Open perrylets opened 10 months ago
I don't know how we can prevent this or why it is happening. Any ideas are welcomed.
I'm unable to reproduce it on my side, just to check something, do you have the Developer mode enabled in Windows?
I get this on Windows 11, Node 20.9.0 (LTS). It's AVG that flags the pnpm.exe as containing the FileRepMalware.
I just found out that Google Chrome also flags it as possible malware, I'm checking it.
Edit: as expected it didn't find anything.
Looks like the term FileRepMalware is a very generic malware description, so I don't really know why 3 antivirus are flagging pnpm as that.
Fun detail: using the iwr https://get.pnpm.io/install.ps1 -useb | iex command made AVG go crazy. Using volta install pnpm worked, without any pesky AVG interference. So... A fix for those of us using Volta.
Maybe we need to sign the ps1 script or pnpm.exe.
It's possible to do that with pkg? I don't find anything about that in the pkg repo
Related issue I think https://github.com/vercel/pkg/issues/1992
I'm unable to reproduce it on my side, just to check something, do you have the Developer mode enabled in Windows?
Yes
@nachoaldamav
Avast is also detecting pnpm.exe as a FileRepMalware when I use iwr to install pnpm.
Does anyone know a practical fix to avoid this issue?
vercel/pkg#1992 has been closed, likely because pkg is deprecated now. So what can be done now?
@perrylets Vercel deprecated pkg yesterday and removed all the issues from the repo.
They said there are more alternatives to pkg and the new node option to create executables. But that feature was added in Node 21, so it won't work for pnpm as we should support previous versions.
Maybe we can check this feature, Single executable applications (nodejs.org), that looks like it was added in v18.16.0. It has support for adding signatures to the binaries (which I think will fix the issue with the antivirus). FYI @zkochan
It is still being flagged as malware by Avast and AVG. See the VirusTotal page of the pnpm 8.14.1 exe submission here: https://www.virustotal.com/gui/file/359186fff814c3d8eed00ce341e4deb78a316a208cef8c0052b8343d7ecd862f/community
Please upvote in VirusTotal the pnpm's community reputation by clicking the green checkmark. That way it will be flagged as false positive and somehow malware researchers at each of the companies will be alerted (hope so).
Hello, how to resolve issue with latest version of pnpm on Windows 11 Enterprise? Currently I can't install it, because of "virus":
PS C:\WINDOWS\system32> Invoke-WebRequest https://get.pnpm.io/install.ps1 -UseBasicParsing | Invoke-Expression
Downloading pnpm from GitHub...
Running setup...
Start-Process : This command cannot be run due to the error: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
At line:139 char:1
+ Start-Process -FilePath $tempFile -ArgumentList "setup" -NoNewWindow ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
You can install the js version of pnpm that doesn't come bundled with Node.js. You can use npm or corepack to do so. So, with npm you should run:
npm i -gf pnpm
Maybe we need to sign the ps1 script or pnpm.exe.
@zkochan any update on signing the files?
The suggested solution is to use node's single executable applications, which are still experimental. pkg was deprecated but has a well maintained fork. I don't think we should switch to node's single executable applications at this time. We can sign the binaries but I don't have experience how to do it. As far as I understand the binary for macOS is signed by pkg.
Stumbled upon this issue while migrating away from corepack, given Node's stated goal of removing corepack. Is there a way to install the latest version of pnpm on Windows to use it as the Node version manager?
If there's no way to install the pnpm executable on Windows, then you should still be able to manage node.js versions of projects but not the global node.js. So, pnpm will be able to manage the node.js used during pnpm run or pnpm node but not the node.js in your CLI.
Verify latest release
pnpm version
No response
Which area(s) of pnpm are affected? (leave empty if unsure)
No response
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
Try to install pnpm on windows with winget or the provided powershell snippet on Windows.
Describe the Bug
Windows Defender will flag what I assume is the temp file for the installation as malware and stop the execution of the script.
Expected Behavior
pnpm should be installed correctly without the process stopping.
Which Node.js version are you using?
21.1.0
Which operating systems have you used?
If your OS is Linux based, which one is it? (Include the version if relevant)
No response