This suggests one should just upload a tar rather than a compressed file. Makes sense because one can scan the contents for malicious files without risking a decompressor bug.

BTW npm decompressed all packages anyhow because it lets you view the contents these days on its website.