Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

pnpm

Ecosystem:
npm
Package URL:
pkg:npm/pnpm
Total PRs:
1,364 Dependabot PRs
Latest PR:
4 days ago
Unique Repositories:
377 repositories
Unique Repos (30 days):
16 repositories
Security Advisories
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
GHSA-6pfh-p556-v868 CVE-2026-23888 MODERATE published 5 months ago • updated 13 days ago
### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction direc...
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
GHSA-xpqm-wm3m-f34h CVE-2026-23890 MODERATE published 5 months ago • updated 13 days ago
### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `n...
pnpm vulnerable to Command Injection via environment variable substitution
GHSA-2phv-j68v-wwqx CVE-2025-69262 HIGH published 5 months ago • updated 9 days ago
## Summary A command injection vulnerability exists in pnpm when using environment variable substitution in `.npmrc` configuration files with `tok...
pnpm has symlink traversal in file:/git dependencies
GHSA-m733-5w8f-5ggw CVE-2026-24056 MODERATE published 5 months ago • updated 13 days ago
### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining...
pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
GHSA-8cc4-rfj6-fhg4 CVE-2024-47829 MODERATE published about 1 year ago • updated 14 days ago
The path shortening function is used in pnpm: ``` export function depPathToFilename (depPath: string, maxLengthWithoutHash: number): string { let...
View all 12 advisories
Recent PRs (filtered by: Patch PRs )
RSS Feed Clear filter
build(deps-dev): Bump pnpm from 11.1.2 to 11.1.3

AtCoder-NoviSteps/AtCoderNoviSteps #3567

11.1.2 → 11.1.3 Patch PR
Open 27 days ago 1 comment
AtCoder-NoviSteps
chore(deps): bump the minor-and-patch group across 1 directory with 11 updates

zkorum/agora #1020

10.33.0 → 10.33.2 Patch PR
Open about 1 month ago 2 comments
zkorum
chore(deps): bump pnpm from 10.33.0 to 10.33.2 in /frontend

CreateIntelligens/arcreel360 #7

10.33.0 → 10.33.2 Patch PR
Closed about 2 months ago 2 comments
CreateIntelligens
chore(deps)(deps-dev): bump the development-deps group with 6 updates

brandonlacoste9-tech/flow-guru-web #10

10.33.0 → 10.33.2 Patch PR
Open about 2 months ago 2 comments
brandonlacoste9-tech
Bump pnpm from 10.33.0 to 10.33.2

gflohr/e-invoice-eu #558

10.33.0 → 10.33.2 Patch PR
Open about 2 months ago 2 comments
gflohr
Bump pnpm from 10.32.0 to 10.32.1 in the npm group

poad/github-pull-requester #2650

10.32.0 → 10.32.1 Patch PR
Closed 3 months ago 1 comment
poad
Bump the dev-tools group across 1 directory with 10 updates

cvalentine99/Dang- #33

10.30.1 → 10.30.3 Patch PR
Closed 3 months ago 3 comments
cvalentine99
Bump pnpm from 10.28.0 to 10.28.2 in the npm_and_yarn group across 1 directory

jamilahmedansari/manus-talk-to-my #2

10.28.0 → 10.28.2 Patch PR
Closed 4 months ago 1 comment
jamilahmedansari
Bump the npm group with 16 updates

poad/github-pull-request-auto-merge-enable-action #9685

10.30.2 → 10.30.3 Patch PR
Closed 4 months ago 1 comment
poad
chore(deps): bump pnpm from 10.28.0 to 10.28.2

Trancendos/trancendos-ecosystem #492

10.28.0 → 10.28.2 Patch PR
Open 4 months ago 1 comment
Trancendos
chore(deps)(deps-dev): bump the development-dependencies group across 1 directory with 8 updates

HUA-Labs/HUA-Labs-public #140

10.30.1 → 10.30.2 Patch PR
Open 4 months ago 2 comments
HUA-Labs
Bump the npm group with 2 updates

poad/github-pull-request-auto-merge-enable-action #9667

10.30.1 → 10.30.2 Patch PR
Closed 4 months ago 1 comment
poad
chore(deps): bump the minor-and-patch group in /services/shared-app-api with 5 updates

zkorum/agora #592

10.30.0 → 10.30.1 Patch PR
Open 4 months ago 2 comments
zkorum
Bump pnpm from 10.30.0 to 10.30.1 in the sveltekit group

poad/sveltekit-minimal-example #516

10.30.0 → 10.30.1 Patch PR
Closed 4 months ago 2 comments
poad
chore(deps): bump the minor-and-patch group with 17 updates

sirjamesoffordii/CMC-Go #595

10.29.1 → 10.29.3 Patch PR
Closed 4 months ago 3 comments
sirjamesoffordii
chore(deps)(deps): bump the production-dependencies group with 6 updates

