Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

pnpm

Ecosystem:
npm
Package URL:
pkg:npm/pnpm
Total PRs:
1,267 Dependabot PRs
Latest PR:
about 24 hours ago
Unique Repositories:
341 repositories
Unique Repos (30 days):
61 repositories
Security Advisories
pnpm has symlink traversal in file:/git dependencies
GHSA-m733-5w8f-5ggw CVE-2026-24056 MODERATE published about 1 month ago • updated 10 days ago
### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining...
pnpm has Windows-specific tarball Path Traversal
GHSA-6x96-7vc8-cm3p CVE-2026-23889 MODERATE published about 1 month ago • updated 11 days ago
### Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on W...
pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
GHSA-8cc4-rfj6-fhg4 CVE-2024-47829 MODERATE published 11 months ago • updated 6 days ago
The path shortening function is used in pnpm: ``` export function depPathToFilename (depPath: string, maxLengthWithoutHash: number): string { let...
Untrusted Search Path in PNPM
GHSA-9m87-6fj3-c5xh CVE-2022-26183 HIGH published almost 4 years ago • updated 12 days ago
PNPM prior to v6.15.1 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execu...
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
GHSA-7vhp-vf5g-r2fw CVE-2025-69263 HIGH published 2 months ago • updated 10 days ago
### Summary HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server...
View all 12 advisories
Recent PRs (filtered by: Patch PRs )
RSS Feed Clear filter
Bump the dev-tools group across 1 directory with 10 updates

cvalentine99/Dang- #33

10.30.1 → 10.30.3 Patch PR
Closed 5 days ago 3 comments
cvalentine99
Bump the npm group with 16 updates

poad/github-pull-request-auto-merge-enable-action #9685

10.30.2 → 10.30.3 Patch PR
Closed 12 days ago 1 comment
poad
chore(deps): bump pnpm from 10.28.0 to 10.28.2

Trancendos/trancendos-ecosystem #492

10.28.0 → 10.28.2 Patch PR
Open 13 days ago 1 comment
Trancendos
chore(deps)(deps-dev): bump the development-dependencies group across 1 directory with 8 updates

HUA-Labs/HUA-Labs-public #140

10.30.1 → 10.30.2 Patch PR
Open 13 days ago 2 comments
HUA-Labs
Bump the npm group with 2 updates

poad/github-pull-request-auto-merge-enable-action #9667

10.30.1 → 10.30.2 Patch PR
Closed 15 days ago 1 comment
poad
chore(deps): bump the minor-and-patch group in /services/shared-app-api with 5 updates

zkorum/agora #592

10.30.0 → 10.30.1 Patch PR
Open 16 days ago 2 comments
zkorum
Bump pnpm from 10.30.0 to 10.30.1 in the sveltekit group

poad/sveltekit-minimal-example #516

10.30.0 → 10.30.1 Patch PR
Closed 19 days ago 2 comments
poad
chore(deps): bump the minor-and-patch group with 17 updates

sirjamesoffordii/CMC-Go #595

10.29.1 → 10.29.3 Patch PR
Closed 22 days ago 3 comments
sirjamesoffordii
chore(deps)(deps): bump the production-dependencies group with 6 updates

HUA-Labs/HUA-Labs-public #122

10.29.1 → 10.29.3 Patch PR
Open 23 days ago 3 comments
HUA-Labs
chore(deps-dev)(deps-dev): bump the development-dependencies group with 4 updates

skittlz444/walk-to-mordor #243

10.29.1 → 10.29.3 Patch PR
Open 23 days ago 3 comments
skittlz444
Bump the packages group with 19 updates

poad/github-rest-api-executor #354

10.29.2 → 10.29.3 Patch PR
Closed 27 days ago 1 comment
poad
Bump the npm group across 1 directory with 2 updates

poad/aws-cloudformation-stack-status-checker #767

10.29.2 → 10.29.3 Patch PR
Closed 27 days ago 1 comment
poad
Bump the packages group with 8 updates

poad/github-rest-api-executor #352

10.29.1 → 10.29.2 Patch PR
Closed 29 days ago 1 comment
poad
Bump the npm group with 5 updates

poad/vercel-functions-example #415

10.29.1 → 10.29.2 Patch PR
Closed 30 days ago 1 comment
poad
chore(deps): bump the test-versions group across 1 directory with 73 updates

DataDog/dd-trace-js #7462

10.28.0 → 10.28.2 Patch PR
Open about 1 month ago 3 comments
DataDog
Bump the npm_and_yarn group across 2 directories with 2 updates

Tattzy25/GOKAFONTA #7

10.28.1 → 10.28.2 Patch PR
Open about 1 month ago 1 comment
Tattzy25
chore(deps-dev): bump the minor-version-updates group across 1 directory with 3 updates

gjfLeo/eslint-config #11

10.28.0 → 10.28.2 Patch PR
Closed about 1 month ago 1 comment
gjfLeo
chore(deps): bump the test-versions group across 1 directory with 67 updates

DataDog/dd-trace-js #7417

10.28.0 → 10.28.2 Patch PR
Open about 1 month ago 2 comments
DataDog
:arrow_up:(deps): Bump the all-dependencies group with 50 updates

StudentTechUsher/stuV1.0 #134

10.28.0 → 10.28.2 Patch PR
Open about 1 month ago 2 comments
StudentTechUsher
chore(deps): bump the production-dependencies group across 1 directory with 7 updates

elKevin24/FIX-AI-NEXT #23

10.28.0 → 10.28.2 Patch PR
Open about 1 month ago 3 comments
elKevin24
Bump pnpm from 10.28.1 to 10.28.2

poad/vercel-functions-example #406

10.28.1 → 10.28.2 Patch PR
Closed about 1 month ago 1 comment
poad
chore(deps): bump pnpm from 10.28.1 to 10.28.2 in the npm_and_yarn group across 1 directory

MisskeyIO/misskey #1416

10.28.1 → 10.28.2 Patch PR
Closed about 1 month ago 5 comments
MisskeyIO
Bump pnpm from 10.28.1 to 10.28.2

poad/github-pull-requester #2607

10.28.1 → 10.28.2 Patch PR
Closed about 1 month ago 1 comment
poad
build(deps): bump pnpm from 10.28.1 to 10.28.2

sainnhe/dotfiles #11

10.28.1 → 10.28.2 Patch PR
Closed about 1 month ago 1 comment
sainnhe
chore(deps): bump the test-versions group across 1 directory with 55 updates

DataDog/dd-trace-js #7332

10.28.0 → 10.28.1 Patch PR
Open about 1 month ago 3 comments
DataDog
chore(deps): bump the npm-minor group in /frontend with 9 updates

0xReLogic/Zeltra #32

10.28.0 → 10.28.1 Patch PR
Open about 1 month ago 2 comments
0xReLogic
Bump the all-dependencies group in /frontend with 8 updates

pkemkes/the-gist-of-it-sec #64

10.28.0 → 10.28.1 Patch PR
Closed about 2 months ago 1 comment
pkemkes
chore(deps): bump the production-dependencies group across 1 directory with 5 updates

elKevin24/FIX-AI-NEXT #20

10.28.0 → 10.28.1 Patch PR
Open about 2 months ago 3 comments
elKevin24
Bump the npm group with 2 updates

poad/github-pull-requester #2601

10.28.0 → 10.28.1 Patch PR
Closed about 2 months ago 1 comment
poad
chore(deps): bump the production-dependencies group across 1 directory with 2 updates

elKevin24/FIX-AI-NEXT #19

10.28.0 → 10.28.1 Patch PR
Open about 2 months ago 4 comments
elKevin24
chore(deps): bump the production-dependencies group across 1 directory with 3 updates

elKevin24/FIX-AI-NEXT #18

10.28.0 → 10.28.1 Patch PR
Open about 2 months ago 5 comments
elKevin24
build(deps-dev): Bump pnpm from 10.28.0 to 10.28.1

