4 changed files with 81 additions and 4 deletions
--- a/pnpm-10.28.0.tgz
+++ b/pnpm-10.28.0.tgz
--- a/pnpm-10.28.2.tgz
+++ b/pnpm-10.28.2.tgz
--- a/pnpm.changes
+++ b/pnpm.changes
@@ -1,3 +1,80 @@
+-------------------------------------------------------------------
+Tue Jan 27 06:31:09 UTC 2026 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.28.2:
+  * Patch Changes
+    - Security fix: prevent path traversal in directories.bin
+      field.
+    - When pnpm installs a file: or git: dependency, it now
+      validates that symlinks point within the package directory.
+      Symlinks to paths outside the package root are skipped to
+      prevent local data from being leaked into node_modules.
+      This fixes a security issue where a malicious package could
+      create symlinks to sensitive files (e.g., /etc/passwd,
+      ~/.ssh/id_rsa) and have their contents copied when the
+      package is installed.
+      Note: This only affects file: and git: dependencies. Registry
+      packages (npm) have symlinks stripped during publish and are
+      not affected.
+    - Fixed optional dependencies to request full metadata from the
+      registry to get the libc field, which is required for proper
+      platform compatibility checks #9950.
+- update to 10.28.1:
+  * Patch Changes
+    - Fixed installation of config dependencies from private
+      registries.
+      Added support for object type in configDependencies when the
+      tarball URL returned from package metadata differs from the
+      computed URL #10431.
+    - Fix path traversal vulnerability in binary fetcher ZIP
+      extraction
+      - Validate ZIP entry paths before extraction to prevent
+        writing files outside target directory
+      - Validate BinaryResolution.prefix (basename) to prevent
+        directory escape via crafted prefix
+      - Both attack vectors now throw ERR_PNPM_PATH_TRAVERSAL error
+    - Support plain http:// and https:// URLs ending with .git as
+      git repository dependencies.
+      Previously, URLs like
+      https://gitea.example.org/user/repo.git#commit were not
+      recognized as git repositories because they lacked the git+
+      prefix (e.g., git+https://). This caused issues when
+      installing dependencies from self-hosted git servers like
+      Gitea or Forgejo that don't provide tarball downloads.
+      Changes:
+      - The git resolver now runs before the tarball resolver,
+        ensuring git URLs are handled by the correct resolver
+      - The git resolver now recognizes plain http:// and https://
+        URLs ending in .git as git repositories
+      - Removed the isRepository check from the tarball resolver
+        since it's no longer needed with the new resolver order
+      Fixes #10468
+    - pnpm run -r and pnpm run --filter now fail with a non-zero
+      exit code when no packages have the specified script.
+      Previously, this only failed when all packages were selected.
+      Use --if-present to suppress this error #6844.
+    - Fixed a path traversal vulnerability in tarball extraction on
+      Windows. The path normalization was only checking for ./ but
+      not .\. Since backslashes are directory separators on
+      Windows, malicious packages could use paths like
+      foo\..\..\.npmrc to write files outside the package
+      directory.
+    - When running "pnpm exec" from a subdirectory of a project,
+      don't change the current working directory to the root of the
+      project #5759.
+    - Fixed a path traversal vulnerability in pnpm's bin linking.
+      Bin names starting with @ bypassed validation, and after
+      scope normalization, path traversal sequences like ../../
+      remained intact.
+    - Revert Try to avoid making network calls with preferOffline
+      #10334.
+    - Fix --save-peer to write valid semver ranges to
+      peerDependencies for protocol-based installs (e.g. jsr:) by
+      deriving from resolved versions when available and falling
+      back to * if none is available #10417.
+    - Do not exclude the root workspace project, when it is
+      explicitly selected via a filter #10465.
+
 -------------------------------------------------------------------
 Mon Jan 19 09:13:44 UTC 2026 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

--- a/pnpm.spec
+++ b/pnpm.spec
@@ -23,7 +23,7 @@
 %global __nodejs_provides %{nil}
 %global __nodejs_requires %{nil}
 Name:           pnpm
-Version:        10.28.0
+Version:        10.28.2
 Release:        0
 Summary:        Fast, disk space efficient package manager
 License:        MIT