Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pnpm for openSUSE:Factory checked in at 2026-02-03 21:31:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pnpm (Old)
 and      /work/SRC/openSUSE:Factory/.pnpm.new.1995 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pnpm"

Tue Feb  3 21:31:26 2026 rev:52 rq:1330629 version:10.28.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/pnpm/pnpm.changes        2026-01-26 11:03:17.496425587 +0100
+++ /work/SRC/openSUSE:Factory/.pnpm.new.1995/pnpm.changes      2026-02-03 21:32:21.590823830 +0100
@@ -1,0 +2,77 @@ +Tue Jan 27 06:31:09 UTC 2026 - Johannes Kastl <[email protected]> + +- update to 10.28.2: + * Patch Changes + - Security fix: prevent path traversal in directories.bin + field. + - When pnpm installs a file: or git: dependency, it now + validates that symlinks point within the package directory. + Symlinks to paths outside the package root are skipped to + prevent local data from being leaked into node_modules. + This fixes a security issue where a malicious package could + create symlinks to sensitive files (e.g., /etc/passwd, + ~/.ssh/id_rsa) and have their contents copied when the + package is installed. + Note: This only affects file: and git: dependencies. Registry + packages (npm) have symlinks stripped during publish and are + not affected. + - Fixed optional dependencies to request full metadata from the + registry to get the libc field, which is required for proper + platform compatibility checks #9950. +- update to 10.28.1: + * Patch Changes + - Fixed installation of config dependencies from private + registries. + Added support for object type in configDependencies when the + tarball URL returned from package metadata differs from the + computed URL #10431. + - Fix path traversal vulnerability in binary fetcher ZIP + extraction + - Validate ZIP entry paths before extraction to prevent + writing files outside target directory + - Validate BinaryResolution.prefix (basename) to prevent + directory escape via crafted prefix + - Both attack vectors now throw ERR_PNPM_PATH_TRAVERSAL error + - Support plain http:// and https:// URLs ending with .git as + git repository dependencies. + Previously, URLs like + https://gitea.example.org/user/repo.git#commit were not + recognized as git repositories because they lacked the git+ + prefix (e.g., git+https://). This caused issues when + installing dependencies from self-hosted git servers like + Gitea or Forgejo that don't provide tarball downloads. 
+ Changes: + - The git resolver now runs before the tarball resolver, + ensuring git URLs are handled by the correct resolver + - The git resolver now recognizes plain http:// and https:// + URLs ending in .git as git repositories + - Removed the isRepository check from the tarball resolver + since it's no longer needed with the new resolver order + Fixes #10468 + - pnpm run -r and pnpm run --filter now fail with a non-zero + exit code when no packages have the specified script. + Previously, this only failed when all packages were selected. + Use --if-present to suppress this error #6844. + - Fixed a path traversal vulnerability in tarball extraction on + Windows. The path normalization was only checking for ./ but + not .\. Since backslashes are directory separators on + Windows, malicious packages could use paths like + foo\..\..\.npmrc to write files outside the package + directory. + - When running "pnpm exec" from a subdirectory of a project, + don't change the current working directory to the root of the + project #5759. + - Fixed a path traversal vulnerability in pnpm's bin linking. + Bin names starting with @ bypassed validation, and after + scope normalization, path traversal sequences like ../../ + remained intact. + - Revert Try to avoid making network calls with preferOffline + #10334. + - Fix --save-peer to write valid semver ranges to + peerDependencies for protocol-based installs (e.g. jsr:) by + deriving from resolved versions when available and falling + back to * if none is available #10417. + - Do not exclude the root workspace project, when it is + explicitly selected via a filter #10465. 
+ +------------------------------------------------------------------- Old: ---- pnpm-10.28.0.tgz New: ---- pnpm-10.28.2.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pnpm.spec ++++++ --- /var/tmp/diff_new_pack.djY26b/_old 2026-02-03 21:32:22.362855752 +0100 +++ /var/tmp/diff_new_pack.djY26b/_new 2026-02-03 21:32:22.366855917 +0100 @@ -23,7 +23,7 @@ %global __nodejs_provides %{nil} %global __nodejs_requires %{nil} Name: pnpm -Version: 10.28.0 +Version: 10.28.2 Release: 0 Summary: Fast, disk space efficient package manager License: MIT ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.djY26b/_old 2026-02-03 21:32:22.414857902 +0100 +++ /var/tmp/diff_new_pack.djY26b/_new 2026-02-03 21:32:22.422858233 +0100 @@ -1,6 +1,6 @@ -mtime: 1768814308 -commit: ba1fb01d59500d324beb225a096d4677d1c1e5a96a036cfb17c8135869e1fb5f +mtime: 1769495846 +commit: fcb0fff18c1dc179522cd725c35d9dd0506223004997738e6173ef3f4f4b9cfa url: https://src.opensuse.org/nodejs/pnpm.git -revision: ba1fb01d59500d324beb225a096d4677d1c1e5a96a036cfb17c8135869e1fb5f +revision: fcb0fff18c1dc179522cd725c35d9dd0506223004997738e6173ef3f4f4b9cfa projectscmsync: https://src.opensuse.org/nodejs/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-02-02 21:12:22.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ pnpm-10.28.0.tgz -> pnpm-10.28.2.tgz ++++++ ++++ 11463 lines of diff (skipped)
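Review bot: the pnpm.changes hunk lists five distinct security fixes across 10.28.1 and 10.28.2 (path traversal via the directories.bin field, symlink validation for file: and git: dependencies, ZIP entry and BinaryResolution.prefix validation in the binary fetcher, backslash normalization in tarball extraction on Windows, and bin linking with @-prefixed names), yet none of them carries a CVE, GHSA or bsc#/boo# reference, while the non-security items do cite upstream issue numbers (#9950, #10431, #6844, #10468). If upstream advisories exist for these fixes, add their identifiers to the entry so the update is tracked by the openSUSE security team; if none were assigned, state that explicitly. Two style points in the same hunk: `- Fix path traversal vulnerability in binary fetcher ZIP extraction` lacks the terminating period the neighbouring bullets have, and `Revert Try to avoid making network calls with preferOffline #10334` reads more clearly with the reverted change title quoted: `Revert "Try to avoid making network calls with preferOffline" #10334`.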
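Review bot: the pnpm.spec hunk is a bare version bump from 10.28.0 to 10.28.2, consistent with the tarball change pnpm-10.28.0.tgz -> pnpm-10.28.2.tgz, and Release: 0 is the correct value for Factory, where OBS assigns release numbers. One thing worth a look given that this update ships security fixes: the surrounding context keeps `%global __nodejs_provides %{nil}` and `%global __nodejs_requires %{nil}`, which switch off the automatic nodejs dependency generator, so whatever pnpm bundles inside the tarball (the 11463 lines of diff the log skips) yields no Provides/Requires in the resulting RPM. If bundled components are meant to be discoverable for advisory matching, consider explicit `Provides: bundled(...)` entries, or a comment in the spec explaining why they are omitted.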
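Review bot: nothing to change in the _scmsync.obsinfo hunk; `commit` and `revision` move together to the same value fcb0fff18c1dc179522cd725c35d9dd0506223004997738e6173ef3f4f4b9cfa, as the old pair did with ba1fb01d..., and the new mtime 1769495846 decodes to 2026-01-27 at roughly 06:37 UTC, a few minutes after the Tue Jan 27 06:31:09 UTC 2026 timestamp of the .changes entry, so the scmsync metadata is consistent with the imported commit.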
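Review bot: the new .gitignore with the single entry `.osc` is fine; it keeps the osc checkout metadata directory out of the src.opensuse.org git repository. The 1970-01-01 timestamp on the old side of that hunk only reflects that the file did not exist before, not a clock problem.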
