## pnpm v10+ Security Bypass: Git Dependency Script Execution Vulnerability Confirmed in CVE-2025-69264
A critical security vulnerability in pnpm versions 10.x allowed malicious actors to bypass the default protections against lifecycle script execution for Git-based dependencies. Tracked as CVE-2025-69264 (GHSA-379q-355j-w6rj), the flaw undermined a core security design introduced in pnpm v10, where dependency lifecycle scripts were intentionally disabled by default. The bypass enabled arbitrary code execution during package installation—a serious supply chain risk for any project relying on Git dependencies.

The vulnerability stemmed from how pnpm v10+ handled script execution permissions for dependencies sourced directly from Git repositories. While the v10 release introduced stricter defaults to prevent unexpected script runs, this flaw allowed those safeguards to be circumvented under specific conditions involving Git-based dependencies. Organizations using automated dependency-update tools such as Renovate were notified to upgrade from v10.12.4 to the fixed release v10.28.2.

The exposure raises concerns across open-source supply chains, particularly for projects that pull dependencies from public or third-party Git sources. Developers who did not manually audit their dependency graphs may have been running untrusted scripts without realizing it. Security teams are urged to audit their dependency manifests, verify their pnpm versions, and consider rotating credentials or re-deploying environments where affected versions were in active use. The incident underscores the ongoing tension between convenience and security in modern JavaScript tooling ecosystems.
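
A defender-side audit of the two things the paragraph above asks teams to check: the pnpm version in use and any Git-sourced entries in the dependency manifest. This is added example code, not pnpm's or the advisory's; it takes the affected range as 10.x releases before v10.28.2, as the text states, and the package names in the sample manifest are constructed.

```javascript
// Added audit helper, not pnpm's own code: lists Git-sourced dependencies in a package.json
// manifest and checks whether the pnpm in use is a 10.x release before the fixed v10.28.2.
const FIXED_PNPM_VERSION = '10.28.2';
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// Classify a dependency specifier as Git-sourced (vs registry range, workspace, file, tarball).
function isGitSpecifier(spec) {
  if (typeof spec !== 'string') return false;
  const s = spec.trim();
  if (/^git(\+[a-z]+)?:\/\//i.test(s) || /^git@[^:]+:/.test(s)) return true; // git://, git+ssh://, scp-style
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return true;            // hosted shorthands
  const m = s.match(/^https?:\/\/([^/]+)\/([^#]*)/i);                      // https URL: known host or .git path
  if (m) return /(^|\.)(github\.com|gitlab\.com|bitbucket\.org)$/i.test(m[1]) || /\.git$/i.test(m[2]);
  return /^[\w.-]+\/[\w.-]+(#[\w./-]*)?$/.test(s);                        // bare owner/repo#ref shorthand
}
function parseVersion(v) {
  const m = String(v).trim().replace(/^v/, '').match(/^(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Returns -1, 0 or 1 on major.minor.patch; prerelease tags are ignored for this check.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// Affected range per the advisory text: 10.0.0 <= version < 10.28.2.
const isAffectedPnpm = v => compareVersions(v, '10.0.0') >= 0 && compareVersions(v, FIXED_PNPM_VERSION) < 0;
// Git deps are reported always; atRisk is set only when the installer is an affected pnpm.
function auditManifest(manifest, pnpmVersion) {
  const gitDeps = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isGitSpecifier(spec)) gitDeps.push({ field, name, spec });
    }
  }
  const pnpmAffected = isAffectedPnpm(pnpmVersion);
  return { pnpmVersion, pnpmAffected, gitDeps, atRisk: pnpmAffected && gitDeps.length > 0 };
}
// Constructed sample manifest (hypothetical package names); in practice pass
// JSON.parse(fs.readFileSync('package.json', 'utf8')) and the output of `pnpm --version`.
const SAMPLE_MANIFEST = {
  dependencies: {
    'left-pad': '^1.3.0',
    'internal-utils': 'github:example-org/internal-utils#v2.1.0',
    'legacy-lib': 'git+ssh://git@github.com/example-org/legacy-lib.git',
    'tarball-dep': 'https://registry.npmjs.org/tarball-dep/-/tarball-dep-1.0.0.tgz',
  },
  devDependencies: { 'shared-config': 'workspace:*', 'old-tool': 'example-org/old-tool#abc1234' },
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST, '10.12.4'), null, 2));
```

Running it against a real manifest is a triage aid only: a Git dependency flagged here is where an audit of fetched scripts and a rebuild on the fixed release should start.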

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: npm, javascript, security, CVE-2025-69264, supply-chain
- **Credibility**: unverified
- **Published**: 2026-05-09 17:31:54
- **ID**: 81214
- **URL**: https://whisperx.ai/en/intel/81214