Using str.startswith() has an edge case where someone can access files
outside the root directory. For example, consider the case where the
root directory is "/home/user/my-package" but some secrets are stored in
"/home/user/my-package-secrets". Evaluating a check that
"/home/user/my-package-secrets".startswith("/home/user/my-package") will
return True, but the statement's intention is that no file outside of
"/home/user/my-package" can be accessed.

Using pathlib.Path.resolve() and pathlib.Path.parents eliminates this
edge case.

4249da1 uses `pathlib.Path.resolve()` instead of `os.path.abspath()`
to canonicalize path names. `resolve()` resolves symlinks, whereas
`abspath()` does not. `resolve()` can also raise a `RuntimeError` if
infinite loops are discovered while resolving the path. There is some
concern that using `resolve()` would not be backwards compatible. This
commit switches back to `abspath()` but still uses `Path.parents` to
avoid the edge case. See PR #3595 for more details.