Bump tar-fs devdep to fix vuln warning

Author: pimterry

package-lock.json

@@ -98,7 +98,17 @@ async function insertServer(
     });
 
     console.log(`Extracting server to ${buildPath}`);
-    await extractTarGz({ src: downloadPath, dest: buildPath });
+    await extractTarGz({
+        src: downloadPath,
+        dest: buildPath,
+        tar: {
+            ignore (_, header) {
+                // Extract only files & directories - ignore symlinks or similar
+                // which can sneak in in some cases (e.g. native dep build envs)
+                return header!.type !== 'file' && header!.type !== 'directory'
+            }
+        }
+    });
     await deleteFile(downloadPath);
 
     console.log('Server download completed');