mirror of
https://github.com/pnpm/pnpm.git
synced 2026-04-26 09:57:49 -04:00
## Summary

- pnpm installing a Node.js runtime (`node@runtime:<ver>`, `pnpm env use`, `pnpm runtime set node`) no longer extracts the bundled `npm`, `npx`, and `corepack`. These make up ~2,800 of ~5,800 files in a typical Node.js archive, so skipping them materially reduces hashing, CAS writes, SQLite index inserts, and import/link work.
- Users who still need `npm` can install it as a separate package.

## How

A new optional `ignoreFilePattern` (regex source string, serializable across the worker boundary) threads through `FetchOptions` → `tarball-fetcher` → `@pnpm/worker` → `cafs.addFilesFromTarball`. `cafs.addFilesFromTarball` now accepts a per-call ignore on top of the existing cafs-level `ignoreFile`; the two are combined.

`@pnpm/fetching.binary-fetcher` defines the Node-specific regex and applies it when `opts.pkg.name === 'node'`:

- Tarball path: sets `ignoreFilePattern`.
- Windows zip path: new `ignoreEntry?: RegExp` on `AssetInfo`; `extractZipToTarget` strips the `basename/` prefix and skips matching entries before `zip.extractEntryTo`.

`@pnpm/engine.runtime.node-resolver`'s `getNodeBinsForCurrentOS` drops `npm`/`npx` so pnpm no longer creates shims for bins that no longer exist.

## Breaking change

Shipping in v11. After this lands, `pnpm runtime set node` / `node@runtime:<version>` no longer puts `npm`, `npx`, or `corepack` on `$PATH`. Scripts that call them directly will need to install npm separately.
# @pnpm/fetching.binary-fetcher

A fetcher for binary archives.

## Installation

```sh
pnpm add @pnpm/fetching.binary-fetcher
```

## Testing

### Test Fixtures
The `test/fixtures/` directory contains malicious ZIP files for testing path traversal protection:

| File | Entry Path | Purpose |
|---|---|---|
| `path-traversal.zip` | `../../../.npmrc` | Tests `../` escape sequences |
| `absolute-path.zip` | `/etc/passwd` | Tests absolute path entries |
| `backslash-traversal.zip` | `..\..\..\evil.txt` | Tests Windows backslash traversal (Windows-only) |

These fixtures are manually crafted because AdmZip's `addFile()` sanitizes paths automatically.

Note: The backslash test only runs on Windows because `\` is a valid filename character on Unix.
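The following is an added example in TypeScript, not the fetcher's own code, that makes the protection these fixtures exercise concrete and also shows the ignore mechanism sketched in the PR description above (strip the `basename/` prefix, then skip entries matching an ignore regex before extraction). It classifies each archive entry as reject (traversal or absolute path), skip (ignored), or extract, and re-checks containment of the resolved target as a last line of defense. The regex source string `NODE_BUNDLED_PM_IGNORE_SOURCE`, the function names `classifyZipEntry`, `resolveInside` and `combineIgnore`, and the choice to reject entries that are not under the expected `basename/` prefix are assumptions of this example, not pnpm's API. The sample entry names in the usage section are constructed.

```typescript
import * as path from "node:path";

// Assumed pattern (not pnpm's) for the package-manager files bundled in a
// Node.js archive, after the `basename/` prefix is stripped. Kept as a plain
// regex source string so it can cross a worker boundary and be rebuilt with
// `new RegExp()` on the other side. Covers both the tarball layout
// (bin/npm, lib/node_modules/npm/...) and the Windows zip layout
// (npm.cmd, node_modules/corepack/...).
export const NODE_BUNDLED_PM_IGNORE_SOURCE =
  String.raw`^((lib/)?node_modules/(npm|corepack)(/|$)|(bin/)?(npm|npx|corepack)(\.cmd|\.ps1)?$)`;

export type EntryDecision =
  | { kind: "extract"; relPath: string }
  | { kind: "skip" }
  | { kind: "reject"; reason: string };

// Drive-letter (C:) or UNC (\\server) prefixes are absolute on Windows.
const WINDOWS_ABSOLUTE = /^([A-Za-z]:|\\\\)/;

// Decide what to do with one zip entry. `basename` is the top-level
// directory the archive wraps its contents in (e.g. node-v22.0.0-win-x64).
export function classifyZipEntry(
  entryName: string,
  basename: string,
  ignoreEntry?: RegExp,
  platform: string = process.platform,
): EntryDecision {
  // On Windows a backslash is a separator, so normalise it before checking.
  // On Unix it is an ordinary filename character and must be left alone,
  // which is why the backslash fixture is only meaningful on Windows.
  const name = platform === "win32" ? entryName.replace(/\\/g, "/") : entryName;

  if (name.startsWith("/") || WINDOWS_ABSOLUTE.test(entryName)) {
    return { kind: "reject", reason: `absolute entry path: ${entryName}` };
  }
  const segments = name.split("/").filter((s) => s !== "" && s !== ".");
  if (segments.includes("..")) {
    return { kind: "reject", reason: `path traversal in entry: ${entryName}` };
  }
  // Everything in a Node.js archive lives under `<basename>/`; strip it.
  // Entries outside that prefix are rejected here (example policy).
  if (segments[0] !== basename) {
    return { kind: "reject", reason: `entry outside ${basename}/: ${entryName}` };
  }
  const relPath = segments.slice(1).join("/");
  if (relPath === "") return { kind: "skip" }; // the top-level directory entry
  if (ignoreEntry?.test(relPath)) return { kind: "skip" };
  return { kind: "extract", relPath };
}

// Last line of defense before writing: resolve the target with the OS path
// rules and confirm it is still inside the destination directory.
// Returns the resolved path, or null if the entry would escape.
export function resolveInside(
  destDir: string,
  relPath: string,
  platform: string = process.platform,
): string | null {
  const p = platform === "win32" ? path.win32 : path.posix;
  const root = p.resolve(destDir);
  const target = p.resolve(root, relPath);
  const rel = p.relative(root, target);
  if (rel === ".." || rel.startsWith(".." + p.sep) || p.isAbsolute(rel)) return null;
  return target;
}

// Combine a cafs-level ignore predicate with a per-call pattern that arrived
// as a regex source string, as a worker receiving `ignoreFilePattern` would.
export function combineIgnore(
  ignoreFile?: (relPath: string) => boolean,
  ignoreFilePattern?: string,
): (relPath: string) => boolean {
  const re = ignoreFilePattern ? new RegExp(ignoreFilePattern) : undefined;
  return (relPath) => Boolean(ignoreFile?.(relPath)) || Boolean(re?.test(relPath));
}

// Usage on constructed entry names (mirrors the three fixtures above).
const base = "node-v22.0.0-win-x64";
const ignore = new RegExp(NODE_BUNDLED_PM_IGNORE_SOURCE);
for (const entry of ["../../../.npmrc", "/etc/passwd", "..\\..\\..\\evil.txt", `${base}/npm.cmd`, `${base}/node.exe`]) {
  console.log(entry, "=>", JSON.stringify(classifyZipEntry(entry, base, ignore, "win32")));
}
```

The `..` check runs on segments, not on the raw string, so a legitimate file named `..foo` is not rejected, and `resolveInside` applies the same rule after OS resolution. On Unix the backslash fixture entry is a single odd filename, which is exactly why the README restricts that test to Windows.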
### Regenerating Fixtures

```sh
node --experimental-strip-types scripts/create-fixtures.ts
```

## License

MIT