Not sure why this was failing on my system, but this fixes it.

Previously, the path reservation system, which defends against unicode
path name collisions (the subject of a handful of past CVE issues), was
using NFKD normalization internally to determine of two paths would be
likely to reference the same file on disk.

This has the weird effect of normalizing things like `℀` into simple
decomposed character strings, for example `a/c`. These can contain
slashes and double-dot sections, which means that the path reservations
may end up reserving more (or different) paths than intended.

Thankfully, tar was already *extracting* properly, even if the path
reservations collided, and these collisions resulted in tar being *more*
aggressive than it should be in restricting parallel extraction, rather
than less. That's a good direction to err in, for security, but also,
made tar less efficient than it could be in some edge cases.

Using NFD normalization, unicode characters are not decomposed in
compatibility mode, but still result in matching path reservation keys
as intended.

This does not cause any change in observed behavior, other than allowing
some files to be extracted in parallel where it is provably safe to do
so.

Credit: discovered by @Sim4n6. This did not result in a juicy security
vulnerability, but it sure looked like one at first. They were extremely
patient, thorough, and persistent in trying to pin this down to a POC
and CVE. There is very little reward or visibility when a security
researcher finds a bug that doesn't result in a security disclosure, but
the attempt often results in improvements to the project.

PR-URL: #391
Credit: @JamieMagee
Close: #391
Reviewed-by: @isaacs

When unpacking, only infer brotli compression from the filename if the
first 512 bytes are an invalid tar header (or the stream is less than
512 bytes)

While Brotli doesn't give us magic header bytes like gzip, we can be
reasonably sure that a .tbr file starting with 512 bytes of valid tar
data is almost certainly not a brotli compressed archive.

And a .tbr file starting with the magic gzip bytes is almost certainly a
gzip archive, and not brotli, despite what the filename says.

In all cases, if explicit boolean or object values appear in the options
for either gzip or brotli, we respect that, and ignore the filename.

Will replace with prettier at some point, but for now, whatever.

Fix: https://github.com/isaacs/node-tar/security/advisories/GHSA-hr8v-f3j8-8w2m

This sets the limit at 1024 subfolders nesting by default, but that can
be dropped down, or set to Infinity to remove the limitation.