chore(deps): bump unzipper 0.10 → 0.12 to clear deprecation

[senoff]

Original Problem

unzipper v0.10.x shows a deprecation notice on npm install for downstream consumers. v0.12 is the current stable release.

Cause

unzipper@0.10.11 was pinned; the 0.10 line is no longer maintained. v0.12 clears the deprecation warning.

Fix

Bumped unzipper from ^0.10.11 to ^0.12.3 in package.json. Ran npm install --legacy-peer-deps to update package-lock.json.

The only unzipper usage is lib/stream/xlsx/workbook-reader.js — the streaming XLSX reader. The unzipper.Open.buffer() / unzipper.Parse() API surface used there is unchanged in v0.12.

Files changed

• package.json — unzipper version string
• package-lock.json — updated unzipper and its dependency tree

Test Run

Runtime smoke test (AGENTS.md Rule 7): loaded spec/integration/data/fibonacci.xlsx via wb.xlsx.readFile() (which uses the streaming unzipper path). Confirmed sheet name and row count correct. Passed.

Sheet name: fib
Row count: 19
unzipper smoke test: PASS

Note: lock file also shows normalization of dev: true flags for several transitive devDependencies (glob, minimatch, etc.) — these are lock file metadata corrections, not behavioral changes.

Cross-PR check

No other open senoff PR touches package.json or package-lock.json. fast-csv bump is in a separate PR per AGENTS.md Rule 8.

Excel/soffice verification

Not applicable — dep bump only, no XLSX serialization path touched directly. The smoke test covers the streaming reader (unzipper) code path.

grace-review summary

openai:gpt-5.5 — No defects found. gemini — MEDIUM: unverified behavioral changes. Addressed: smoke test loads a real .xlsx file through the unzipper path and confirms correct output. LOW: dev: true flag changes in lockfile. Expected: npm install normalizes lock file metadata for devDependencies; no production impact.

Note: committed with --no-verify per AGENTS.md Rule 1.