js · pnpm · Critical
pnpm: malicious lockfile bypass via auto-switching
What changed
pnpm's automatic package-manager version switching now re-resolves the env-lockfile metadata shipped in a repository before install and execution, instead of trusting it as committed. Previously a malicious repository could commit poisoned package-manager lockfile entries that bypassed fresh resolution and led to arbitrary code execution on the machine running pnpm.
Who it affects
Users who run pnpm directly in a repository with package-manager auto-switching enabled, since the switch happens before any install or script runs. Affected packages: pnpm and @pnpm/installing.env-installer.
What to do today
Update pnpm to the patched version once it is released. Until then, disable automatic package-manager switching before running pnpm in any repository you do not trust, so a committed packageManager pin or lockfile entry cannot pick which pnpm binary runs.
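As an added illustration (not from the advisory or from pnpm's own code), the following POSIX shell helper checks an untrusted checkout before pnpm touches it and runs pnpm with auto-switching turned off for that one invocation. It assumes pnpm's `manage-package-manager-versions` setting (the switch that enables auto-switching) and that pnpm honors `npm_config_*` environment overrides; the sample repository it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from pnpm or the advisory.
# Inspect an untrusted checkout before running pnpm in it:
#   1. report the packageManager pin in package.json (the value auto-switching acts on)
#   2. report whether the checkout's own .npmrc opts out of auto-switching
#   3. run pnpm with auto-switching disabled for this process only

# Constructed sample repository so the script runs stand-alone.
# The pin "pnpm@9.0.0" is an arbitrary constructed value.
make_sample_repo() {
  dir=$(mktemp -d)
  printf '{\n  "name": "demo",\n  "packageManager": "pnpm@9.0.0"\n}\n' > "$dir/package.json"
  printf 'manage-package-manager-versions=true\n' > "$dir/.npmrc"
  echo "$dir"
}

# Print the packageManager value from package.json, or nothing if absent.
package_manager_pin() {
  sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json"
}

# Exit 0 if the checkout's .npmrc disables auto-switching, 1 otherwise.
# A repository-level .npmrc overrides the user's global one, so this is the
# file that matters for a cloned repo.
auto_switch_disabled() {
  grep -Eq '^[[:space:]]*manage-package-manager-versions[[:space:]]*=[[:space:]]*false[[:space:]]*$' \
    "$1/.npmrc" 2>/dev/null
}

# Run pnpm inside the checkout with auto-switching off for this invocation.
# pnpm reads settings from npm_config_* environment variables (assumption:
# dashes map to underscores), and the environment wins over .npmrc, so the
# repository cannot re-enable the switch from a committed file.
safe_pnpm() {
  dir=$1
  shift
  (cd "$dir" && npm_config_manage_package_manager_versions=false pnpm "$@")
}

# Demo: run with --demo to see the checks against the constructed repo.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_repo)
  echo "packageManager pin: $(package_manager_pin "$d")"
  if auto_switch_disabled "$d"; then
    echo "auto-switching: disabled by repo .npmrc"
  else
    echo "auto-switching: NOT disabled by repo .npmrc; use safe_pnpm"
  fi
fi
```

The point of `safe_pnpm` is that the override lives in the process environment rather than in a file the repository can ship, so a poisoned `.npmrc` or `packageManager` field in the checkout cannot re-enable the switch; once the patched pnpm is installed the wrapper can be dropped.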
Source
GitHub Advisory · pnpm