pdm: Path traversal in InstallDestination.write_to_fs() allows arbitrary file write

InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe _path_with_destdir() (which validates via Path.resolve() + is_relative_to()) with a bare os.path.join() that performs no path validation. A malicious wheel with traversal entries can write arbitrary files.

Users of pdm who install packages from untrusted sources, as a malicious wheel can write arbitrary files via path traversal.

Apply the fix from pull request #3787 immediately, or avoid installing untrusted wheels until patched.