chore(deps): update pnpm to v9.15.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pnpm (source)	9.14.2 -> 9.15.0

GitHub Vulnerability Alerts

CVE-2024-53866

Summary

pnpm seems to mishandle overrides and global cache:

1. Overrides from one workspace leak into npm metadata saved in global cache
2. npm metadata from global cache affects other workspaces
3. installs by default don't revalidate the data (including on first lockfile generation)

This can make workspace A (even running with ignore-scripts=true) posion global cache and execute scripts in workspace B

Users generally expect ignore-scripts to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).

Here, that expectation is broken

Details

See PoC.

In it, overrides from a single run of A get leaked into e.g. ~/Library/Caches/pnpm/metadata/registry.npmjs.org/rimraf.json and persistently affect all other projects using the cache

PoC

Postinstall code used in PoC is benign and can be inspected in https://www.npmjs.com/package/ponyhooves?activeTab=code, it's just a console.log

1. Remove store and cache
   On mac: rm -rf ~/Library/Caches/pnpm ~/Library/pnpm/store
   This step is not required in general, but we'll be using a popular package for PoC that's likely cached
2. Create A/package.json:

   {
     "name": "A",
     "pnpm": { "overrides": { "rimraf>glob": "npm:ponyhooves@1" } },
     "dependencies": { "rimraf": "6.0.1" }
   }

   Install it with pnpm i --ignore-scripts (the flag is not required, but the point of the demo is to show that it doesn't help)
3. Create B/package.json:

   {
     "name": "B",
     "dependencies": { "rimraf": "6.0.1" }
   }

   Install it with pnpm i

Result:

Packages: +3
+++
Progress: resolved 3, reused 3, downloaded 0, added 3, done
node_modules/.pnpm/[email protected]/node_modules/ponyhooves: Running postinstall script, done in 51ms

dependencies:
+ rimraf 6.0.1

Done in 1.4s

Also, that code got leaked into another project and it's lockfile now!

Impact

Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs

As a work-around, use separate cache and store dirs in each workspace

---

Release Notes

pnpm/pnpm (pnpm)

v9.15.0

Compare Source

v9.14.4

Compare Source

v9.14.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for vue-devtools-docs canceled.

Name	Link
🔨 Latest commit	e10a364
🔍 Latest deploy log	https://app.netlify.com/sites/vue-devtools-docs/deploys/6764153743e2e8000867a2d8

[pkg-pr-new]

Open in Stackblitz

@vue/devtools-applet

npm i https://pkg.pr.new/@vue/devtools-applet@734

@vue/devtools-core

npm i https://pkg.pr.new/@vue/devtools-core@734

@vue/devtools

npm i https://pkg.pr.new/@vue/devtools@734

@vue/devtools-api

npm i https://pkg.pr.new/@vue/devtools-api@734

@vue/devtools-kit

npm i https://pkg.pr.new/@vue/devtools-kit@734

vite-plugin-vue-devtools

npm i https://pkg.pr.new/vite-plugin-vue-devtools@734

commit: e10a364