
fix(deps): replace extract-zip and update Netlify packages #8277

Merged: eduardoboucas merged 3 commits into main from fix/extract-zip-node24-hang on May 29, 2026

Conversation


@eduardoboucas eduardoboucas commented May 29, 2026

CI has been failing for #8276, which I believe is caused by issues with the unmaintained extract-zip.

This mirrors that PR, doing the same bump of the Netlify dependencies, but also gets rid of extract-zip.


github-actions Bot commented May 29, 2026

📊 Benchmark results

Comparing with 8a07280

  • Dependency count: 1,136 ⬆️ 0.18% increase vs. 8a07280
  • Package size: 379 MB ⬆️ 0.04% increase vs. 8a07280
  • Number of ts-expect-error directives: 355 (no change)


coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 05e224f9-156f-4b05-9038-a896eec2bf49

📥 Commits

Reviewing files that changed from the base of the PR and between 0c3c97f and 7058e64.

📒 Files selected for processing (1)
  • src/utils/zip.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/utils/zip.ts

📝 Walkthrough

Summary by CodeRabbit

  • Chores

    • Updated Netlify-related package dependencies.
    • Removed an unused external dependency and added a zip handling dependency with corresponding type definitions.
  • Refactor

    • Reworked internal ZIP extraction for improved reliability, security (path-safety), and handling of symlinks/permissions.

Walkthrough

This PR replaces the external extract-zip dependency with a custom implementation. A new src/utils/zip.ts module exports extractZip(), which extracts zip entries using yauzl with path traversal protection, symlink support, and file permission handling. The package.json removes extract-zip and adds yauzl and @types/yauzl. Import statements in create-action.ts and registry.ts are updated to use the new local utility instead of the external package. Netlify package version constraints are also bumped.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks: 5 passed
  • Title check: Passed. The title accurately describes the main changes: removing the unmaintained extract-zip dependency and updating Netlify packages.
  • Description check: Passed. The description is related to the changeset, explaining the motivation for removing extract-zip and referencing a related PR.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@eduardoboucas eduardoboucas changed the title fix: replace dep fix(deps): replace extract-zip and update Netlify packages May 29, 2026
@eduardoboucas eduardoboucas marked this pull request as ready for review May 29, 2026 09:06
@eduardoboucas eduardoboucas requested a review from a team as a code owner May 29, 2026 09:06
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In `@src/utils/zip.ts`:
- Around line 82-90: The code currently calls await fs.mkdir(destDir) before validating that destDir/dest cannot escape resolvedDir and also writes files to dest without guarding against symlink destinations; fix by resolving and validating the intended target paths before any filesystem writes: compute the absolute target (use path.resolve/resolvedDir + entry.fileName) and call fs.realpath on the nearest existing parent to ensure the canonical target is inside resolvedDir, only then create directories; additionally, before writing a file at dest inside the file-extraction branch (where dest and entry.fileName are used), detect or prevent symlink attacks by using fs.lstat to reject existing symlinks or open files with O_NOFOLLOW (or equivalent) and fail if dest resolves outside resolvedDir after realpath, and apply the same validation steps used for destDir to any file writes to guarantee no writes escape resolvedDir.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d88a6526-c369-4d04-8deb-b14909d353c4

📥 Commits

Reviewing files that changed from the base of the PR and between 8a07280 and 0c3c97f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • package.json
  • src/commands/create/create-action.ts
  • src/lib/functions/registry.ts
  • src/utils/zip.ts
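The containment and symlink checks the review above asks for, as an added TypeScript example that is not code from this PR or from the Netlify CLI: `canonicalTarget`, `safeEntryPath` and `demo` are names chosen here, `resolvedDir` follows the review's naming, and the temporary directories and the symlink pointing outside them are constructed for the demonstration.

```typescript
import * as fs from 'node:fs'
import * as os from 'node:os'
import * as path from 'node:path'

// Canonicalise `target` by realpath-ing its nearest existing ancestor and
// re-attaching the path components that do not exist yet.
export function canonicalTarget(target: string): string {
  let existing = target
  const tail: string[] = []
  while (!fs.existsSync(existing)) {
    tail.unshift(path.basename(existing))
    const parent = path.dirname(existing)
    if (parent === existing) break // reached the filesystem root
    existing = parent
  }
  return path.join(fs.realpathSync(existing), ...tail)
}

// Absolute path an entry may be written to, or null when it would land
// outside `resolvedDir` via `..`, an absolute name, or a symlinked parent.
export function safeEntryPath(resolvedDir: string, entryName: string): string | null {
  const root = fs.realpathSync(resolvedDir)
  const canonical = canonicalTarget(path.resolve(root, entryName))
  const rel = path.relative(root, canonical)
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) return null
  // Refuse to write through a symlink that already sits at the target (lstat, not stat).
  try {
    if (fs.lstatSync(canonical).isSymbolicLink()) return null
  } catch {
    // target does not exist yet: nothing to write through
  }
  return canonical
}

// Constructed scenario: an extraction directory containing a symlink that points
// outside it, the state a symlink entry followed by a file entry would produce.
export function demo(): Record<string, string | null> {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'zip-dest-'))
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), 'zip-outside-'))
  fs.symlinkSync(outside, path.join(dir, 'link'))
  return {
    root: fs.realpathSync(dir),
    plain: safeEntryPath(dir, 'pkg/index.js'),      // allowed
    dotdot: safeEntryPath(dir, '../escape.txt'),    // rejected
    absolute: safeEntryPath(dir, '/tmp/escape.txt'), // rejected
    viaSymlink: safeEntryPath(dir, 'link/escape.txt'), // rejected: parent resolves outside
    symlinkItself: safeEntryPath(dir, 'link'),      // rejected: existing symlink at target
  }
}
```

Call `safeEntryPath` for every entry before `fs.mkdir` or opening the output file; a `null` result aborts the extraction.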

@eduardoboucas eduardoboucas merged commit c078a98 into main May 29, 2026
40 checks passed
@eduardoboucas eduardoboucas deleted the fix/extract-zip-node24-hang branch May 29, 2026 09:35