pnpm: Build approval now requires exact locator matching for opaque dependencies
Build approval for opaque dependency sources (git, URL, tarball, file, directory) now requires byte-exact matching of the resolved locator, instead of normalizing away parenthesized peer suffixes.
What changed
Previously, before comparing the resolved locator of an opaque dependency source (git, URL, tarball, file, directory) against an `allowBuilds` or `denyBuilds` key, pnpm normalized the locator by stripping any parenthesized peer suffix. Two distinct locators could therefore collapse to the same approval key, so an approval granted for one source could authorize the build scripts of a different, attacker-controlled source that normalized to the same value. Build approval now requires a byte-exact match of the resolved locator; no normalization is applied.
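The collision is easier to see in a small model. The JavaScript below is an added example, not pnpm's code: the locator strings and the legacy normalization rule (drop a trailing parenthesized suffix) are constructed to mirror the behaviour described above and are not pnpm's actual locator format or implementation. It compares which resolved locators an allow-list would approve under the legacy key derivation versus byte-exact matching, and includes a check for locators that would have collided.

```javascript
'use strict';

// Added example, not pnpm's code. The normalization below is a constructed
// stand-in for the legacy behaviour described in the advisory: strip a
// trailing "(...)" suffix before comparing locators.
function legacyApprovalKey(locator) {
  return locator.replace(/\([^()]*\)$/, '');
}

// Fixed behaviour: the resolved locator itself is the key, byte for byte.
function exactApprovalKey(locator) {
  return locator;
}

// Evaluate an allow-list against resolved locators using a key function.
// Returns the subset of locators whose build scripts would be permitted.
function approvedLocators(allowBuilds, resolvedLocators, keyFn) {
  const allowed = new Set(allowBuilds.map(keyFn));
  return resolvedLocators.filter((loc) => allowed.has(keyFn(loc)));
}

// Audit helper: group locators by approval key and return every group in
// which two or more distinct locators share one key (i.e. a collision).
function findCollisions(locators, keyFn) {
  const byKey = new Map();
  for (const loc of locators) {
    const key = keyFn(loc);
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(loc);
  }
  return [...byKey.values()].filter((group) => new Set(group).size > 1);
}

// Constructed sample data (hypothetical locators, not taken from a real
// lockfile): one approved tarball source and a second, distinct locator whose
// only difference lies in the parenthesized tail the legacy rule discards.
const ALLOW_BUILDS = ['native-lib@https://example.com/native-lib-1.2.0.tgz'];
const RESOLVED = [
  'native-lib@https://example.com/native-lib-1.2.0.tgz',
  'native-lib@https://example.com/native-lib-1.2.0.tgz(peer@2.0.0)',
];

// Legacy: both locators are approved because they share a key.
// Exact: only the locator that was actually approved is permitted.
console.log('legacy approves:', approvedLocators(ALLOW_BUILDS, RESOLVED, legacyApprovalKey));
console.log('exact approves: ', approvedLocators(ALLOW_BUILDS, RESOLVED, exactApprovalKey));
console.log('legacy collisions:', findCollisions(RESOLVED, legacyApprovalKey));
console.log('exact collisions: ', findCollisions(RESOLVED, exactApprovalKey));
```

`findCollisions` is the check worth keeping around: run it over the full set of resolved locators in a lockfile with whatever key derivation a policy layer uses, and any non-empty result means one approval can silently cover more than one source.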
Who it affects
Any pnpm user whose `allowBuilds` or `denyBuilds` policy references opaque (non-registry) dependency sources: git, URL, tarball, file, or directory dependencies. Policies that only reference registry packages are not affected by this change.
What to do today
Review your `allowBuilds` and `denyBuilds` policies for opaque dependencies and update each key to match, byte for byte, the resolved locator shown in pnpm's ignored-build output. A key that only matched because the old normalization stripped a parenthesized suffix will no longer match, so the corresponding build scripts are skipped until the key is corrected. Because matching is now exact, a change in the resolved locator (a new git commit, a different tarball URL, or a different peer suffix) requires re-approval rather than being covered by the old entry.