PT-2024-35964 · Pnpm · Pnpm

Chalker · Published 2024-12-10 · Updated 2025-09-22 · CVE-2024-53866
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 9.15.0
Description: pnpm mishandles the interaction between package overrides and its global metadata cache. Overrides applied in one workspace can be written into the npm package metadata stored in the global cache, and other workspaces that share that cache then pick them up. Installs do not revalidate the cached metadata by default, not even when a lockfile is generated for the first time. This breaks the assumption that ignore-scripts is sufficient to prevent code execution during install: an operation that is expected to be safe corrupts shared global state, and subsequent installs in other workspaces resolve the leaked overrides, enabling arbitrary code execution on install.
Recommendations: For versions prior to 9.15.0, update to version 9.15.0 or later. As a temporary workaround, configure a separate store directory and cache directory for each workspace so that no package metadata cache is shared between workspaces.
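The following script is an added example and is not code from pnpm, the advisory, or its reporter. It implements the two points above as a pre-install check: it flags a pnpm release older than the fixed version 9.15.0, and, as the interim workaround, writes a project-local .npmrc that pins store-dir and cache-dir inside the workspace so its metadata cache is not shared with other workspaces. The directory names .pnpm-store and .pnpm-cache are an assumption; any location that is not shared across workspaces serves the same purpose.

```shell
#!/bin/sh
# Added example for CVE-2024-53866 (not pnpm's own code, not the advisory's).
# Assumed directory names: .pnpm-store and .pnpm-cache inside the workspace.

FIXED_VERSION="9.15.0"   # first release that ships the fix, per the advisory

# Print one integer that orders dotted versions (major.minor.patch).
# Components above 999 would need a wider radix; pnpm releases stay well below.
version_key() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Usage: pnpm_version_is_vulnerable VERSION
# Exit 0 when VERSION is older than 9.15.0, 1 when it is 9.15.0 or later,
# 2 when the string cannot be parsed. A leading "v" and any pre-release or
# build suffix ("9.15.0-beta.1") are dropped first, so pre-releases of 9.15.0
# count as fixed here; that is a simplification, not a claim about those builds.
pnpm_version_is_vulnerable() {
  ver="${1#v}"
  ver="${ver%%[-+]*}"
  case "$ver" in
    ""|*[!0-9.]*) echo "unrecognised pnpm version: '$1'" >&2; return 2 ;;
  esac
  [ "$(version_key "$ver")" -lt "$(version_key "$FIXED_VERSION")" ]
}

# Usage: write_workspace_pnpm_config /abs/path/to/workspace
# Sets store-dir and cache-dir in the workspace's .npmrc (pnpm reads
# project-local .npmrc files), replacing earlier values for those two keys
# and keeping every other setting untouched.
write_workspace_pnpm_config() {
  ws="${1%/}"
  rc="$ws/.npmrc"
  mkdir -p "$ws"
  kept=""
  if [ -f "$rc" ]; then
    kept=$(grep -v -e '^store-dir=' -e '^cache-dir=' "$rc" || true)
  fi
  {
    [ -n "$kept" ] && printf '%s\n' "$kept"
    printf 'store-dir=%s\n' "$ws/.pnpm-store"
    printf 'cache-dir=%s\n' "$ws/.pnpm-cache"
  } > "$rc"
}

# Usage: audit_pnpm_workspace /abs/path/to/workspace
# Checks the pnpm found in PATH; on an affected release it writes the
# workaround and exits 1 so a CI step can fail loudly until pnpm is updated.
audit_pnpm_workspace() {
  if ! command -v pnpm >/dev/null 2>&1; then
    echo "pnpm not found in PATH; nothing to check" >&2
    return 0
  fi
  v=$(pnpm --version)
  status=0
  pnpm_version_is_vulnerable "$v" || status=$?
  case "$status" in
    0)
      echo "pnpm $v is affected by CVE-2024-53866; update to $FIXED_VERSION or later" >&2
      write_workspace_pnpm_config "$1"
      echo "interim workaround: per-workspace store and cache written to $1/.npmrc" >&2
      return 1 ;;
    1)
      echo "pnpm $v is not affected by CVE-2024-53866" ;;
    *)
      echo "could not determine whether pnpm '$v' is affected" >&2
      return 2 ;;
  esac
}

# Run against a workspace given on the command line, e.g.:
#   sh pnpm_cve_2024_53866.sh "$PWD"
if [ "$#" -gt 0 ]; then
  audit_pnpm_workspace "$1"
fi
```

The workaround only isolates workspaces from each other; a workspace whose own overrides are untrusted still needs the updated pnpm, which is why the audit keeps failing until the version check passes.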

Exploit

Fix

Weakness Enumeration

Untrusted Search Path
Origin Validation Error

Related Identifiers

CVE-2024-53866
GHSA-VM32-9RQF-RH3R

Affected Products

Pnpm