## pnpm v10+ Security Flaw: Git Dependency Script Execution Bypass (CVE-2025-69264)
A critical security vulnerability in the pnpm package manager allows malicious Git dependencies to bypass a key security control and execute arbitrary scripts. Tracked as CVE-2025-69264 (GHSA-379q-355j-w6rj), the flaw specifically affects pnpm versions 10 and above. The vulnerability undermines the intended safety of the "dependency lifecycle scripts execution disabled by default" setting, a core security feature designed to prevent supply chain attacks.

The issue is a bypass in how pnpm handles Git dependencies. When a project uses a Git repository as a dependency, the package manager can be tricked into executing lifecycle scripts, such as `postinstall`, even when script execution is supposed to be disabled globally. This creates a direct vector for attackers to run malicious code on a developer's machine or within a CI/CD pipeline during installation. The vulnerability was identified in the open source community, prompting an urgent update to version 10.28.2 to patch the flaw.

This bypass poses a significant risk to any development team or organization using pnpm v10+ with Git dependencies. It exposes projects to potential supply chain compromise, where an attacker could inject code into a build process or gain a foothold in an internal network. The fix requires immediate action: developers and DevOps teams must update their pnpm installations to version 10.28.2 or later. Failure to patch leaves systems vulnerable to exactly the class of attack that the script-execution control was designed to prevent.
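The two conditions described above, a Git-sourced dependency in the manifest and a pnpm release in the affected range, can both be checked mechanically before an install runs. The Node.js script below is an added example for this write-up, not code from pnpm or from the advisory. It classifies dependency specifiers as Git sources using the specifier shapes npm-compatible package managers accept (`git+` and `git://` URLs, `github:`/`gitlab:`/`bitbucket:`/`gist:` shorthands, `https://` URLs ending in `.git` or pointing at the major hosts, and bare `owner/repo#ref`), and treats any pnpm version at or above 10.0.0 and below 10.28.2 as affected, which is an interpretation of the version range the advisory states. The sample `package.json` content, the package names in it and the demo version string are constructed for the demonstration.

```javascript
// Audit helper (added example, not pnpm project code): lists Git-sourced
// dependencies in a package.json object and reports whether a given pnpm
// version falls in the range the advisory describes (>= 10.0.0, < 10.28.2).

const FIXED_VERSION = '10.28.2'; // patched release named in the advisory
const AFFECTED_MAJOR = 10;       // "pnpm versions 10 and above"

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Parse "10.28.2" (an optional leading "v" or pre-release suffix is tolerated)
// into [major, minor, patch] as numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the pnpm version is inside the affected range.
function isAffectedPnpm(version) {
  const [major] = parseVersion(version);
  return major >= AFFECTED_MAJOR && compareVersions(version, FIXED_VERSION) < 0;
}

// Recognise the specifier shapes npm-compatible managers resolve as Git sources.
function isGitSpecifier(spec) {
  if (typeof spec !== 'string') return false;
  const s = spec.trim();
  if (/^(git\+|git:\/\/)/.test(s)) return true;                // git+https://, git+ssh://, git://
  if (/^(github|gitlab|bitbucket|gist):/.test(s)) return true; // hosted shorthands
  if (/^https?:\/\//.test(s)) {
    // Plain HTTPS URLs count only when they look like a repository, not a tarball.
    return /\.git(#.*)?$/.test(s) ||
      /^https?:\/\/(www\.)?(github\.com|gitlab\.com|bitbucket\.org)\//.test(s);
  }
  // Bare "owner/repo" or "owner/repo#ref" GitHub shorthand. Scoped packages
  // start with "@", paths with "." or "/", and protocols contain ":", so none
  // of those reach the match.
  return /^[A-Za-z0-9][\w.-]*\/[\w.-]+(#.*)?$/.test(s);
}

// Collect every Git-sourced dependency across the dependency fields.
function findGitDependencies(pkg) {
  const found = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isGitSpecifier(spec)) found.push({ field, name, spec });
    }
  }
  return found;
}

// Combine both conditions into one verdict for the project.
function assessProject(pkg, pnpmVersion) {
  const gitDependencies = findGitDependencies(pkg);
  const pnpmAffected = isAffectedPnpm(pnpmVersion);
  return {
    pnpmVersion,
    pnpmAffected,
    gitDependencies,
    atRisk: pnpmAffected && gitDependencies.length > 0,
  };
}

// Constructed sample manifest (not from any real project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    lodash: '^4.17.21',
    'example-lib': 'github:example-org/example-lib#v1.2.0',
    'other-lib': 'git+https://git.example.com/team/other-lib.git',
  },
  devDependencies: {
    '@types/node': '^20.0.0',
    'local-tool': 'file:../local-tool',
    'short-lib': 'example-org/short-lib',
  },
};

// Constructed demo value; in practice pass the output of `pnpm --version`.
const DEMO_PNPM_VERSION = '10.12.0';
console.log(JSON.stringify(assessProject(SAMPLE_PACKAGE_JSON, DEMO_PNPM_VERSION), null, 2));
```

Feed the installed version (`pnpm --version`) and the parsed `package.json` to `assessProject`. A project with no Git-sourced dependencies is outside the scope of this particular bypass whatever version it runs, while one that reports `atRisk: true` should have pnpm pinned to 10.28.2 or later in CI before any install step runs.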

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, supply-chain, npm, CVE-2025-69264
- **Credibility**: unverified
- **Published**: 2026-04-19 19:22:35
- **ID**: 71352
- **URL**: https://whisperx.ai/en/intel/71352