
pnpm: Missing hash verification for GitHub git dependencies

pnpm does not verify the hash of dependencies fetched from codeload.github.com.

27 Jun 2026 · Read 1 min · Severity: schedule it

What changed

pnpm does not verify the hash of dependencies fetched from codeload.github.com, allowing a compromised server or machine configuration to serve arbitrary tarballs that pnpm will install regardless of the lockfile.

Who it affects

Users of pnpm who rely on GitHub git dependencies (e.g., dependencies specified with git://github.com/...).

What to do today

Review your lockfiles for git dependencies from GitHub and consider pinning dependencies with integrity hashes or using alternative sources until a fix is released.
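An added example (not the advisory's or pnpm's own code) that does the review step above: it scans the text of a pnpm-lock.yaml for packages resolved from GitHub, either a codeload tarball or a git resolution, and reports whether an integrity hash is recorded for each. The two-space/four-space `packages:` layout and the sample lockfile are assumptions, constructed for the example.

```javascript
// Added example: find lockfile entries sourced from GitHub, the case this
// advisory says pnpm installs without hash verification.
// Assumed layout (pnpm v9 style): package keys indented two spaces, their
// "resolution: {...}" line indented four. Adjust the regexes if yours differs.

function auditLockfile(text) {
  const findings = [];
  let currentKey = null;
  for (const line of text.split("\n")) {
    const keyMatch = line.match(/^  ([^\s].*):$/);
    if (keyMatch) {
      currentKey = keyMatch[1];
      continue;
    }
    const resMatch = line.match(/^    resolution: \{(.*)\}\s*$/);
    if (!resMatch || currentKey === null) continue;
    const body = resMatch[1];
    const isGit = /\btype: git\b/.test(body);
    const isGithubTarball = /tarball: https?:\/\/codeload\.github\.com\//.test(body);
    if (!isGit && !isGithubTarball) continue; // registry package: not in scope
    // Record whether pnpm wrote an integrity field at all; per the advisory
    // it is not checked for these sources, so every hit deserves a look.
    findings.push({
      key: currentKey,
      source: isGit ? "git" : "codeload-tarball",
      hasIntegrity: /\bintegrity:/.test(body),
    });
  }
  return findings;
}

// Constructed sample lockfile (placeholder hashes, fictional org/repos).
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  lodash@4.17.21:
    resolution: {integrity: sha512-CONSTRUCTEDPLACEHOLDER}
  left-pad@https://codeload.github.com/example-org/left-pad/tar.gz/0123abcd:
    resolution: {tarball: https://codeload.github.com/example-org/left-pad/tar.gz/0123abcd}
  tiny-util@git+https://github.com/example-org/tiny-util.git#89abcdef:
    resolution: {commit: 89abcdef, repo: https://github.com/example-org/tiny-util.git, type: git}
`;

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.source}\t${f.hasIntegrity ? "has integrity" : "NO integrity"}\t${f.key}`);
}
```

To run it against a real project, read pnpm-lock.yaml into a string and pass it to `auditLockfile`; anything it returns is a GitHub-sourced dependency to pin or replace until a fixed pnpm ships.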
