chore(deps): update dependency pnpm to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pnpm (source)	^7.18.2 -> ^9.0.0

GitHub Vulnerability Alerts

CVE-2023-37478

Summary

It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives.

Details

The TAR format is an append-only archive format, and as such, the specification for how to update a file is to add a new record to the end with the updated version of the file. This means that it is completely valid for an archive to contain multiple copies of, say, package.json, and the expected behavior when extracting is that all versions other than the last get ignored.

This is further complicated by that during tarball extraction, all package managers are configured to drop the first path component, so collisions can be created simply by using multiple root folders in the archive, even without performing updates.

When pnpm extracts a tar archive via tar-stream, it appears to extract only the first file of a given name and discards all subsequent files with the same name.

PoC

Create a root folder with the following layout:

• a/package.json
• package/package.json
• z/package.json

File contents:

a/package.json

{
    "name": "test-package",
    "version": "0.1.0",
    "description": "This is a bad version of a test package",
    "dependencies": {
        "react": "^15"
    }
}

package/package.json

{
    "name": "test-package",
    "version": "0.1.0",
    "description": "This is a bad version of a test package",
    "dependencies": {
        "react": "^16"
    }
}

z/package.json

{
    "name": "test-package",
    "version": "0.1.0",
    "description": "This is the good version of a test package",
    "dependencies": {
        "react": "^17"
    }
}

Then use the tar binary to produce a tarball (working directory is the root folder):
tar -c -z --format ustar -f package.tgz a package z
The order of the folders at the end matters; whichever one is last will end up being the package.json that wins when extracted by npm; the one that is first will be the one that wins when extracted by pnpm.

Install the tarball via the file: protocol.

Observe that with npm, the lockfile has react@17, while with pnpm it has react@15.

Impact

This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm.

CVE-2024-53866

Summary

pnpm seems to mishandle overrides and global cache:

1. Overrides from one workspace leak into npm metadata saved in global cache
2. npm metadata from global cache affects other workspaces
3. installs by default don't revalidate the data (including on first lockfile generation)

This can make workspace A (even running with ignore-scripts=true) posion global cache and execute scripts in workspace B

Users generally expect ignore-scripts to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).

Here, that expectation is broken

Details

See PoC.

In it, overrides from a single run of A get leaked into e.g. ~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json and persistently affect all other projects using the cache

PoC

Postinstall code used in PoC is benign and can be inspected in https://www.npmjs.com/package/ponyhooves?activeTab=code, it's just a console.log

1. Remove store and cache
   On mac: rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store
   This step is not required in general, but we'll be using a popular package for PoC that's likely cached
2. Create A/package.json:

   {
     "name": "A",
     "pnpm": { "overrides": { "rimraf>glob": "npm:ponyhooves@1" } },
     "dependencies": { "rimraf": "6.0.1" }
   }

   Install it with pnpm i --ignore-scripts (the flag is not required, but the point of the demo is to show that it doesn't help)
3. Create B/package.json:

   {
     "name": "B",
     "dependencies": { "rimraf": "6.0.1" }
   }

   Install it with pnpm i

Result:

Packages: +3
+++
Progress: resolved 3, reused 3, downloaded 0, added 3, done
node_modules/.pnpm/ponyhooves@1.0.1/node_modules/ponyhooves: Running postinstall script, done in 51ms

dependencies:
+ rimraf 6.0.1

Done in 1.4s

Also, that code got leaked into another project and it's lockfile now!

Impact

Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs

As a work-around, use separate cache and store dirs in each workspace

---

Release Notes

pnpm/pnpm (pnpm)

v9.15.0: pnpm 9.15

Compare Source

Minor Changes

• Metadata directory version bumped to force fresh cache after we shipped a fix to the metadata write function. This change is backward compatible as install doesn't require a metadata cache.

Patch Changes

• pnpm update --global should not crash if there are no any global packages installed #​7898.
• Fix an exception when running pnpm update --interactive if catalogs are used.

Platinum Sponsors

Gold Sponsors

v9.14.4: pnpm 9.14.4

Compare Source

Patch Changes

• Don't ever save mutated metadata to the metadata cache.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.14.3: pnpm 9.14.3

Compare Source

Patch Changes

• Some commands should ignore the packageManager field check of package.json #​7959.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.14.2

Compare Source

Patch Changes

• pnpm publish --json should work #​8788.

Platinum Sponsors

Gold Sponsors

v9.14.1

Compare Source

Minor Changes

• Added support for pnpm pack --json to print packed tarball and contents in JSON format #​8765.

Patch Changes

• pnpm exec should print a meaningful error message when no command is provided #​8752.
• pnpm setup should remove the CLI from the target location before moving the new binary #​8173.
• Fix ERR_PNPM_TARBALL_EXTRACT error while installing a dependency from GitHub having a slash in branch name #​7697.
• Don't crash if the use-node-version setting is used and the system has no Node.js installed #​8769.
• Convert settings in local .npmrc files to their correct types. For instance, child-concurrency should be a number, not a string #​5075.
• pnpm should fail if a project requires a different package manager even if manage-package-manager-versions is set to true.
• pnpm init should respect the --dir option #​8768.

Platinum Sponsors

Gold Sponsors

v9.14.0

Compare Source

v9.13.2: pnpm 9.13.2

Compare Source

Patch Changes

• Detection of circular peer dependencies should not crash with aliased dependencies #​8759. Fixes a regression introduced in the previous version.
• Fix race condition of symlink creations caused by multiple parallel dlx processes.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.13.1: pnpm 9.13.1

Compare Source

Patch Changes

• Fixed some edge cases where resolving circular peer dependencies caused a dead lock #​8720.

Platinum Sponsors

Gold Sponsors

Silver Sponsors

v9.13.0: pnpm 9.13

Compare Source

Minor Changes

• The self-update now accepts a version specifier to install a specific version of pnpm. E.g.:

  pnpm self-update 9.5.0
  

  or

  pnpm self-update next-10
  

Patch Changes

• Fix Cannot read properties of undefined (reading 'name') that is printed while trying to render the missing peer dependencies warning message #​8538.

Platinum Sponsors

Gold Sponsors

Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.