Problem
pnpm/action-setup@v6.0.9 embeds pnpm@11.7.0 in
src/install-pnpm/bootstrap/pnpm-lock.json. The action runs npm ci on that
lockfile before resolving/self-updating to the consumer's requested pnpm
version.
Since public advisory
GHSA-qrv3-253h-g69c
marks pnpm >=11.0.0 <11.8.0 as high severity, every current v6.0.9 action run
now prints:
added 1 package, and audited 2 packages in 1s
1 high severity vulnerability
To address all issues, run:
npm audit fix --force
Run `npm audit` for details.
The issue is visible in this public consumer run:
https://github.com/Malakof/crystal-platform/actions/runs/29153557294
Consumer tracking: https://github.com/Malakof/crystal-platform/issues/327
Reproduction
Use pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271
on a current GitHub-hosted runner, or run:
tmpdir=$(mktemp -d)
cd "$tmpdir"
npm init -y
npm install pnpm@11.7.0 --package-lock-only --ignore-scripts
npm audit --json
The audit reports pnpm as the direct high-severity dependency, affected range
11.0.0 - 11.7.0, with a fix available at 11.8.0 or later.
Expected
Please update both committed bootstrap lockfiles (including the relevant
@pnpm/exe bootstrap) to a pnpm release outside the advisory range, rebuild
dist, and publish a new immutable Node 24 action release/commit.
Changing only a consumer's version: input or packageManager field does not
remove this output because the embedded bootstrap npm ci happens first.
I searched open and closed issues for the advisory id and 11.8.0 vulnerability
before filing and found no existing report. Current master is still v6.0.9
commit 0ebf47130e48....
Problem
pnpm/action-setup@v6.0.9embedspnpm@11.7.0insrc/install-pnpm/bootstrap/pnpm-lock.json. The action runsnpm cion thatlockfile before resolving/self-updating to the consumer's requested pnpm
version.
Since public advisory
GHSA-qrv3-253h-g69cmarks
pnpm >=11.0.0 <11.8.0as high severity, every current v6.0.9 action runnow prints:
The issue is visible in this public consumer run:
https://github.com/Malakof/crystal-platform/actions/runs/29153557294
Consumer tracking: https://github.com/Malakof/crystal-platform/issues/327
Reproduction
Use
pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271on a current GitHub-hosted runner, or run:
The audit reports
pnpmas the direct high-severity dependency, affected range11.0.0 - 11.7.0, with a fix available at 11.8.0 or later.Expected
Please update both committed bootstrap lockfiles (including the relevant
@pnpm/exebootstrap) to a pnpm release outside the advisory range, rebuilddist, and publish a new immutable Node 24 action release/commit.Changing only a consumer's
version:input orpackageManagerfield does notremove this output because the embedded bootstrap
npm cihappens first.I searched open and closed issues for the advisory id and
11.8.0 vulnerabilitybefore filing and found no existing report. Current
masteris still v6.0.9commit
0ebf47130e48....