PT-2025-17640 · Pnpm · Pnpm

Published: 2025-04-23 · Updated: 2025-05-03 · CVE-2024-47829

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 10.0.0

Description: The issue lies in pnpm's path shortening function, which uses md5 as its compression function. If a collision occurs, two different libraries can be assigned the same storage path. Although the real package names appear under node_modules/, the shortened paths carry no version numbers for the libraries they refer to.

Recommendations: For versions prior to 10.0.0, update to version 10.0.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the path shortening function until a patch is applied.

Related Identifiers

BDU:2025-06425
CVE-2024-47829
GHSA-8CC4-RFJ6-FHG4

Affected Products

Pnpm