
Download of Code Without Integrity Check

CVE-2025-69263

Severity High
Score 8.8/10

Summary

pnpm is a package manager. Versions prior to 10.26.0 and 11.x prior to 11.0.0-alpha.2 store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This also affects @pnpm/package-requester versions prior to 1010.0.0, @pnpm/worker versions prior to 1000.5.0, @pnpm/fetcher-base versions prior to 1001.1.0, and @pnpm/store-controller-types versions prior to 1004.4.0.

CVSS v3 base metrics (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, consistent with the 8.8 score above):

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CWE-494 - Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Advisory Timeline

  • Published