PT-2026-1941 · Pnpm · Pnpm
Published: 2026-01-07 · Updated: 2026-05-13 · CVE-2025-69264
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pnpm versions 10.0.0 through 10.25
Description: pnpm is a package manager affected by an issue where git-hosted dependencies can execute arbitrary code during the pnpm install process. This bypasses the security feature introduced in version 10, which disables dependency lifecycle script execution by default. Specifically, while pnpm version 10 blocks postinstall scripts, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, potentially leading to remote code execution without user consent.
Recommendations: Update to pnpm version 10.26.0 or later.
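As an added defender-side example (not part of this advisory and not pnpm's own tooling), the following Python script flags git-hosted dependency specifiers in a package.json, since those are the entries whose prepare, prepublish and prepack scripts can run during fetch, and checks whether a pnpm version falls in the affected range stated above. The sample manifest and the example.invalid URLs are constructed data.

```python
import json
import re

# Specifier prefixes that npm/pnpm resolve as git-hosted packages.
GIT_PREFIXES = ("git+", "git://", "github:", "gitlab:", "bitbucket:", "gist:")
# Bare "owner/repo[#ref]" shorthand is also resolved from GitHub.
SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def is_git_spec(spec: str) -> bool:
    """Return True if a dependency specifier points at a git repository."""
    return spec.startswith(GIT_PREFIXES) or bool(SHORTHAND.match(spec))


def find_git_dependencies(package_json_text: str) -> list[tuple[str, str, str]]:
    """List (field, name, spec) for every git-hosted dependency in a package.json."""
    manifest = json.loads(package_json_text)
    found = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if isinstance(spec, str) and is_git_spec(spec):
                found.append((field, name, spec))
    return found


def pnpm_is_affected(version: str) -> bool:
    """True for pnpm 10.0.0 through 10.25.x; 10.26.0 is the fixed release per the advisory."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return major == 10 and minor < 26


# Constructed sample manifest, not taken from any real project.
SAMPLE = """{
  "dependencies": {
    "lodash": "^4.17.21",
    "left-pad-fork": "git+https://example.invalid/org/left-pad-fork.git#v1.0.0",
    "util-lib": "some-org/util-lib#main"
  },
  "devDependencies": {
    "typescript": "~5.4.0",
    "build-helper": "github:some-org/build-helper"
  }
}"""

if __name__ == "__main__":
    for field, name, spec in find_git_dependencies(SAMPLE):
        print(f"{field}: {name} -> {spec}  (lifecycle scripts may run during fetch)")
    print("pnpm 10.25.1 affected:", pnpm_is_affected("10.25.1"))
```

Registry-hosted specifiers (semver ranges, tarball URLs, file: and workspace: links) are not flagged; only the git-hosted entries are the ones this advisory concerns.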

Exploit

Fix

RCE

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

CVE-2025-69264
GHSA-379Q-355J-W6RJ

Affected Products

Pnpm