HUA-Labs/HUA-Labs-public #122

10.29.1 → 10.29.3 Patch PR
Open 4 months ago 3 comments
HUA-Labs
chore(deps-dev)(deps-dev): bump the development-dependencies group with 4 updates

skittlz444/walk-to-mordor #243

10.29.1 → 10.29.3 Patch PR
Open 4 months ago 3 comments
skittlz444
Bump the packages group with 19 updates

poad/github-rest-api-executor #354

10.29.2 → 10.29.3 Patch PR
Closed 4 months ago 1 comment
poad
Bump the npm group across 1 directory with 2 updates

poad/aws-cloudformation-stack-status-checker #767

10.29.2 → 10.29.3 Patch PR
Closed 4 months ago 1 comment
poad
Bump the packages group with 8 updates

poad/github-rest-api-executor #352

10.29.1 → 10.29.2 Patch PR
Closed 4 months ago 1 comment
poad
Bump the npm group with 5 updates

poad/vercel-functions-example #415

10.29.1 → 10.29.2 Patch PR
Closed 4 months ago 1 comment
poad
chore(deps): bump the test-versions group across 1 directory with 73 updates

DataDog/dd-trace-js #7462

10.28.0 → 10.28.2 Patch PR
Open 4 months ago 3 comments
DataDog
Bump the npm_and_yarn group across 2 directories with 2 updates

Tattzy25/GOKAFONTA #7

10.28.1 → 10.28.2 Patch PR
Open 4 months ago 1 comment
Tattzy25
chore(deps-dev): bump the minor-version-updates group across 1 directory with 3 updates

gjfLeo/eslint-config #11

10.28.0 → 10.28.2 Patch PR
Closed 4 months ago 1 comment
gjfLeo
chore(deps): bump the test-versions group across 1 directory with 67 updates

DataDog/dd-trace-js #7417

10.28.0 → 10.28.2 Patch PR
Open 4 months ago 2 comments
DataDog
:arrow_up:(deps): Bump the all-dependencies group with 50 updates

StudentTechUsher/stuV1.0 #134

10.28.0 → 10.28.2 Patch PR
Open 4 months ago 2 comments
StudentTechUsher
chore(deps): bump the production-dependencies group across 1 directory with 7 updates

elKevin24/FIX-AI-NEXT #23

10.28.0 → 10.28.2 Patch PR
Open 5 months ago 3 comments
elKevin24
chore(deps-dev): bump pnpm from 10.28.0 to 10.28.2

erikvullings/mithril-ui-form #17

10.28.0 → 10.28.2 Patch PR
Closed 5 months ago 2 comments
erikvullings
Bump pnpm from 10.28.1 to 10.28.2

poad/vercel-functions-example #406

10.28.1 → 10.28.2 Patch PR
Closed 5 months ago 1 comment
poad
chore(deps): bump pnpm from 10.28.1 to 10.28.2 in the npm_and_yarn group across 1 directory

MisskeyIO/misskey #1416

10.28.1 → 10.28.2 Patch PR
Closed 5 months ago 5 comments
MisskeyIO
Bump pnpm from 10.28.1 to 10.28.2

poad/github-pull-requester #2607

10.28.1 → 10.28.2 Patch PR
Closed 5 months ago 1 comment
poad
build(deps): bump pnpm from 10.28.1 to 10.28.2

sainnhe/dotfiles #11

10.28.1 → 10.28.2 Patch PR
Closed 5 months ago 1 comment
sainnhe
chore(deps): bump the test-versions group across 1 directory with 55 updates

DataDog/dd-trace-js #7332

10.28.0 → 10.28.1 Patch PR
Open 5 months ago 3 comments
DataDog
chore(deps): bump the npm-minor group in /frontend with 9 updates

