pnpm 15-CVE batch: lockfile-driven RCE, integrity bypass, git argument injection
pnpm disclosed a coordinated batch of advisories. The headline items:
- CVE-2026-55698: an env lockfile short-circuits package-manager resolution and runs attacker-chosen pnpm bytes (CVSS 8.8).
- CVE-2026-50016: transitive alias path traversal replaces project paths with symlinks (CVSS 8.8).
- CVE-2026-50014: git fetch argument injection via the lockfile's resolution.commit field.
- CVE-2026-50021 and CVE-2026-50573: integrity-check bypass when a package's integrity field is missing or changed.
- CVE-2026-50015: arbitrary file write/delete via a malicious .patch file.
Pin CI runners to the patched pnpm release and treat any `pnpm install` against an untrusted PR branch as code execution until you upgrade. The integrity-bypass cases (50021/50573) mean lockfile diffs alone are no longer a sufficient guard — require frozen-lockfile mode and review changes to `packageManager`, `configDependencies`, and `patchedDependencies`.
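A pre-install CI gate that implements the review advice above, added here as an example (not code from pnpm or from the advisories). It scans the `packages:` block of a pnpm-lock.yaml for entries that lack an `integrity` field or whose git `resolution.commit` is not a full hex SHA, and reports changes to `packageManager`, `pnpm.patchedDependencies` and `pnpm.configDependencies` between a base and a head package.json. The lockfile excerpt and the package.json objects are constructed for the example; the `pnpm.configDependencies` path is an assumption (pnpm may keep that setting in pnpm-workspace.yaml instead), and the line-based parser relies on resolution entries being one-line flow mappings, which is how pnpm writes them.

```python
import re
from typing import Dict, List, Tuple

# Constructed pnpm-lock.yaml excerpt in the v9 layout. Only the shape of the
# "packages:" block matters here; real lockfiles carry many more fields.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      lodash:
        specifier: ^4.17.21
        version: 4.17.21

packages:

  lodash@4.17.21:
    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}

  left-pad@1.3.0:
    resolution: {tarball: https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz}

  some-lib@git+https://github.com/example/some-lib.git:
    resolution: {commit: feature/branch, repo: https://github.com/example/some-lib.git, type: git}
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
INTEGRITY_RE = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+=*$")

# Fields whose change in a PR deserves human review. The first two live in
# package.json; pnpm.configDependencies is an assumed location for this example.
SENSITIVE_PATHS = ("packageManager", "pnpm.patchedDependencies", "pnpm.configDependencies")


def parse_packages(lock_text: str) -> Dict[str, Dict[str, str]]:
    """Map each key under "packages:" to its resolution flow mapping.

    Deliberately line-based: resolution entries are one-line flow mappings,
    so no YAML library is needed on a minimal CI image.
    """
    packages: Dict[str, Dict[str, str]] = {}
    in_packages = False
    current = None
    for raw in lock_text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):              # top-level key
            in_packages = raw.rstrip() == "packages:"
            current = None
            continue
        if not in_packages:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 2 and line.endswith(":"):
            current = line[:-1].strip("'\"")      # scoped keys may be quoted
            packages[current] = {}
        elif indent == 4 and current and line.startswith("resolution:"):
            body = line[len("resolution:"):].strip().strip("{}")
            for part in body.split(", "):
                key, _, value = part.partition(": ")
                packages[current][key.strip()] = value.strip().strip("'\"")
    return packages


def audit_lockfile(lock_text: str) -> List[Tuple[str, str]]:
    """Return (package key, reason) for every entry that fails a check."""
    findings: List[Tuple[str, str]] = []
    for key, res in parse_packages(lock_text).items():
        if res.get("type") == "directory":       # local path deps carry no hash
            continue
        if res.get("type") == "git" or "commit" in res:
            commit = res.get("commit", "")
            if not FULL_SHA_RE.match(commit):
                findings.append((key, f"git resolution.commit is not a full hex sha: {commit!r}"))
        elif "integrity" not in res:
            findings.append((key, "tarball resolution has no integrity field"))
        elif not INTEGRITY_RE.match(res["integrity"]):
            findings.append((key, f"malformed integrity value: {res['integrity']!r}"))
    return findings


def _lookup(obj, dotted: str):
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def sensitive_field_changes(base_pkg: dict, head_pkg: dict) -> List[str]:
    """Dotted paths in SENSITIVE_PATHS whose value differs between two package.json objects."""
    return [p for p in SENSITIVE_PATHS if _lookup(base_pkg, p) != _lookup(head_pkg, p)]


if __name__ == "__main__":
    import sys
    lock = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    problems = audit_lockfile(lock)
    for key, reason in problems:
        print(f"{key}: {reason}")
    # Constructed base/head package.json pair: the PR adds a patched dependency.
    base = {"name": "app", "packageManager": "pnpm@0.0.0-placeholder"}
    head = {**base, "pnpm": {"patchedDependencies": {"lodash@4.17.21": "patches/lodash.patch"}}}
    for path in sensitive_field_changes(base, head):
        print(f"review required: {path} changed")
    sys.exit(1 if problems else 0)
```

Run it against the PR's lockfile before `pnpm install` in frozen-lockfile mode; a non-zero exit blocks the job. The checks are intentionally strict (a branch name in `resolution.commit` is flagged even though pnpm accepts it) because the goal is to force a human look at exactly the fields the advisories touch, and the diff of `SENSITIVE_PATHS` should be computed between the merge base and the PR head, not between two arbitrary commits.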