Security
- Fix path traversal vulnerability in extractall() that allowed zip/tar archives with ../ entries to write files outside the target directory (GHSA-76hw-p97h-883f)
- Reject symlinks, hardlinks, and special files in tar archives
- Use Python 3.12+ filter="data" for safe tar extraction when available
- Sanitize filenames from HTTP responses and URLs to prevent path traversal via /, , .., and null bytes
- Sanitize root folder name in download_folder() before building directory paths