Not really. Relative URIs are resolved based on directories, not path components (unlike Python’s os.path.abspath), so by extracting the file into a directory you’re changing the semantic meaning of the URI.
Given a relative path ./bar, on a page /foo/ it is resolved into /foo/bar, but on page /foo (notice the lack of trailing slash) it is resolved into /bar. So ./dep-0.1.0.tar.gz should resolve to a file besides pkg-0.1.tar.gz, not inside it. Which is why option 2 is correct IMO.