Replace tar-stream usage with nanotar-backed tar handling #137

Draft
Copilot wants to merge 4 commits into master from copilot/add-nanotar-support

Copilot AI commented Apr 23, 2026

This updates the tar implementation to use nanotar instead of tar-stream while preserving the existing compressing.tar API and extraction behavior. The change keeps tar/tgz/zip integration intact, including the existing path traversal and symlink protections.

  • Dependency change

    • Replace the runtime tar-stream dependency with nanotar.
  • Tar archive creation

    • Add a shared tar archive helper for tar creation.
    • Route tar.Stream and tar.FileStream through the new helper without changing the public API.
    • Preserve entry metadata used by the package today, including file mode handling.
  • Tar extraction compatibility

    • Add a small internal tar parser used by tar.UncompressStream.
    • Preserve entry event semantics expected by the existing extraction pipeline.
    • Keep security-sensitive extraction behavior unchanged for:
      • path traversal rejection
      • symlink escape rejection
      • existing symlink path validation
  • Cross-format compatibility

    • Restore TarStream subclass initialization so zip.Stream continues to work correctly after the tar refactor.
  • Coverage updates

    • Reuse the new tar helper in test utilities.
    • Add a tar compressDir round-trip assertion to verify the new archive generation path.

Example of the unchanged public surface:

const compressing = require('compressing');

// await needs an async context in a CommonJS module
(async () => {
  await compressing.tar.compressDir('/path/to/dir', '/tmp/archive.tar');
  await compressing.tar.uncompress('/tmp/archive.tar', '/tmp/out');
})().catch(console.error);
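
The path traversal and symlink escape rejections that the description above says are preserved can be pinned down as a standalone check over parsed tar entries. This is an added example, not code from this pull request or from compressing or nanotar; `walk`, `vetEntries`, the entry shape and the sample entries are assumptions made for illustration.

```javascript
// Added example, not the PR's code. Entry objects mimic what a tar parser
// emits (name, type, linkname); all names below are hypothetical.

// Walk POSIX path `p` from `base` (segments under the extraction root).
// Returns the resolved segments, or a rejection reason string.
function walk(base, p, links) {
  if (p.startsWith('/')) return 'absolute path';
  const out = base.slice();
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return 'escapes root';
      out.pop();
      continue;
    }
    out.push(seg);
    // Lexical ".." handling is only sound if no component is a symlink.
    if (links.has(out.join('/'))) return 'passes through symlink';
  }
  return out;
}

function vetEntries(entries) {
  const links = new Set(); // symlink paths accepted so far, in archive order
  return entries.map((e) => {
    const verdict = (reason) => ({ name: e.name, ok: reason === null, reason });
    const at = walk([], e.name, links);
    if (typeof at === 'string') return verdict(at);
    if (e.type === 'symlink') {
      // A relative link target resolves from the link's own directory.
      const to = walk(at.slice(0, -1), e.linkname, links);
      if (typeof to === 'string') return verdict('symlink target: ' + to);
      links.add(at.join('/'));
    }
    return verdict(null);
  });
}

// Constructed sample entries (not taken from any real archive).
const SAMPLE = [
  { name: 'pkg/index.js', type: 'file' },
  { name: 'pkg/../../outside.txt', type: 'file' },
  { name: '/tmp/abs.txt', type: 'file' },
  { name: 'pkg/up', type: 'symlink', linkname: '../..' },
  { name: 'pkg/self', type: 'symlink', linkname: '.' },
  { name: 'pkg/self/../../out.txt', type: 'file' },
  { name: 'pkg/docs', type: 'symlink', linkname: 'lib/docs' },
];
console.log(vetEntries(SAMPLE).map((r) => `${r.ok ? 'ok  ' : 'deny'} ${r.name} ${r.reason || ''}`).join('\n'));
```

The sixth sample entry is the case a purely lexical normalizer misses: `pkg/self/../../out.txt` collapses to a path inside the root on paper, but on disk it would follow the `pkg/self` link accepted just before it. The check is deliberately conservative and also rejects symlinks that point at other symlinks.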

Copilot AI linked an issue Apr 23, 2026 that may be closed by this pull request

socket-security Bot commented Apr 23, 2026

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | nanotar@0.3.0 | 100 | 100 | 100 | 81 | 100 |


Copilot AI and others added 2 commits April 23, 2026 07:43

codecov Bot commented Apr 23, 2026

Codecov Report

❌ Patch coverage is 82.14286% with 75 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.22%. Comparing base (9c885e5) to head (6b71f3c).
⚠️ Report is 1 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| lib/tar/archive.js | 77.58% | 63 Missing ⚠️ |
| lib/tar/uncompress_stream.js | 88.23% | 6 Missing ⚠️ |
| lib/tar/file_stream.js | 90.69% | 4 Missing ⚠️ |
| lib/tar/stream.js | 95.55% | 2 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #137      +/-   ##
==========================================
- Coverage   96.41%   92.22%   -4.20%     
==========================================
  Files          19       20       +1     
  Lines        1145     1492     +347     
  Branches      294      388      +94     
==========================================
+ Hits         1104     1376     +272     
- Misses         41      116      +75     

Copilot AI changed the title from "[WIP] Add support for using nanotar" to "Replace tar-stream usage with nanotar-backed tar handling" Apr 23, 2026
Copilot AI requested a review from fengmk2 April 23, 2026 07:48

Successfully merging this pull request may close these issues.

use nanotar
