pnpm configDependencies Remote Code Execution (CVE-2025-27815)
The configDependencies feature allowed a repository to declare pacquet or @pnpm/pacquet as a config dependency, which pnpm then resolved and executed via spawn() with no explicit trust decision by the user running the command.
What changed
The fix adds configDependencyInstallEngineAllowlist, an allowlist that must be set by the user (in the global config, on the command line, or through the environment) before pnpm will delegate install-engine execution to pacquet. Any value for this setting supplied by the workspace itself, that is, by the repository being installed, is discarded, so a repository can no longer grant itself that permission.
Who it affects
All pnpm users on versions before 10.34.2 (10.x line) or 11.5.3 (11.x line) who run any dependency-management command (e.g., pnpm install) in a repository whose configDependencies include pacquet or @pnpm/pacquet. A malicious repository can therefore execute arbitrary native binaries with the victim's privileges as a side effect of being installed.
What to do today
Update pnpm to 10.34.2 or 11.5.3 immediately. If you cannot update, do not run pnpm commands (not only pnpm install) in repositories you do not trust, and inspect the repository's configDependencies, declared in pnpm-workspace.yaml, for pacquet or @pnpm/pacquet before running pnpm in an unfamiliar checkout.
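A pre-flight check for the two conditions described in the sections above (a repository that declares pacquet or @pnpm/pacquet as a config dependency, and an unpatched pnpm version), added here as an example; it is not pnpm's code and not part of the advisory. It assumes that configDependencies are declared in pnpm-workspace.yaml at the repository root, which is where pnpm documents that setting, and it takes the fixed releases as 10.34.2 for 10.x and 11.5.3 for 11.x exactly as stated above; treating any other major version as unpatched is a conservative assumption of this script, not something the advisory states. The sample workspace file is constructed.

```shell
#!/usr/bin/env bash
# Pre-flight check before running pnpm in a repository you did not author.
# Added example, not pnpm project code. Assumptions (labelled):
#   - configDependencies are declared in pnpm-workspace.yaml at the repo root
#   - the dangerous entries are exactly "pacquet" and "@pnpm/pacquet" (from the advisory)
#   - fixed releases are 10.34.2 (10.x) and 11.5.3 (11.x) (from the advisory);
#     any other major is treated as unpatched, failing closed (this script's choice)

# Returns 0 if FILE declares pacquet or @pnpm/pacquet under configDependencies, 1 otherwise.
workspace_declares_pacquet() {
  local file="$1"
  [ -f "$file" ] || return 1
  # Keep only the lines of the configDependencies mapping: from the key up to the
  # next top-level (unindented, non-comment) key, then look for the two names.
  awk '
    /^configDependencies:/ { inblock = 1; next }
    inblock && /^[^ \t#]/ { inblock = 0 }
    inblock { print }
  ' "$file" | grep -Eq '^[[:space:]]+["'"'"']?(@pnpm/)?pacquet["'"'"']?[[:space:]]*:'
}

# Returns 0 if dotted version A is >= dotted version B, comparing numerically segment by segment.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = x[i] + 0; yi = y[i] + 0      # missing segments count as 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Returns 0 if the pnpm version string carries the fix, 1 otherwise.
pnpm_is_patched() {
  case "$1" in
    10.*) version_ge "$1" 10.34.2 ;;
    11.*) version_ge "$1" 11.5.3 ;;
    *)    return 1 ;;   # assumption: no fix listed for other lines, so fail closed
  esac
}

# Constructed sample workspace file (not taken from any real repository).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
packages:
  - "packages/*"
configDependencies:
  "@pnpm/pacquet": "0.1.0+sha512-CONSTRUCTED"
  my-shared-config: "1.0.0+sha512-CONSTRUCTED"
EOF

if workspace_declares_pacquet "$sample"; then
  echo "refuse: workspace delegates install-engine execution to pacquet"
fi
rm -f "$sample"

# Against a real checkout, run from the repo root with pnpm on PATH:
if command -v pnpm >/dev/null 2>&1; then
  if ! pnpm_is_patched "$(pnpm --version)"; then
    echo "warning: pnpm $(pnpm --version) predates the fix; update before installing"
  fi
fi
```

Run it from the root of a checkout before any pnpm command, not only pnpm install, since any dependency-management command resolves configDependencies. The YAML handling is deliberately minimal (a scan of the block mapping), so an entry written in flow style or reached through an anchor would be missed; treat a miss as "no evidence found", not as "clean".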