc/passwd`	Tests absolute path entries
`backslash-traversal.zip`	`..\..\..\evil.txt`	Tests Windows backslash traversal (Windows-only)

These fixtures are manually crafted because AdmZip's addFile() sanitizes paths automatically.

Note: The backslash test only runs on Windows because \ is a valid filename character on Unix.

Regenerating Fixtures

node --experimental-strip-types scripts/create-fixtures.ts

License

MIT