pnpm v10.28.2 has warnings detected in the latest brin safety scan. Trust score: 75/100. Review the flagged concerns before use. This is an automated assessment.

Does pnpm have any known vulnerabilities?

pnpm v10.28.2 has 5 known CVE vulnerabilities. Review the safety scan for severity details and remediation guidance.

What capabilities does pnpm have?

pnpm has the following detected capabilities: filesystem access, process spawning, environment variable access. Review these before using with AI coding agents.

Can I use pnpm safely with AI coding agents?

pnpm has been flagged with risk indicators. Review the detected threats and capabilities before using with AI coding agents. Assessments are automated and may contain errors.

pnpm

npm

Is pnpm safe to use?

The latest brin safety scan flagged pnpm v10.28.2 with risk indicators that warrant review. 5 known CVE vulnerabilities. Trust score: 75/100. Review the findings below before use. This is an automated assessment and may contain errors.

Install (safety-checked)

pnpm Has Warnings

Warnings detected due to potential concerns

warning

CVEs

Threats

Install Scripts

Risk Indicators

•Can spawn child processes

pnpm CVE Vulnerabilities (5)

CVE-2026-23888medium

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

Fixed in: 10.28.1

CVE-2026-23889medium

pnpm has Windows-specific tarball Path Traversal

Fixed in: 10.28.1

CVE-2026-23890medium

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Fixed in: 10.28.1

brin Recommendations

→This package has warnings detected. Evaluate the specific concerns before proceeding.

Install with brin add pnpm to automatically apply these checks before installation.

This is an automated, point-in-time assessment and may contain errors. Findings are risk indicators, not confirmed threats. Security posture may change over time. Maintainers can dispute findings via the brin review process.

pnpm Capabilities & Permissions

What pnpm can access when installed. Review these capabilities before using with AI agents like Cursor, Claude Code, or Codex.

Filesystem Access

Reads and writes to the filesystem.

.env (rw)node_modules (rw)package.json (rw)/usr/ (rw)/usr/ (rw)

Process Spawning

This package can spawn child processes.

Environment Variables

Accesses the following environment variables.

FORCE_COLORGRACEFUL_FS_PLATFORMNODE_DEBUGOSTYPETEST_GRACEFUL_FS_GLOBAL_PATCH

AGENTS.md for pnpm

Good instructions lead to good results. brin adds pnpm documentation to your AGENTS.md so your agent knows how to use it properly—improving both safety and performance.