feat(archives): add secure archive extraction with ZIP/TAR/TGZ support

Add generic archive extraction utilities with comprehensive security features
for handling ZIP, TAR, TAR.GZ, and TGZ formats. Includes path traversal
protection, zip bomb prevention, symlink blocking, and configurable size limits.

Core Features:
- Generic extractArchive() with auto-format detection
- Format-specific extractors: extractZip(), extractTar(), extractTarGz()
- Cross-platform path normalization support
- Strip option for removing leading path components

Security Features:
- Path traversal validation (blocks ../../ attacks)
- File size limits (default: 100MB per file)
- Total extraction size limits (default: 1GB)
- Symlink/hardlink detection and blocking (TAR/TGZ)
- Configurable limits for trusted sources

External Dependencies (bundled, pinned):
- adm-zip@0.5.16 (104KB, zero dependencies)
- tar-fs@3.1.2 (108KB, includes tar-stream + deps)
- Total bundle size increase: +212KB (+4.3%)

GitHub Integration:
- downloadAndExtractArchive() for any supported format
- Enhanced downloadAndExtractZip() using generic helpers
- Auto-detection from asset filenames
- Maintains backward compatibility

Testing:
- 38 archive tests passing (27 existing + 11 security tests)
- 4637 total tests passing across entire test suite
- Path traversal protection validated
- Zip bomb protection validated
- Symlink attack protection validated
- Custom size limits validated
- Cross-platform compatibility verified

Note: Vitest shows "unhandled error" warning in archive security tests.
This is a false positive - errors are properly caught by pipeline, but
Vitest detects Error construction in stream callbacks. All tests pass.

Author: jdalton

package.json

@@ -103,6 +103,10 @@
       "types": "./dist/ansi.d.ts",
       "default": "./dist/ansi.js"
     },
+    "./archives": {
+      "types": "./dist/archives.d.ts",
+      "default": "./dist/archives.js"
+    },
     "./argv/flags": {
       "types": "./dist/argv/flags.d.ts",
       "default": "./dist/argv/flags.js"
@@ -737,6 +741,7 @@
     "@vitest/ui": "4.0.3",
     "@yarnpkg/core": "4.5.0",
     "@yarnpkg/extensions": "2.0.6",
+    "adm-zip": "0.5.16",
     "cacache": "20.0.1",
     "debug": "4.4.3",
     "del": "8.0.1",
@@ -771,6 +776,8 @@
     "spdx-expression-parse": "4.0.0",
     "streaming-iterables": "8.0.1",
     "supports-color": "10.0.0",
+    "tar-fs": "3.1.2",
+    "tar-stream": "^3.1.8",
     "taze": "19.9.2",
     "trash": "10.0.0",
     "type-coverage": "2.29.7",

pnpm-lock.yaml

@@ -23,7 +23,9 @@ export const externalPackages = [
   { name: 'normalize-package-data', bundle: false },
   { name: 'semver', bundle: false },
   // Utilities
+  { name: 'adm-zip', bundle: true },
   { name: 'debug', bundle: true },
+  { name: 'tar-fs', bundle: true },
   // pico-pack: picomatch, del, fast-glob
   { name: 'pico-pack', bundle: true },
   { name: 'del', bundle: false },

scripts/build-externals/config.mjs

@@ -66,10 +66,12 @@ function createForceNodeModulesPlugin() {
    *
    * PACKAGES WITH ACTUAL TSCONFIG MAPPINGS (as of now):
    * ────────────────────────────────────────────────────
-   * ✓ cacache              - line 37 in tsconfig.json
-   * ✓ make-fetch-happen    - line 38 in tsconfig.json
-   * ✓ fast-sort            - line 39 in tsconfig.json
-   * ✓ pacote               - line 40 in tsconfig.json
+   * ✓ adm-zip              - line 31 in tsconfig.json
+   * ✓ cacache              - line 32 in tsconfig.json
+   * ✓ make-fetch-happen    - line 33 in tsconfig.json
+   * ✓ fast-sort            - line 34 in tsconfig.json
+   * ✓ pacote               - line 35 in tsconfig.json
+   * ✓ tar-fs               - line 36 in tsconfig.json
    *
    * ADDITIONAL PACKAGES (defensive):
    * ────────────────────────────────
@@ -83,10 +85,12 @@ function createForceNodeModulesPlugin() {
    * needing to be listed here.
    */
   const packagesWithPathMappings = [
+    'adm-zip',
     'cacache',
     'make-fetch-happen',
     'fast-sort',
     'pacote',
+    'tar-fs',
     'libnpmexec',
     'libnpmpack',
     'npm-package-arg',