fix: zip inflate with yauzl on node v24.16.0 #318682

Merged: deepak1556 merged 1 commit into main from robo/bump_yauzl on May 29, 2026
@deepak1556
Collaborator

Followup to #316661

Node.js v24.16.0 made Readable.prototype.pause()/resume() a no-op once the stream is marked destroyed (nodejs/node#62557). yauzl fd-slicer sets self.destroyed = true before self.push(null) at end-of-range, so once Node 24.16 sees the destroyed flag, zlib never flushes its tail and never emits 'end'.

npm run electron (build/lib/electron.ts → @vscode/gulp-electron → gulp-vinyl-zip → yauzl) silently produces a broken .build/electron containing only a handful of files: the first large compressed entry hangs forever, and the build exits with a corrupt Electron bundle.

The fix landed upstream in yauzl 3.3.1 (thejoshwolfe/yauzl#170), which rewrites the vendored fd-slicer to use the proper _destroy(cb) contract.

Audit of yauzl consumers in the repo (by copilot)

Direct callers:

  • src/vs/base/node/zip.ts
    Uses: open(path, { lazyEntries }, cb), Entry, ZipFile types, zipfile.openReadStream(entry, cb), zipfile.readEntry(), events 'entry'/'close'/'error'. All present and unchanged in v3.
  • build/azure-pipelines/common/publish.ts
  • build/azure-pipelines/common/downloadCopilotVsix.ts
    Both use: yauzl.open(zipPath, { lazyEntries: true, autoClose: true }, cb) and zipfile.openReadStream(entry, cb). Both unchanged in v3.

Indirect callers (node_modules):

  • @vscode/ripgrep/lib/download.js — yauzl.open(...openReadStream...)
  • extract-zip/index.js — yauzl.open(...openReadStream...)
  • gulp-vinyl-zip/lib/src/index.js — yauzl.fromBuffer/open + openReadStream
  • @vscode/vsce/out/zip.js — yauzl.open(...openReadStream...)

API contract: v2 -> v3 is safe for every caller above

yauzl 3.x removed only legacy stuff that no caller in this repo relies on:

  • Drops support for Node <12.
  • Removes the external fd-slicer dependency; vendors a small internal one. None of our callers touch fd-slicer directly.
  • decodeStrings: false is no longer auto-enabled when strictFileNames is true; our callers do not pass either option, so default behavior is unchanged.
  • The public surface used by every caller above —
    open(path, options?, cb),
    fromBuffer(buffer, options?, cb),
    dosDateTimeToDate(date, time),
    ZipFile: readEntry(), openReadStream(entry, options?, cb),
    events 'entry'/'end'/'close'/'error',
    Entry: fileName, compressionMethod, compressedSize, uncompressedSize, relativeOffsetOfLocalHeader,
    getLastModDate(), lazyEntries, autoClose options is identical between 2.x and 3.x.
  • @types/yauzl stays compatible: v3 did not remove or rename any exported type used by src/vs/base/node/zip.ts.

@deepak1556 deepak1556 added this to the 1.123.0 milestone May 28, 2026
@deepak1556 deepak1556 self-assigned this May 28, 2026
Copilot AI review requested due to automatic review settings May 28, 2026 04:19
Contributor

Copilot AI left a comment

Pull request overview

Updates yauzl to ^3.3.1 across the root, build/, and remote/ package manifests (with matching overrides) to pick up the upstream fix that makes the vendored fd-slicer use the proper _destroy(cb) contract. This unblocks npm run electron and any zip extraction path on Node v24.16.0+, where Readable.pause()/resume() becomes a no-op once a stream is marked destroyed, causing yauzl 2.x to hang mid-inflate.

Changes:

  • Bump yauzl from ^3.0.0/^2.10.0 to ^3.3.1 in root, build/, and remote/ package.json, including adding yauzl to each overrides block so nested consumers (e.g. gulp-vinyl-zip, extract-zip, @vscode/ripgrep, @vscode/vsce) all resolve to 3.3.1.
  • Regenerate lockfiles to resolve top-level yauzl@3.3.1 and remove the previously-nested old yauzl/fd-slicer copies.

Reviewed changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| package.json | Bumps yauzl dep to ^3.3.1 and adds matching root override. |
| package-lock.json | Resolves top-level yauzl@3.3.1; removes nested old yauzl and fd-slicer entries from @vscode/ripgrep, extract-zip, and gulp-vinyl-zip. |
| build/package.json | Bumps build yauzl dep from ^2.10.0 to ^3.3.1 and adds override. |
| build/package-lock.json | Updates yauzl to 3.3.1 and drops the fd-slicer transitive dep. |
| remote/package.json | Bumps yauzl to ^3.3.1 and adds override (keeps versions aligned with root for hygiene check). |
| remote/package-lock.json | Resolves yauzl@3.3.1 at the top level. |

Files not reviewed (2)
  • build/package-lock.json: Language not supported
  • remote/package-lock.json: Language not supported
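
A lockfile check for the override behaviour described above, as an added example that is not part of the PR or the repository's tooling: it walks the `packages` map of a parsed package-lock.json (lockfileVersion 2 or 3) and reports every yauzl copy older than 3.3.1 plus any remaining fd-slicer package. The function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: flag nested yauzl copies that predate the fix and leftover fd-slicer.
const FIXED = '3.3.1'; // first yauzl release with the fix, per the PR description

// "node_modules/@vscode/ripgrep/node_modules/yauzl" -> "yauzl"
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? '' : lockPath.slice(i + marker.length);
}

// Compare plain x.y.z versions; prerelease/build suffixes are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lock: the object obtained from JSON.parse on a package-lock.json file.
function auditYauzl(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (typeof meta.version !== 'string') continue; // root and link entries
    const name = packageName(lockPath);
    if (name === 'yauzl' && compareVersions(meta.version, FIXED) < 0) {
      findings.push({ lockPath, version: meta.version, reason: 'yauzl older than ' + FIXED });
    } else if (name === 'fd-slicer') {
      findings.push({ lockPath, version: meta.version, reason: 'fd-slicer still installed' });
    }
  }
  return findings;
}

// Constructed sample lockfiles (illustrative, not copied from the repository).
const before = { lockfileVersion: 3, packages: {
  'node_modules/yauzl': { version: '3.3.1' },
  'node_modules/extract-zip/node_modules/yauzl': { version: '2.10.0' },
  'node_modules/extract-zip/node_modules/fd-slicer': { version: '1.1.0' },
  'node_modules/@vscode/ripgrep/node_modules/yauzl': { version: '2.10.0' },
} };
const after = { lockfileVersion: 3, packages: { 'node_modules/yauzl': { version: '3.3.1' } } };

console.log(auditYauzl(before)); // nested yauzl copies and fd-slicer are reported
console.log(auditYauzl(after));  // no findings once everything resolves to 3.3.1
```

Run against each of the three lockfiles the PR regenerates; a non-empty result means some consumer still resolves its own pre-fix copy despite the top-level bump.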

@deepak1556 deepak1556 marked this pull request as ready for review May 29, 2026 07:00
@deepak1556 deepak1556 enabled auto-merge (squash) May 29, 2026 07:00
@deepak1556 deepak1556 merged commit b0bdc05 into main May 29, 2026
80 of 82 checks passed
@deepak1556 deepak1556 deleted the robo/bump_yauzl branch May 29, 2026 07:01