Keep build approval for opaque dependency sources byte-exact for GHSA-5wx6-mg75-v57r / CAND-PNPM-123.
Merged upstream commit bf1b731ee6 fixed the original name-only approval bypass by making build policy consume the resolved dependency identity. One collision remained: the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator normalized to the same value.
Collision forms:
- allowBuilds approving foo@https://host/pkg.tgz: the upstream implementation also accepted foo@https://host/pkg.tgz(evil) because both passed through peer-suffix removal.
- foo@https://host/pkg@1.0.0(good) and foo@https://host/pkg@1.0.0(evil) collided because the parser selected the final @ and misclassified the opaque URL as a registry package.
- https://host/pkg@1.0.0 could collapse https://host/pkg@1.0.0(evil).

Changes:
- building/policy/src/index.ts and building/policy/test/index.ts normalize only parsed registry identities and retain exact opaque keys.
- pacquet/crates/package-manager/src/build_modules.rs passes snapshot identities to policy, matches TypeScript package-separator parsing, and preserves opaque locators.
- pacquet/crates/package-manager/src/build_modules/tests.rs covers exact approval and denial, all three collision forms, ignored-build output, and registry peer compatibility.
- .changeset/quiet-opaque-build-identities.md records patch releases for @pnpm/building.policy and pnpm.

Validation:
$ jest building/policy/test/index.ts --runInBand
16 passed
$ cargo test -p pacquet-package-manager build_modules::tests -- --nocapture
49 passed
$ cargo fmt --all -- --check
PASS
$ git diff --check 84bb4b1a046f3a659de1c9aab1d45dcf814124ce...HEAD
PASS
@ collision before the additive fix and passed afterward.
84bb4b1a046f3a659de1c9aab1d45dcf814124ce.
@pnpm/pacquet@0.11.2; no candidate-focused test failed.
10.34.2: https://github.com/pnpm/pnpm/commit/14bceb1e0b2a71f4f670774db261feb03f38ec23
11.5.3: https://github.com/pnpm/pnpm/commit/bf1b731ee6c0ea98709e671ff0f46bf654480ab8
Registry package approvals keep their existing form. Opaque dependencies that were approved through a normalized parenthesized variant must now use the exact key shown in pnpm's ignored-build output. This is the intended trust-boundary change; no package-resolution or artifact format changes.
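The following is an added example, not code from pnpm, pacquet, or this pull request. It models the two behaviours described above: a normalizer that strips parenthesized text from every dependency identity (the collision), and a key function that drops the peer suffix only for identities that parse as a registry package and keeps every opaque locator byte-exact (the fix). The package-name and version-spec patterns, the function names, and the sample identities are assumptions constructed from the collision forms listed above, not pnpm's actual parsing rules.

```typescript
// Added example; not pnpm's or pacquet's code. Parsing rules below are
// simplified assumptions chosen to reproduce the advisory's collision forms.

// Vulnerable model: strip a trailing parenthesized peer suffix from every
// identity, whether it is a registry package or an opaque locator
// (git, URL, tarball, file). Distinct opaque sources then share one key.
function vulnerableApprovalKey(id: string): string {
  return id.replace(/\(.*\)$/, "");
}

// A bare or scoped npm package name (assumed shape, enough for the example).
const PACKAGE_NAME = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/i;

// A registry version spec: semver-like, optionally with a pnpm-style
// parenthesized peer suffix such as "(react@18.0.0)".
const REGISTRY_SPEC = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?(?:\(.*\))?$/;

// Package separator for "name@spec": the first "@" after index 0, so a scoped
// name's leading "@" is not the separator and a URL's own "@" (as in
// "foo@https://host/pkg@1.0.0") stays inside the spec instead of being
// picked as the final "@".
function splitPackageSeparator(id: string): { name: string; spec: string } {
  const at = id.indexOf("@", 1);
  if (at === -1) return { name: id, spec: "" };
  return { name: id.slice(0, at), spec: id.slice(at + 1) };
}

// Fixed model: the peer suffix is dropped only when both halves parse as a
// registry identity; every other locator keeps its exact key.
function exactApprovalKey(id: string): string {
  const { name, spec } = splitPackageSeparator(id);
  if (PACKAGE_NAME.test(name) && REGISTRY_SPEC.test(spec)) {
    return `${name}@${spec.replace(/\(.*\)$/, "")}`;
  }
  return id;
}

// Build policy check: the dependency's key must equal an approved key under
// the same normalization.
function isBuildApproved(
  allowBuilds: readonly string[],
  dependencyId: string,
  keyOf: (id: string) => string,
): boolean {
  const approved = new Set(allowBuilds.map(keyOf));
  return approved.has(keyOf(dependencyId));
}

// Constructed sample: the three collision forms, plus a legitimate registry
// peer variant that must remain approved after the fix.
const CASES: Array<[string, string]> = [
  ["foo@https://host/pkg.tgz", "foo@https://host/pkg.tgz(evil)"],
  ["foo@https://host/pkg@1.0.0(good)", "foo@https://host/pkg@1.0.0(evil)"],
  ["https://host/pkg@1.0.0", "https://host/pkg@1.0.0(evil)"],
  ["@scope/name@1.2.3", "@scope/name@1.2.3(react@18.0.0)"],
];

for (const [approvedId, candidate] of CASES) {
  console.log(
    candidate,
    "vulnerable:", isBuildApproved([approvedId], candidate, vulnerableApprovalKey),
    "fixed:", isBuildApproved([approvedId], candidate, exactApprovalKey),
  );
}
```

Under the vulnerable normalizer all four candidates are approved; under the exact-key function only the scoped registry package with a peer suffix is, which is the behaviour the changeset describes: registry approvals keep their form, opaque approvals must match the exact key.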
GitHub intentionally does not run status checks on temporary private-fork pull requests. The complete policy suites, formatting, and diff checks above are the applicable validation: https://docs.github.com/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
Written by an agent (Codex, GPT-5).
{
"nvd_published_at": "2026-06-25T18:16:40Z",
"severity": "HIGH",
"cwe_ids": [
"CWE-346",
"CWE-693",
"CWE-829"
],
"github_reviewed_at": "2026-06-26T23:18:13Z",
"github_reviewed": true
}