refactor: improve path handling in config, node steps, and build #2015
niStee wants to merge 24 commits into
There is another one: Uncontrolled data used in path expression. `let exe_path = current_exe()?;`
GideonBear left a comment:
Not going to fully review yet. Can you explain individually for each case why it's dangerous?
Hi @GideonBear, thank you so much for the detailed review! You were right to point out that the initial commits were heavily influenced by Copilot autofixes and ended up being overly defensive. I had a fundamental misunderstanding of the threat model for a local CLI tool and of how certain standard library functions behave. I really appreciate you highlighting these issues, particularly with regard to build.rs. Thanks to your feedback, I have learnt a lot more about Cargo's environment variables and trust model. I have completely refactored the pull request (PR) to address the CodeQL alerts properly and remove the unnecessary precautions. The PR is now out of draft mode. Please let me know if you think the new approach looks good!
What does this PR do
Improves code quality and readability by refactoring path handling across several modules to be more idiomatic.
Note: This PR originally started as an attempt to resolve CodeQL path traversal alerts using AI autofixes. After maintainer review, we determined those alerts were false positives given the threat model of a local CLI tool. The overly defensive security checks and suppressions were removed, and the PR was repurposed to focus purely on structural code health.
Key Changes:
- src/config.rs: Flattened the directory traversal logic to reduce unnecessary rightward drift and cached `entry.path()` to avoid redundant calls inside the loop.
- src/steps/node.rs: Refactored to use more idiomatic `PathBuf` handling.
- build.rs: Cleaned up the `OUT_DIR` path parsing logic to use safe, owned `PathBuf` representations.
Standards checklist
CONTRIBUTING.md
AI involvement
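The two refactoring patterns named above (a flattened `read_dir` loop that caches `entry.path()`, and an owned `PathBuf` built from a Cargo-provided directory variable) can be shown in a few lines. The following is an added example written for this page, not code from the PR or from the project; the function names `collect_config_files`, `output_path` and `output_path_from` and the `.toml` filter are assumptions. It deliberately adds no path validation: as the discussion concludes, `OUT_DIR` is set by Cargo and the directory being walked belongs to the user running the CLI, so neither value is attacker-controlled input.

```rust
use std::env;
use std::ffi::OsStr;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Collect the `.toml` files directly inside `dir`, sorted by path.
/// Flattened loop: every guard is an early `continue` instead of a nested
/// `if`, and `entry.path()` is called once per entry and reused, since
/// `DirEntry::path` allocates a fresh `PathBuf` on every call.
pub fn collect_config_files(dir: &Path) -> io::Result<Vec<PathBuf>> {
    let mut found = Vec::new();
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let path = entry.path(); // cached: reused by both guards and the push
        if !path.is_file() {
            continue; // skips directories even if they are named `*.toml`
        }
        if path.extension() != Some(OsStr::new("toml")) {
            continue;
        }
        found.push(path);
    }
    found.sort();
    Ok(found)
}

/// Build an owned output path from an already-read directory value.
/// Taking `Option<&OsStr>` keeps the function free of UTF-8 assumptions
/// and lets it be exercised without touching the process environment.
pub fn output_path_from(base: Option<&OsStr>, file_name: &str) -> Option<PathBuf> {
    Some(PathBuf::from(base?).join(file_name))
}

/// Convenience wrapper for build scripts: read a Cargo-provided variable such
/// as `OUT_DIR` with `var_os` (no UTF-8 requirement) and return an owned path
/// that no longer depends on the environment.
pub fn output_path(var: &str, file_name: &str) -> Option<PathBuf> {
    let base = env::var_os(var)?;
    output_path_from(Some(base.as_os_str()), file_name)
}

fn main() -> io::Result<()> {
    // Constructed sample input: a scratch directory with a few entries.
    let scratch = env::temp_dir().join(format!("path-demo-{}", std::process::id()));
    fs::create_dir_all(&scratch)?;
    fs::write(scratch.join("b.toml"), "")?;
    fs::write(scratch.join("a.toml"), "")?;
    fs::write(scratch.join("notes.txt"), "")?;
    fs::create_dir_all(scratch.join("sub.toml"))?; // a directory, must be skipped
    for p in collect_config_files(&scratch)? {
        println!("{}", p.display());
    }
    fs::remove_dir_all(&scratch)?;
    if let Some(p) = output_path("OUT_DIR", "generated.rs") {
        println!("would write {}", p.display());
    }
    Ok(())
}
```

`main` prints `a.toml` and `b.toml` (as absolute paths) and skips both the `.txt` file and the `sub.toml` directory; the `OUT_DIR` line only appears when the program runs under a Cargo build script.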
Initial overly defensive fixes were generated by GitHub Copilot. The final implementation was refined manually based on maintainer feedback to focus on standard Rust refactoring rather than security suppressions.