{"uuid": "548766d3-5593-4224-b86f-7c2e24141aa6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-5xrq-8626-4rwp", "type": "seen", "source": "https://gist.github.com/rodrigo-arias/52b0854a2e57501b04c4c8d6728a34ea", "content": "# pnpm-audit\n\n`pnpm audit` on pnpm \u2264 10 started failing on 2026-07-15 when npm retired the\nlegacy audit endpoints ([pnpm#11265](https://github.com/pnpm/pnpm/issues/11265)):\n\n```\nERR_PNPM_AUDIT_BAD_RESPONSE ... responded with 410: This endpoint is being retired.\n```\n\npnpm 11 uses the new bulk advisory endpoint \u2014 but if your repo pins pnpm 10 via\n`engines.pnpm` (hard-enforced, no bypass flag) or `packageManager` (pnpm 11\nsilently delegates to the pinned version), even an installed pnpm 11 won't\naudit it, and you may not be ready to migrate the repo (pnpm 11 rewrites the\nlockfile format on install).\n\nThis wrapper audits a temp-dir copy of your lockfile with those pins stripped \u2014\nidentical results, zero changes to your repo.\n\n## Install\n\nSave `pnpm-audit.sh` from this gist somewhere on your PATH:\n\n```sh\n# e.g.\nmv pnpm-audit.sh ~/.local/bin/pnpm-audit &amp;&amp; chmod +x ~/.local/bin/pnpm-audit\n```\n\nRequires `node`. Finds pnpm \u2265 11 via `$PNPM11`, Homebrew kegs, or PATH;\nfalls back to `npx -y pnpm@11`.\n\n## Usage\n\n```sh\npnpm-audit                  # plain pnpm audit output, args passed through\npnpm-audit --summary        # grouped by severity: vulnerable package, installed/fix\n                            # versions, which of YOUR root deps pull it in, bump recap\npnpm-audit --audit-level=high\n```\n\nExit codes: `0` clean, `1` vulnerabilities found, `2` audit/parse error.\n\n### Example `--summary` output\n\n```\nCRITICAL  1 advisory in 1 package\n  vitest installed: 4.0.18\n    via: vitest (direct)\n    \u2022 When Vitest UI server is listening, arbitrary file can be read and executed (&gt;=4.0.0 &lt;4.1.0 \u2192 fix &gt;=4.1.0) GHSA-5xrq-8626-4rwp\n\nHIGH  8 advisories in 3 packages\n  next installed: 14.2.35\n    via: next (direct), next-seo\n    \u2022 Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n (&gt;=12.2.0 &lt;15.5.16 \u2192 fix &gt;=15.5.16) GHSA-36qx-fr4f-26g5\n    \u2022 Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades (&gt;=13.4.13 &lt;15.5.16 \u2192 fix &gt;=15.5.16) GHSA-c4j6-fc7j-m34r\n  minimatch installed: 3.1.2, 9.0.5\n    via: eslint, rimraf\n    \u2022 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern (&lt;3.1.3 \u2192 fix &gt;=3.1.3) GHSA-3ppc-4f35-3m26\n  ...\n\nRoot dependencies to bump\n  vitest     1 critical, 3 high, 2 moderate  via itself, picomatch, vite\n  next       5 high, 2 moderate              via itself, postcss\n  eslint     2 high, 2 moderate              via flatted, js-yaml, minimatch\n  rimraf     1 high                          via minimatch\n\n18 advisories \u2014 1 critical | 8 high | 6 moderate | 3 low\n```\n", "creation_timestamp": "2026-07-15T19:00:46.707612Z"}