fix(security)(utils): predictable global cache directory in /tmp enables

The cache directory is a fixed, shared path (`/tmp/ncc-cache`). On multi-user systems this can be pre-created or manipulated by another user (symlink/hardlink attacks), potentially causing cache poisoning, unintended file writes, or data leakage between builds/users depending on how cache files are later written.

Affected files: ncc-cache-dir.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>

Author: tuanaiseo

src/utils/ncc-cache-dir.js

@@ -1 +1,8 @@
-module.exports = require("os").tmpdir() + "/ncc-cache";
+const crypto = require("crypto");
+const os = require("os");
+const path = require("path");
+
+const cacheBase = process.env.XDG_CACHE_HOME || path.join(os.homedir(), ".cache");
+const projectKey = crypto.createHash("sha256").update(process.cwd()).digest("hex").slice(0, 12);
+
+module.exports = path.join(cacheBase, "ncc", projectKey);