AtCoder-NoviSteps/AtCoderNoviSteps #3071

10.28.0 → 10.28.1 Patch PR
Open about 2 months ago 1 comment
AtCoder-NoviSteps
build(deps-dev): Bump pnpm from 10.26.1 to 10.26.2

cynarAI/Houston #122

10.26.1 → 10.26.2 Patch PR
Closed 2 months ago 2 comments
cynarAI
chore(deps): bump the production-dependencies group across 1 directory with 2 updates

heridotlife/heridotlife #68

10.26.1 → 10.26.2 Patch PR
Open 2 months ago 5 comments
heridotlife
Bump the npm group with 2 updates

poad/github-oauth-example #2051

10.26.1 → 10.26.2 Patch PR
Closed 3 months ago 1 comment
poad
chore(deps-dev): bump the development-dependencies group across 1 directory with 7 updates

sokolovgit/code-hive #6

10.26.0 → 10.26.2 Patch PR
Open 3 months ago 1 comment
sokolovgit
Bump pnpm from 10.26.0 to 10.26.1 in the npm group across 1 directory

poad/aws-cloudformation-stack-status-checker #739

10.26.0 → 10.26.1 Patch PR
Closed 3 months ago 1 comment
poad
Bump pnpm from 10.26.0 to 10.26.1 in the npm group across 1 directory

poad/get-aws-ssm-parameter #714

10.26.0 → 10.26.1 Patch PR
Closed 3 months ago 1 comment
poad
Bump pnpm from 10.18.1 to 10.18.3

skittlz444/walk-to-mordor #64

10.18.1 → 10.18.3 Patch PR
Open 5 months ago 2 comments
skittlz444
Bump the patch-updates group across 1 directory with 14 updates

trtyr/Mizuki #10

10.18.0 → 10.18.3 Patch PR
Closed 5 months ago 1 comment
trtyr
Bump the patch-updates group across 1 directory with 5 updates

jianlongliu/jianlongliu.github.io #17

10.18.1 → 10.18.3 Patch PR
Closed 5 months ago 2 comments
jianlongliu
Bump the patch-updates group across 1 directory with 13 updates

trtyr/Mizuki #9

10.18.0 → 10.18.3 Patch PR
Closed 5 months ago 1 comment
trtyr
Bump the patch-updates group across 1 directory with 6 updates

Apollonyon/riverly #7

10.18.1 → 10.18.3 Patch PR
Closed 5 months ago 1 comment
Apollonyon
Bump the npm group with 33 updates

poad/aws-cognito-solidjs #609

10.18.2 → 10.18.3 Patch PR
Merged 5 months ago
poad
Bump the npm group across 1 directory with 2 updates

poad/appstore-connect-jwt-generator-core #3362

10.18.2 → 10.18.3 Patch PR
Merged 5 months ago 1 comment
poad
Bump the npm group across 3 directories with 2 updates

poad/github-cognito-oidc-proxy #3654

10.18.2 → 10.18.3 Patch PR
Merged 5 months ago
poad
Bump the npm group in /tests/infra with 4 updates

poad/csv2dynamodb #2622

10.18.2 → 10.18.3 Patch PR
Merged 5 months ago
poad
Bump pnpm from 10.18.2 to 10.18.3 in the npm group across 1 directory

poad/my-ts-boilerplate #8

10.18.2 → 10.18.3 Patch PR
Merged 5 months ago
poad
Bump the npm group with 3 updates

poad/typescript-action-template #313

10.18.2 → 10.18.3 Patch PR
Merged 5 months ago 1 comment
poad
Bump the npm group across 2 directories with 2 updates

poad/aws-cloudformation-stack-status-checker #695

10.18.2 → 10.18.3 Patch PR
Merged 5 months ago 1 comment
poad
Package Details
Name: pnpm
Ecosystem: npm
PURL Type: npm
Package URL: pkg:npm/pnpm
JSON API: View JSON
Security Advisories

12

Active advisories
HIGH 5
MODERATE 7
View All npm Advisories
Package Information
Description:

Fast, disk space efficient package manager

Repository: https://github.com/pnpm/pnpm
Homepage: https://pnpm.io
Latest Release: 10.11.0
10 months ago
Dependent Repos: 2,954
Dependent Packages: 1,314
Downloads: 88,232,668
Ranking: Top 0.3962% by dependent repos Top 0.0377% by downloads Top 0.0551% by dependent pkgs
PR Status
Open 599 (47.3%)
Merged 206 (16.3%)
Closed 380 (30.0%)
PR Types
Major 295 (23.3%)
Patch 244 (19.3%)
Minor 646 (51.0%)