pnpm is vulnerable to Insufficient policy enforcement
68
Medium Risk
When minimumReleaseAge is enabled, pnpm can reuse cached abbreviated registry metadata after a 304 Not Modified response. Abbreviated metadata carries no per-version publish times, so instead of re-fetching the full document with its time fields, pnpm takes a warn-and-skip path: it logs a warning, skips the release-age check, and the maturity quarantine is bypassed for that package.

During npm registry resolution, the 404 hint generation runs a semver-detection regex with super-linear worst-case behaviour against package names derived from project dependencies. A crafted name in an untrusted lockfile or manifest can therefore drive CPU exhaustion (regular-expression denial of service) during resolution.

The manifest dependency add and remove paths could also perform dynamic writes or deletes on keys such as __proto__ without own-property guards, so a dependency name that collides with an inherited property is handled through the prototype chain rather than as an own entry of the dependencies map.

The patch re-fetches and persists full metadata whenever a release-age check is required, replaces the regex with an O(n) suffix parser, and hardens manifest writes with Object.defineProperty and Object.hasOwn checks.
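The release-age issue, shown as an added example that is not pnpm's code: a minimumReleaseAge gate that fails closed when handed a document without a per-version time map, and a conditional-fetch path that never offers a cached abbreviated copy for revalidation when the full document is required, so a 304 can never hand abbreviated metadata to the release-age check. The registry stand-in, the cache, the package name `example-pkg`, the ETag value and the publish dates are all constructed for the example.

```javascript
// Added example, not pnpm's code. The npm registry serves two packument shapes:
// abbreviated metadata (Accept: application/vnd.npm.install-v1+json) has no
// per-version "time" map; only the full document does. A release-age policy
// can only be enforced against the full document.
function isFullPackument(doc) {
  return !!doc && typeof doc.time === 'object' && doc.time !== null;
}

// Versions old enough under the policy. A version with no known publish time
// fails closed (treated as too new). A document that cannot support the check
// raises an error instead of warning and returning every version.
function matureVersions(doc, minimumReleaseAgeMinutes, now) {
  const versions = Object.keys(doc.versions ?? {});
  if (!minimumReleaseAgeMinutes) return versions;
  if (!isFullPackument(doc)) {
    throw new Error(`minimumReleaseAge needs full metadata for ${doc.name}`);
  }
  const cutoff = now - minimumReleaseAgeMinutes * 60 * 1000;
  return versions.filter((v) => {
    const published = Object.hasOwn(doc.time, v) ? Date.parse(doc.time[v]) : NaN;
    return Number.isFinite(published) && published <= cutoff;
  });
}

// Constructed stand-in for the registry: answers 304 when the ETag matches,
// regardless of which shape the client cached under that ETag (hypothetical ETag).
function makeRegistry(fullDoc) {
  const abbreviated = { name: fullDoc.name, 'dist-tags': fullDoc['dist-tags'], versions: fullDoc.versions };
  return {
    requests: [],
    get(url, { etag, full }) {
      this.requests.push({ url, etag, full });
      if (etag && etag === 'W/"r1"') return { status: 304 };
      return { status: 200, etag: 'W/"r1"', body: full ? fullDoc : abbreviated };
    },
  };
}

// Conditional GET with a shape check: the cached copy is only offered for
// revalidation when it can satisfy the request, so a 304 never hands an
// abbreviated document back to a caller that needs the full one.
function fetchPackument(registry, cache, url, needFull) {
  const cached = cache.get(url);
  const reusable = cached && (!needFull || isFullPackument(cached.body));
  const res = registry.get(url, { etag: reusable ? cached.etag : undefined, full: needFull });
  if (res.status === 304) return cached.body;
  cache.set(url, { etag: res.etag, body: res.body });
  return res.body;
}

function resolveMature(registry, cache, url, minimumReleaseAgeMinutes, now) {
  const doc = fetchPackument(registry, cache, url, minimumReleaseAgeMinutes > 0);
  return matureVersions(doc, minimumReleaseAgeMinutes, now);
}

// Constructed sample: one month-old release and one published an hour ago.
const NOW = Date.parse('2024-06-01T00:00:00Z');
const SAMPLE = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.0.1' },
  versions: { '1.0.0': {}, '1.0.1': {} },
  time: { '1.0.0': '2024-05-01T00:00:00Z', '1.0.1': '2024-05-31T23:00:00Z' },
};

function demo() {
  const registry = makeRegistry(SAMPLE);
  const cache = new Map();
  const url = 'https://registry.npmjs.org/example-pkg';
  // An earlier install without the policy left abbreviated metadata in the cache.
  resolveMature(registry, cache, url, 0, NOW);
  // Policy on: the abbreviated copy is not offered for revalidation; the full
  // document is fetched (200) and persisted, and only the month-old version passes.
  const first = resolveMature(registry, cache, url, 24 * 60, NOW);
  // The cache now holds the full document, so a 304 is acceptable here.
  const second = resolveMature(registry, cache, url, 24 * 60, NOW);
  return { first, second, requests: registry.requests };
}
```

Running `demo()` issues three requests: an unconditional fetch of the abbreviated document, an unconditional fetch of the full document once the policy is on, and finally a conditional request that is answered with 304 and served from the now-full cache. The vulnerable behaviour corresponds to sending the second request conditionally with the ETag of the abbreviated copy, receiving 304, and then checking release age against a document that has no time map.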
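The regex issue, shown as an added example that is not pnpm's code: a backtracking "does this name end in a version?" pattern beside a linear suffix parser that returns the same answers. The regex `TRAILING_SEMVER_RE` is a constructed illustration of the super-linear pattern class described above, not pnpm's actual 404-hint regex, and the helper names are hypothetical.

```javascript
// Added example, not pnpm's code. Hypothetical "name ends in a version" check.
// The pattern is unanchored at the front, so on a name such as "999...9" (all
// digits, no dots) a backtracking engine starts a match at each of the n
// positions and, for each, lets \d+ consume to the end before giving up one
// character at a time looking for '.': O(n^2) steps on attacker-chosen input.
const TRAILING_SEMVER_RE = /(\d+\.\d+\.\d+)$/;

function trailingVersionRegex(name) {
  const m = TRAILING_SEMVER_RE.exec(name);
  return m ? m[1] : null;
}

// Linear replacement: walk backwards from the end consuming
// digits '.' digits '.' digits. Each character is examined at most once, so
// the cost is O(n) regardless of the input's shape.
function trailingVersionLinear(name) {
  const isDigit = (c) => c >= 48 && c <= 57; // '0'..'9'
  const end = name.length;
  let start = end;
  for (let field = 0; field < 3; field++) {
    let j = start;
    while (j > 0 && isDigit(name.charCodeAt(j - 1))) j--;
    if (j === start) return null;            // a field needs at least one digit
    start = j;
    if (field < 2) {
      if (start === 0 || name[start - 1] !== '.') return null;
      start--;                                // consume the separating dot
    }
  }
  return name.slice(start, end);
}

// Constructed inputs: both implementations must agree on every one of them.
const SAMPLE_NAMES = ['foo@1.2.3', '1.2.3.4', 'v10.20.30-beta', 'pkg-1.2', '1.2.3', '@scope/pkg@0.0.1'];

function agreement() {
  return SAMPLE_NAMES.map((name) => ({
    name,
    regex: trailingVersionRegex(name),
    linear: trailingVersionLinear(name),
  }));
}

// A hostile name from an untrusted lockfile: a million digits. The linear
// parser answers immediately; the regex would need on the order of 10^12 steps.
function hostileNameResult() {
  return trailingVersionLinear('9'.repeat(1_000_000));
}
```

Only the linear parser is run on the hostile input; the regex is kept to the short constructed names so the block finishes instantly. Note that "1.2.3.4" yields "2.3.4" from both, since the regex's leftmost successful match starts at the second field.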
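The manifest issue, shown as an added example that is not pnpm's code: a naive dependency add/remove pair that writes and deletes dynamic keys directly, beside a hardened pair using Object.defineProperty and Object.hasOwn as the patch describes. The function names and the manifest objects are constructed for the example; the `__proto__` and `toString` names are the inherited-property collisions the guards exist for.

```javascript
// Added example, not pnpm's code. Dynamic key write/delete on the dependencies
// map, with the key taken from a dependency name.
function addDependencyNaive(manifest, field, name, spec) {
  const deps = manifest[field] ?? (manifest[field] = {});
  deps[name] = spec;          // name === '__proto__' goes to the prototype setter
  return deps;
}

function removeDependencyNaive(manifest, field, name) {
  const deps = manifest[field];
  if (!deps || deps[name] === undefined) return false; // inherited props look present
  delete deps[name];                                   // no own property: no-op
  return true;
}

// Hardened: Object.defineProperty always creates an own data property, even
// for the key "__proto__", and Object.hasOwn only reports own entries.
function addDependencyHardened(manifest, field, name, spec) {
  if (!Object.hasOwn(manifest, field) || typeof manifest[field] !== 'object' || manifest[field] === null) {
    Object.defineProperty(manifest, field, { value: {}, writable: true, enumerable: true, configurable: true });
  }
  Object.defineProperty(manifest[field], name, { value: spec, writable: true, enumerable: true, configurable: true });
  return manifest[field];
}

function removeDependencyHardened(manifest, field, name) {
  const deps = manifest[field];
  if (!deps || !Object.hasOwn(deps, name)) return false;
  delete deps[name];
  return true;
}

// Constructed scenario: a dependency named "__proto__" with an object-shaped
// spec, and a removal of a name that only exists on Object.prototype.
function demo() {
  const naive = { dependencies: {} };
  addDependencyNaive(naive, 'dependencies', '__proto__', { leaked: true });

  const hardened = { dependencies: {} };
  addDependencyHardened(hardened, 'dependencies', '__proto__', '1.0.0');

  return {
    // Naive: the entry is missing from the serialized manifest, and the
    // dependencies object now inherits from the attacker-shaped spec.
    naiveJson: JSON.stringify(naive.dependencies),
    naiveLeaked: naive.dependencies.leaked,
    naiveProtoIntact: Object.getPrototypeOf(naive.dependencies) === Object.prototype,
    // Hardened: an ordinary own entry, prototype untouched.
    hardenedJson: JSON.stringify(hardened.dependencies),
    hardenedProtoIntact: Object.getPrototypeOf(hardened.dependencies) === Object.prototype,
    // Removal of an inherited name: naive reports success for a no-op delete.
    naiveRemoveInherited: removeDependencyNaive({ dependencies: {} }, 'dependencies', 'toString'),
    hardenedRemoveInherited: removeDependencyHardened({ dependencies: {} }, 'dependencies', 'toString'),
    // Round trip: JSON.parse creates an own "__proto__" property, which the
    // hardened removal sees and the naive path cannot distinguish.
    hardenedRemoveOwn: removeDependencyHardened(JSON.parse('{"dependencies":{"__proto__":"1.0.0"}}'), 'dependencies', '__proto__'),
  };
}
```

The naive write silently drops the dependency from the serialized manifest while rewiring the prototype of the dependencies object; the hardened write produces the own entry `"__proto__": "1.0.0"` that JSON.parse would also produce when reading the manifest back.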
You are affected if you are using a version that falls within the vulnerable range.
pnpm is vulnerable to Insufficient policy enforcement in versions 11.0.0 - 11.1.1.
Upgrade pnpm to a patched release, that is, any version later than 11.1.1.