0xReLogic/Zeltra #32

10.28.0 → 10.28.1 Patch PR
Open 5 months ago 2 comments
0xReLogic
Bump the all-dependencies group in /frontend with 8 updates

pkemkes/the-gist-of-it-sec #64

10.28.0 → 10.28.1 Patch PR
Closed 5 months ago 1 comment
pkemkes
chore(deps): bump the production-dependencies group across 1 directory with 5 updates

elKevin24/FIX-AI-NEXT #20

10.28.0 → 10.28.1 Patch PR
Open 5 months ago 3 comments
elKevin24
Bump the npm group with 2 updates

poad/github-pull-requester #2601

10.28.0 → 10.28.1 Patch PR
Closed 5 months ago 1 comment
poad
chore(deps): bump the production-dependencies group across 1 directory with 2 updates

elKevin24/FIX-AI-NEXT #19

10.28.0 → 10.28.1 Patch PR
Open 5 months ago 4 comments
elKevin24
chore(deps): bump the production-dependencies group across 1 directory with 3 updates

elKevin24/FIX-AI-NEXT #18

10.28.0 → 10.28.1 Patch PR
Open 5 months ago 5 comments
elKevin24
build(deps-dev): Bump pnpm from 10.28.0 to 10.28.1

AtCoder-NoviSteps/AtCoderNoviSteps #3071

10.28.0 → 10.28.1 Patch PR
Open 5 months ago 1 comment
AtCoder-NoviSteps
build(deps-dev): Bump pnpm from 10.26.1 to 10.26.2

cynarAI/Houston #122

10.26.1 → 10.26.2 Patch PR
Closed 6 months ago 2 comments
cynarAI
chore(deps): bump the production-dependencies group across 1 directory with 2 updates

heridotlife/heridotlife #68

10.26.1 → 10.26.2 Patch PR
Open 6 months ago 5 comments
heridotlife
Bump the npm group with 2 updates

poad/github-oauth-example #2051

10.26.1 → 10.26.2 Patch PR
Closed 6 months ago 1 comment
poad
chore(deps-dev): bump the development-dependencies group across 1 directory with 7 updates

sokolovgit/code-hive #6

10.26.0 → 10.26.2 Patch PR
Open 6 months ago 1 comment
sokolovgit
Bump pnpm from 10.26.0 to 10.26.1 in the npm group across 1 directory

poad/aws-cloudformation-stack-status-checker #739

10.26.0 → 10.26.1 Patch PR
Closed 6 months ago 1 comment
poad
Bump pnpm from 10.26.0 to 10.26.1 in the npm group across 1 directory

poad/get-aws-ssm-parameter #714

10.26.0 → 10.26.1 Patch PR
Closed 6 months ago 1 comment
poad
Bump pnpm from 10.18.1 to 10.18.3

skittlz444/walk-to-mordor #64

10.18.1 → 10.18.3 Patch PR
Open 8 months ago 2 comments
skittlz444
Bump the patch-updates group across 1 directory with 14 updates

trtyr/Mizuki #10

10.18.0 → 10.18.3 Patch PR
Closed 8 months ago 1 comment
trtyr
build(deps): bump the non-breaking-changes group across 1 directory with 6 updates

esdora-js/esdora #161

10.18.2 → 10.18.3 Patch PR
Closed 8 months ago 2 comments
esdora-js
Bump the patch-updates group across 1 directory with 5 updates

jianlongliu/jianlongliu.github.io #17

10.18.1 → 10.18.3 Patch PR
Closed 8 months ago 2 comments
jianlongliu
Package Details
Name: pnpm
Ecosystem: npm
PURL Type: npm
Package URL: pkg:npm/pnpm
JSON API: View JSON
Security Advisories

12

Active advisories
HIGH 5
MODERATE 7
View All npm Advisories
Package Information
Description:

Fast, disk space efficient package manager

Repository: https://github.com/pnpm/pnpm
Homepage: https://pnpm.io
Latest Release: 10.11.0
about 1 year ago
Dependent Repos: 2,954
Dependent Packages: 1,314
Downloads: 88,232,668
Ranking: Top 0.3962% by dependent repos Top 0.0377% by downloads Top 0.0551% by dependent pkgs
PR Status
Open 646 (47.4%)
Merged 206 (15.1%)
Closed 430 (31.5%)
PR Types
Major 326 (23.9%)
Minor 703 (51.5%)
Patch 253 (18.5%)