pnpm 10.28.2

Security Fixes

Path traversal prevention in directories.bin — prevents malicious packages from exploiting bin directory traversal
Symlink validation for file: and git: dependencies — symlinks pointing outside package root are now skipped, preventing exfiltration of sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) into node_modules

Optional dependencies now request full registry metadata to retrieve the libc field for correct platform compatibility checks (#9950)

Security fix: prevent path traversal in directories.bin field.
When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.
Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #9950.

Path traversal prevention in directories.bin — prevents malicious packages from exploiting bin directory traversal
Symlink validation for file: and git: dependencies — symlinks pointing outside package root are now skipped, preventing exfiltration of sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) into node_modules

Optional dependencies now request full registry metadata to retrieve the libc field for correct platform compatibility checks (#9950)

Security fix: prevent path traversal in directories.bin field.
When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.
Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #9950.