feat: support strictValidateTarballPkg

[elrrrrrrr]

Validate the manifest and tarball info to prevent contamination during consumption, closes #542.

1. 🔨 Added the "strictValidateTarballPkg" mode to enable validation, only applicable to the slef registry scenario.
2. 🧶 When the configuration is enabled, validate the relevant fields during publishing, currently only validating the fields affecting consumption.
3. ♻️ No corrective actions will be taken for existing scenario data.

---

发布时校验 manifest 和 tarball 字段是否陪陪，防止消费时被污染 closes #542

1. 🔨 新增 strictValidateTarballPkg 配置，仅对在发布当前 registry 场景下生效
2. 🧶 配置开启时，发布时校验相关字段，目前仅校验影响消费相关字段
3. ♻️ 存量场景数据不做订正处理

[codecov]

Codecov Report

Merging #546 (f56ec9d) into master (ab2fde7) will decrease coverage by 0.06%.
The diff coverage is 95.55%.

@@            Coverage Diff             @@
##           master     #546      +/-   ##
==========================================
- Coverage   97.02%   96.96%   -0.06%     
==========================================
  Files         174      174              
  Lines       16588    16632      +44     
  Branches     2177     2181       +4     
==========================================
+ Hits        16095    16128      +33     
- Misses        493      504      +11     

Impacted Files	Coverage Δ
app/common/PackageUtil.ts	97.61% <90.90%> (-1.42%)	⬇️
app/port/config.ts	100.00% <100.00%> (ø)
...controller/package/SavePackageVersionController.ts	100.00% <100.00%> (ø)
config/config.default.ts	88.48% <100.00%> (+0.06%)	⬆️

... and 2 files with indirect coverage changes

[fengmk2]

应该不是走这种模式，data 是 buffer，走 buffer concat ，要不然有机会导致 json 最终拼接出来是错误的

[fengmk2]

entry 是一个 stream？参考 https://github.com/node-modules/urllib/blob/master/test/utils.ts#L14

[elrrrrrrr]

使用 await stream 的方式来拼接 Buffer，替换了原有方式。

由于在 onentry 才能拿到对应的 stream，还是使用了 Promise 来返回异步结果。