js · pnpm
Heads-up
pnpm Tarball Extraction Skips Integrity Check When Integrity Field Missing
pnpm's tarball extraction worker does not verify integrity when the `integrity` field is absent from the lockfile resolution.
What changed
When a package entry in the lockfile has a `resolution` with no `integrity` field, pnpm's tarball extraction worker skips the integrity check entirely rather than failing closed. `pnpm install --frozen-lockfile` therefore installs whatever the resolved URL serves: an attacker who can both edit the lockfile (removing `integrity` from an entry) and control the tarball content fetched for that entry gets altered packages installed without any integrity error. `--frozen-lockfile` only refuses to update the lockfile; on its own it does not guarantee that every entry is pinned to a digest.
Who it affects
Users of pnpm who rely on `--frozen-lockfile` for reproducible, tamper-evident installs, especially CI/CD pipelines that treat a committed lockfile as the integrity boundary for what gets installed.
What to do today
Review your lockfiles and confirm that every remote package entry (registry and tarball-URL resolutions) carries an `integrity` field; treat a missing field as a finding to investigate, not a formatting quirk, since an attacker who can remove it can also repoint the tarball. Watch lockfile diffs in pull requests for removed `integrity:` lines or changed `tarball:` URLs. Consider npm's `npm ci` as a temporary alternative until you can move to a pnpm release that carries the fix.
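An added example of the lockfile review suggested above (example code, not pnpm's own tooling): it scans a `pnpm-lock.yaml` for package entries whose `resolution` has no `integrity` field and separates remote tarballs from local directory links and git checkouts, which legitimately carry no digest. It assumes, as pnpm's v6 to v9 lockfiles do, that each `resolution:` is written as a single-line YAML flow mapping such as `{integrity: sha512-...}` or `{tarball: https://...}`, so a line scanner suffices and no YAML dependency is needed. The embedded sample lockfile is constructed for the demo.

```javascript
'use strict';

// Constructed sample pnpm-lock.yaml (not from any real project), in the v9 layout:
// a scoped registry entry and a plain registry entry with integrity, a tarball-URL
// entry without integrity, a local directory link, and a second unpinned tarball.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

settings:
  autoInstallPeers: true

packages:

  '@example/widget@2.0.0':
    resolution: {integrity: sha512-constructedExampleDigestNotReal==}
    engines: {node: '>=18'}

  left-pad@1.3.0:
    resolution: {tarball: https://example.invalid/left-pad-1.3.0.tgz}

  lodash@4.17.21:
    resolution: {integrity: sha512-anotherConstructedDigestNotReal==}

  my-local-lib@file:packages/my-local-lib:
    resolution: {directory: packages/my-local-lib, type: directory}

  fetch-thing@https://example.invalid/fetch-thing-0.1.0.tgz:
    resolution: {tarball: https://example.invalid/fetch-thing-0.1.0.tgz}

snapshots:

  lodash@4.17.21: {}
`;

// Parse a one-line YAML flow mapping "{a: b, c: d}" into { a: 'b', c: 'd' }.
// Values are split at the first ':' only, so URLs survive intact.
function parseFlowMapping(text) {
  const inner = text.trim().replace(/^\{/, '').replace(/\}$/, '');
  const mapping = {};
  for (const part of inner.split(',')) {
    const sep = part.indexOf(':');
    if (sep === -1) continue;
    const key = part.slice(0, sep).trim();
    mapping[key] = part.slice(sep + 1).trim().replace(/^['"]|['"]$/g, '');
  }
  return mapping;
}

// Walk the `packages:` section and collect entries whose resolution lacks `integrity`.
// Returns [{ key, resolution }] in lockfile order.
function findResolutionsWithoutIntegrity(lockfileText) {
  const missing = [];
  let inPackages = false;
  let currentKey = null;
  for (const rawLine of lockfileText.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const indent = rawLine.length - rawLine.trimStart().length;
    if (indent === 0) {                       // top-level section header
      inPackages = line === 'packages:';
      currentKey = null;
      continue;
    }
    if (!inPackages) continue;
    if (indent === 2 && line.endsWith(':')) { // package key, e.g. "lodash@4.17.21:" or "'@scope/x@1.0.0':"
      currentKey = line.slice(0, -1).replace(/^['"]|['"]$/g, '');
      continue;
    }
    if (indent === 4 && currentKey && line.startsWith('resolution:')) {
      const resolution = parseFlowMapping(line.slice('resolution:'.length));
      if (!Object.prototype.hasOwnProperty.call(resolution, 'integrity')) {
        missing.push({ key: currentKey, resolution });
      }
    }
  }
  return missing;
}

// Registry and tarball-URL resolutions carry no `type`; pnpm marks local links
// (`type: directory`) and git checkouts (`type: git`) explicitly. Assumption based on
// pnpm's lockfile conventions; adjust if your lockfile differs.
function isRemoteTarball(resolution) {
  return !Object.prototype.hasOwnProperty.call(resolution, 'type');
}

// The entries that matter for this advisory: remote content with nothing to pin it.
function remoteEntriesWithoutIntegrity(lockfileText) {
  return findResolutionsWithoutIntegrity(lockfileText).filter((e) => isRemoteTarball(e.resolution));
}

// Read and audit a lockfile from disk; used when a .yaml path is passed on the command line.
function auditFile(path) {
  return findResolutionsWithoutIntegrity(require('node:fs').readFileSync(path, 'utf8'));
}

// Usage: node audit-lockfile-integrity.js [path/to/pnpm-lock.yaml]
// Without a .yaml argument the constructed sample above is audited.
const argPath = process.argv[2];
const entries = argPath && argPath.endsWith('.yaml') ? auditFile(argPath) : findResolutionsWithoutIntegrity(SAMPLE_LOCKFILE);
for (const entry of entries) {
  const kind = isRemoteTarball(entry.resolution) ? 'REMOTE, no integrity' : `${entry.resolution.type} resolution`;
  console.log(`${kind}: ${entry.key}`);
}
```

Wire `remoteEntriesWithoutIntegrity` into CI so a non-empty result fails the build; on the sample it reports `left-pad@1.3.0` and the `fetch-thing` tarball, while the `type: directory` link is listed but not treated as a remote finding.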
Source
GitHub Advisory · pnpm