## pnpm v10 Update Addresses Critical Global Cache Poisoning Vulnerability (CVE-2024-53866)
A major update to the pnpm package manager addresses a critical security flaw that could allow attackers to poison the global cache and bypass script execution safeguards. The vulnerability, tracked as CVE-2024-53866 (GHSA-vm32-9rqf-rh3r), stems from a mishandling of workspace overrides and the global cache, creating a vector for supply chain attacks. This flaw enables a scenario where overrides from one workspace can leak into npm metadata saved in the shared global cache, potentially allowing the evasion of the `ignore-scripts` configuration—a key security feature designed to prevent arbitrary code execution during package installation.

The core of the issue lies in pnpm's handling of metadata. When a project uses overrides to pin or alter dependency versions, this information can incorrectly persist in the global cache. Subsequent installations in other projects or workspaces that fetch from this tainted cache may inherit these overrides without explicit configuration. This leakage mechanism, combined with a method to bypass `ignore-scripts`, significantly raises the risk of malicious code execution in environments that rely on pnpm's security settings for protection.

The update from pnpm v9.14.4 to v10.28.2, flagged as a major version change, is the direct response to this vulnerability. The presence of the OpenSSF Scorecard badge in the update notice underscores the security-focused nature of this release. For development teams and organizations using pnpm, especially in multi-workspace monorepos, this patch is not a routine dependency chore but a mandatory security remediation. The flaw highlights the persistent risks in software supply chains where a trusted tool's cache behavior can become an attack surface, demanding immediate scrutiny and upgrade to mitigate potential compromise.
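The two questions a team has to answer after reading the notice above are whether their pnpm is still on an affected version and whether the `ignore-scripts` safeguard is actually enforced in the workspaces that also declare overrides. The following Python audit helper is an added example, not code from the pnpm project. It assumes `.npmrc` uses plain `key=value` lines, that workspace overrides are declared under `pnpm.overrides` in `package.json`, and that `MIN_FIXED_VERSION` is the patched baseline the team has adopted (the value below is the v10.28.2 cited in the notice; the sample inputs are constructed).

```python
"""Audit helper for the pnpm override-leak / ignore-scripts bypass (CVE-2024-53866).

Added example, not pnpm's own code. Assumptions:
  - MIN_FIXED_VERSION is the team's chosen patched baseline (notice cites v10.28.2).
  - .npmrc is a list of `key=value` lines; later keys win; `#`/`;` start comments.
  - Workspace overrides live under "pnpm": {"overrides": {...}} in package.json.
"""
import json
import re

MIN_FIXED_VERSION = (10, 28, 2)  # assumption: patched baseline from the update notice

# Constructed sample inputs, not taken from any real repository.
SAMPLE_NPMRC_WEAK = "registry=https://registry.npmjs.org/\nignore-scripts=false\n"
SAMPLE_NPMRC_HARDENED = "# enforce the safeguard\nregistry=https://registry.npmjs.org/\nignore-scripts=true\n"
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "workspace-a",
    "pnpm": {"overrides": {"example-dep": "1.2.3"}},  # constructed override
})


def parse_version(text):
    """Turn 'v9.14.4' or '10.28.2-beta.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised pnpm version: {text!r}")
    return tuple(int(x) for x in m.groups())


def parse_npmrc(text):
    """Parse .npmrc into a dict, skipping blanks and comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line, ignore rather than guess
        settings[key.strip()] = value.strip()
    return settings


def ignore_scripts_enforced(npmrc_text):
    """True only when ignore-scripts is explicitly set to true (absent means not enforced)."""
    return parse_npmrc(npmrc_text).get("ignore-scripts", "").lower() == "true"


def workspace_overrides(package_json_text):
    """Return the overrides a workspace declares under pnpm.overrides, or {} if none."""
    data = json.loads(package_json_text)
    return data.get("pnpm", {}).get("overrides", {}) or {}


def audit(pnpm_version, npmrc_text, package_json_text):
    """Return a list of findings; an empty list means nothing to remediate."""
    findings = []
    vulnerable = parse_version(pnpm_version) < MIN_FIXED_VERSION
    if vulnerable:
        findings.append(
            f"pnpm {pnpm_version} is below the patched baseline "
            f"{'.'.join(map(str, MIN_FIXED_VERSION))}; upgrade before relying on the cache"
        )
    if not ignore_scripts_enforced(npmrc_text):
        findings.append("ignore-scripts is not set to true; install scripts can run")
    overrides = workspace_overrides(package_json_text)
    if overrides and vulnerable:
        findings.append(
            f"workspace declares {len(overrides)} override(s) on a vulnerable pnpm; "
            "they can leak into the shared global metadata cache"
        )
    return findings


if __name__ == "__main__":
    for version, npmrc in (("v9.14.4", SAMPLE_NPMRC_WEAK), ("v10.28.2", SAMPLE_NPMRC_HARDENED)):
        print(f"== pnpm {version} ==")
        for finding in audit(version, npmrc, SAMPLE_PACKAGE_JSON) or ["no findings"]:
            print("  -", finding)
```

Run it against each workspace's `.npmrc` and `package.json` with the output of `pnpm --version`; the two checks are deliberately independent, because on a vulnerable version the `ignore-scripts` setting alone cannot be trusted, and on a patched version the setting still has to be present to block install scripts.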

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain-security, vulnerability, package-manager, CVE-2024-53866, npm
- **Credibility**: unverified
- **Published**: 2026-04-11 09:22:30
- **ID**: 59914
- **URL**: https://whisperx.ai/en/intel/59914