pnpm Git Dependency Handling Allows Arbitrary Code Execution via Malicious Lockfile
What changed
A security vulnerability in pnpm's git dependency handling: the lockfile-controlled `resolution.commit` value is passed to `git fetch` and `git checkout` without a `--` separator or commit-format validation, allowing a malicious lockfile to inject Git options such as `--upload-pack=<command>`, which leads to code execution under specific transport conditions (SSH or local git).
Who it affects
Users of pnpm who install git dependencies via SSH or local git transports; HTTPS transport is immune.
What to do today
Review your pnpm-lock.yaml for any git dependencies using SSH or local transports and ensure they are from trusted sources. Apply the suggested remediation by adding a `--` separator and validating `resolution.commit` matches `/^[0-9a-f]{40}$/i`.
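The following is an added example, not pnpm's own code, showing the two controls above as a defender would apply them: a lockfile review helper that flags git dependencies on SSH or local transports and rejects any `resolution.commit` that is not a 40-hex-digit SHA-1, plus hardened argv construction that validates the commit and places the `--` separator so git never parses a lockfile value as an option. The lockfile layout (`resolution: {type: git, repo: ..., commit: ...}`), the function names, and the sample lockfile are assumptions constructed for this illustration; the exact git commands pnpm runs are not on the page.

```javascript
// Added example (not pnpm's code). Assumes git resolutions appear in
// pnpm-lock.yaml as an inline map: resolution: {type: git, repo: <url>, commit: <sha>}.
const COMMIT_RE = /^[0-9a-f]{40}$/i; // the validation the advisory recommends

function isValidCommit(commit) {
  return typeof commit === 'string' && COMMIT_RE.test(commit);
}

// HTTPS is immune per the advisory; SSH and local transports are the affected ones.
function transportOf(repo) {
  if (/^(git\+)?https?:\/\//i.test(repo)) return 'https';
  if (/^(git\+)?ssh:\/\//i.test(repo) || /^[\w.-]+@[\w.-]+:/.test(repo)) return 'ssh';
  if (/^(git\+)?file:\/\//i.test(repo) || /^\.{0,2}\//.test(repo)) return 'local';
  return 'unknown';
}

// Hardened argv builders (hypothetical names). Validation is the primary control;
// `--` is belt-and-braces. Note the placement differs per subcommand: for fetch,
// `--` ends option parsing before the positional args; for checkout, anything
// after `--` is a pathspec, so the commit must come before it.
function gitFetchArgs(remote, commit) {
  if (!isValidCommit(commit)) throw new Error(`refusing non-SHA-1 commit value: ${commit}`);
  return ['fetch', '--', remote, commit];
}
function gitCheckoutArgs(commit) {
  if (!isValidCommit(commit)) throw new Error(`refusing non-SHA-1 commit value: ${commit}`);
  return ['checkout', commit, '--'];
}

// Minimal parser for the inline-map form; real lockfiles may use block form.
function parseInlineMap(body) {
  const map = {};
  for (const m of body.matchAll(/(\w+):\s*([^,}]+)/g)) map[m[1]] = m[2].trim();
  return map;
}

// Walk the lockfile text and classify every git dependency:
//   reject  -> commit is not a SHA-1 (possible option injection), do not install
//   review  -> SSH/local transport with a well-formed commit, confirm the source is trusted
//   ok      -> HTTPS transport with a well-formed commit
function scanLockfile(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const pkg = raw.match(/^  ([^\s:][^:]*):\s*$/); // two-space indented package key
    if (pkg) { current = pkg[1]; continue; }
    const res = raw.match(/^\s*resolution:\s*\{([^}]*)\}/);
    if (!res || !current) continue;
    const r = parseInlineMap(res[1]);
    if (r.type !== 'git') continue;
    const transport = transportOf(r.repo || '');
    let verdict;
    if (!isValidCommit(r.commit)) verdict = 'reject';
    else if (transport === 'ssh' || transport === 'local') verdict = 'review';
    else verdict = 'ok';
    findings.push({ pkg: current, repo: r.repo, commit: r.commit, transport, verdict });
  }
  return findings;
}

// Constructed sample lockfile (not a real project's); the third entry carries the
// option-shaped commit value the advisory describes, with a placeholder payload.
const SAMPLE_LOCKFILE = [
  "lockfileVersion: '9.0'",
  'packages:',
  '  good-pkg@1.0.0:',
  '    resolution: {type: git, repo: https://github.com/example/good.git, commit: 0123456789abcdef0123456789abcdef01234567}',
  '  ssh-pkg@2.0.0:',
  '    resolution: {type: git, repo: git+ssh://git@github.com/example/ssh-pkg.git, commit: 89abcdef0123456789abcdef0123456789abcdef}',
  '  bad-pkg@3.0.0:',
  '    resolution: {type: git, repo: git+ssh://git@github.com/example/bad.git, commit: --upload-pack=PLACEHOLDER}',
  '  reg-pkg@4.0.0:',
  '    resolution: {integrity: sha512-PLACEHOLDER}',
].join('\n');

for (const f of scanLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.verdict.padEnd(6)} ${f.pkg} (${f.transport}) commit=${f.commit}`);
}
```

Run with `node` to see the three git entries classified; the registry entry is ignored. A real review would read `pnpm-lock.yaml` from disk and treat any `reject` finding as a blocker before running `pnpm install`.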