pnpm: Path traversal via transitive dependency alias allows symlink replacement
What changed
pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments, which during install is used as a filesystem path when linking dependency nodes, enabling symlink replacement of project paths (e.g., .git/hooks) with attacker-controlled directories.
Who it affects
All users of pnpm who run `pnpm install --ignore-scripts` and install packages with transitive dependencies that have malicious aliases.
What to do today
Update pnpm to a patched version as soon as one is available; in the meantime, avoid installing untrusted packages or use a lockfile and verify dependency aliases.