@kodawah raised the problem that xz.Writer.Close doesn't close the
underlying writer. Instead of changing the behavior of the Writer I
added WriteCloserStack in a new package to address the problem.

fixes: #61

This commit addresses security issue GHSA-jc7w-c686-c4v9.

The mitigating measures are described for the Reader type and I added a
TestZeroPrefixIssue function to test the mitigations.

// # Security concerns
//
// Note that LZMA format doesn't support a magic marker in the header. So
// [NewReader] cannot determine whether it reads the actual header. For instance
// the LZMA stream might have a zero byte in front of the reader, leading to
// larger dictionary sizes and file sizes. The code will detect later that there
// are problems with the stream, but the dictionary has already been allocated
// and this might consume a lot of memory.
//
// Version 0.5.14 introduces built-in mitigations:
//
//   - The [ReaderConfig] DictCap field is now interpreted as a limit for the
//     dictionary size.
//   - The default is 2 Gigabytes (2^31 bytes).
//   - Users can check with the [Reader.Header] method what the actual values are in
//     their LZMA files and set a smaller limit using [ReaderConfig].
//   - The dictionary size doesn't exceed the larger of the file size and
//     the minimum dictionary size. This is another measure to prevent huge
//     memory allocations for the dictionary.
//   - The code supports stream sizes only up to a pebibyte (1024^5).

The commit includes preparations for the release v0.5.14 including go
fmt, release notes and updates to TODO.md.