
use extract-zip and tar libraries to extract archives#10414

Merged
mattKorwel merged 9 commits into main from library-for-extract on Oct 7, 2025

Conversation

@jakemac53
Contributor

TLDR

This should result in more stable and consistent archive extraction across operating systems and users' machines, as opposed to assuming that tools like tar and unzip are installed.

The current approach has been broken a couple of times recently and I am still not even confident the current implementation actually works on Windows reliably, especially across Windows versions.

Dive Deeper

This does add a fair number of package dependencies so we should discuss whether that is an issue.

Reviewer Test Plan

Install an extension which has github releases.

Testing Matrix

           🍏 macOS   🪟 Windows   🐧 Linux
npm run
npx
Docker
Podman                -            -
Seatbelt              -            -

Linked issues / bugs

@jakemac53 jakemac53 requested review from a team as code owners October 2, 2025 14:23
@gemini-code-assist
Contributor

Summary of Changes

Hello @jakemac53, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the archive extraction mechanism within the CLI, moving away from relying on external system utilities like tar and unzip. By integrating native Node.js libraries such as unzipper and tar, the change aims to enhance the robustness and cross-platform consistency of archive handling, especially addressing known instability issues on Windows. This internalizes the extraction process, reducing external dependencies and improving overall reliability.

Highlights

  • Internal Archive Extraction: The pull request switches from using external system commands like tar and unzip to native Node.js libraries (unzipper and tar) for archive extraction.
  • Improved Stability and Consistency: This change aims to provide more stable and consistent archive extraction across different operating systems, particularly on Windows, where the previous method was prone to issues.
  • New Package Dependencies: Several new package dependencies have been introduced to support the internal extraction logic, as reflected in the updated package-lock.json and packages/cli/package.json.
  • Enhanced Test Coverage: New unit tests have been added for the extractFile function, covering .tar.gz and .zip extraction, and ensuring proper error handling for unsupported file types.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request is a great step towards improving cross-platform stability by replacing system-level tar and unzip commands with JavaScript libraries. The implementation is clean and the new tests are thorough. However, I've identified a critical security vulnerability related to the use of the unzipper library, which does not protect against "zip bomb" attacks. This could expose the CLI to denial-of-service attacks when processing malicious archives.

@jakemac53
Contributor Author

Hmm, looks like unzipper has made some unfortunate decisions that cause errors for our builds: ZJONSSON/node-unzipper#330

@jakemac53 jakemac53 changed the title from "use unzipper and tar libraries to extract archives" to "use extract-zip and tar libraries to extract archives" Oct 2, 2025
@github-actions

github-actions bot commented Oct 2, 2025

Size Change: +143 kB (+0.81%)

Total Size: 17.7 MB

Filename              Size      Change
./bundle/gemini.js    17.7 MB   +143 kB (+0.81%)

Unchanged:

Filename                                          Size
./bundle/sandbox-macos-permissive-closed.sb       1.03 kB
./bundle/sandbox-macos-permissive-open.sb         830 B
./bundle/sandbox-macos-permissive-proxied.sb      1.31 kB
./bundle/sandbox-macos-restrictive-closed.sb      3.29 kB
./bundle/sandbox-macos-restrictive-open.sb        3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb     3.56 kB

@mattKorwel mattKorwel disabled auto-merge October 7, 2025 14:49
@mattKorwel
Collaborator

@jakemac53 if you updated package.json we need to see an equivalent package lock update or we will be out of sync.

@mattKorwel mattKorwel enabled auto-merge October 7, 2025 15:32
@mattKorwel mattKorwel added this pull request to the merge queue Oct 7, 2025
Merged via the queue into main with commit 343be47 Oct 7, 2025
20 checks passed
@mattKorwel mattKorwel deleted the library-for-extract branch October 7, 2025 15:43
chrstnb added a commit that referenced this pull request Oct 7, 2025
Co-authored-by: christine betts <chrstn@uw.edu>
thacio added a commit to thacio/auditaria that referenced this pull request Oct 7, 2025
giraffe-tree pushed a commit to giraffe-tree/gemini-cli that referenced this pull request Oct 10, 2025