Update tar-fs dependency to address security vulnerabilities

[TastyPi]

tar-fs 2.1.3 also has security vulnerabilities https://nvd.nist.gov/vuln/detail/CVE-2025-59343

Fortunately, dependabot already has a fix ready to go #814

[TastyPi]

Is there a reason the dependency on tar-fs is "tar-fs": "~2.1.3" instead of "tar-fs": "^2.1.3"? If it was the latter, we could update the package independently instead of having to wait for fixes here.

[apocas]

v4.0.9 published