js · pnpm · Critical
pnpm: lockfile alias path traversal and overwrite vulnerability
What changed
A crafted lockfile alias could be joined directly under a hoisted node_modules directory, allowing traversal aliases to escape that directory or reserved aliases like .bin or .pnpm to overwrite pnpm-owned layout. The patch validates package-name semantics and path containment before graph insertion or filesystem work.
Who it affects
Users of pnpm and pacquet who install dependencies from lockfiles that may contain malicious aliases.
What to do today
Update pnpm to the patched version as soon as it is released, or apply the private patch from the advisory's temporary fork.
Source
GitHub Advisory · pnpm