js · pnpm · Heads-up
pnpm and pacquet stop expanding env var placeholders in project config files
What changed
pnpm and pacquet no longer expand environment variable placeholders from project .npmrc or pnpm-workspace.yaml into registry URLs, scoped registry URLs, URL-scoped keys, or auth values. Placeholders in user-level config are still expanded.
Who it affects
Anyone who runs pnpm or pacquet dependency commands in a repository whose .npmrc or pnpm-workspace.yaml has been tampered with to carry ${ENV_VAR} placeholders in registry or auth settings.
What to do today
Update pnpm to the patched version once it is released, or apply the patch from the shared branch, so that secrets can no longer be exfiltrated through registry requests.
Source
GitHub Advisory · pnpm