Reporting the same security issue to pnpm vs bun:
pnpm acknowledged it quickly, shipped a fix, backported it, and published an advisory.
bun never acknowledged it, silently fixed this and another issue I reported, and has not published advisories.
One takes security more seriously.