> If you rely on stable archives for security (ensuring you don’t accidentally trigger a tarbomb, for example), we recommend you switch to release assets instead of using source downloads.
Isn't that actually the only way you could get a zipbomb? git-archive will never generate a zipbomb...