Skip to content

security: v6.0.9 bootstrap pnpm 11.7.0 triggers GHSA-qrv3-253h-g69c audit finding #275

Description

@Malakof

Problem

pnpm/action-setup@v6.0.9 embeds pnpm@11.7.0 in
src/install-pnpm/bootstrap/pnpm-lock.json. The action runs npm ci on that
lockfile before resolving/self-updating to the consumer's requested pnpm
version.

Since public advisory
GHSA-qrv3-253h-g69c
marks pnpm >=11.0.0 <11.8.0 as high severity, every current v6.0.9 action run
now prints:

added 1 package, and audited 2 packages in 1s
1 high severity vulnerability
To address all issues, run:
  npm audit fix --force
Run `npm audit` for details.

The issue is visible in this public consumer run:
https://github.com/Malakof/crystal-platform/actions/runs/29153557294

Consumer tracking: https://github.com/Malakof/crystal-platform/issues/327

Reproduction

Use pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271
on a current GitHub-hosted runner, or run:

tmpdir=$(mktemp -d)
cd "$tmpdir"
npm init -y
npm install pnpm@11.7.0 --package-lock-only --ignore-scripts
npm audit --json

The audit reports pnpm as the direct high-severity dependency, affected range
11.0.0 - 11.7.0, with a fix available at 11.8.0 or later.

Expected

Please update both committed bootstrap lockfiles (including the relevant
@pnpm/exe bootstrap) to a pnpm release outside the advisory range, rebuild
dist, and publish a new immutable Node 24 action release/commit.

Changing only a consumer's version: input or packageManager field does not
remove this output because the embedded bootstrap npm ci happens first.

I searched open and closed issues for the advisory id and 11.8.0 vulnerability
before filing and found no existing report. Current master is still v6.0.9
commit 0ebf47130e48....

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions