CVE-2026-29050: melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses

An attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline[].uses to a value containing ../ sequences or an absolute path. The (*Compiled).compilePipeline function in pkg/build/compile.go passed uses directly to filepath.Join(pipelineDir, uses + ".yaml") without validating the value, so the resolved path could escape each --pipeline-dir and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its runs: block is executed via /bin/sh -c in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition.