js · pnpm · Critical
pnpm configDependency path traversal in lockfile allows arbitrary symlink
What changed
pnpm accepts configDependency names from the lockfile that contain path traversal sequences (e.g., '../../PWNED_CFGDEP'), and uses them unsanitized in filesystem paths, allowing symlink creation outside the intended node_modules/.pnpm-config directory.
Who it affects
All users of pnpm who install from repositories with a malicious pnpm-lock.yaml; the issue is triggered during pnpm install even with --ignore-scripts.
What to do today
Update pnpm to a patched version as soon as one is available; in the meantime, avoid installing projects from untrusted sources or manually inspect pnpm-lock.yaml for configDependencies entries containing path traversal patterns.
Source
GitHub Advisory · pnpm