Skip to content
This repository was archived by the owner on Aug 5, 2025. It is now read-only.

fix(deps): update dependency jszip to v3 [security] #233

Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency jszip to v3 [security] #233

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 10, 2022
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
jszip 2.6.1 -> 3.8.0 age confidence

GitHub Vulnerability Alerts

CVE-2021-23413

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.

CVE-2022-48285

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.

Release Notes

Stuk/jszip (jszip)

v3.8.0

Compare Source

  • Santize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

v3.7.1

Compare Source

  • Fix build of dist files.
    • Note: this version ensures the changes from 3.7.0 are actually included in the dist files. Thanks to Evan W for reporting.

v3.7.0

Compare Source

  • Fix: Use a null prototype object for this.files (see #​766)
    • This change might break existing code if it uses prototype methods on the .files property of a zip object, for example zip.files.toString(). This approach is taken to prevent files in the zip overriding object methods that would exist on a normal object.

v3.6.0

Compare Source

  • Fix: redirect main to dist on browsers (see #​742)
  • Fix duplicate require DataLengthProbe, utils (see #​734)
  • Fix small error in read_zip.md (see #​703)

v3.5.0

Compare Source

  • Fix 'End of data reached' error when file extra field is invalid (see #​544).
  • Typescript definitions: Add null to return types of functions that may return null (see #​669).
  • Typescript definitions: Correct nodeStream's type (see #​682)
  • Typescript definitions: Add string output type (see #​666)

v3.4.0

Compare Source

  • Add Typescript type definitions (see #​601).

v3.3.0

Compare Source

  • Change browser module resolution to support Angular packager (see #​614).

v3.2.2

Compare Source

  • No public changes, but a number of testing dependencies have been updated.
  • Tested browsers are now: Internet Explorer 11, Chrome (most recent) and Firefox (most recent). Other browsers (specifically Safari) are still supported however testing them on Saucelabs is broken and so they were removed from the test matrix.

v3.2.1

Compare Source

  • Corrected built dist files

v3.2.0

Compare Source

  • Update dependencies to reduce bundle size (see #​532).
  • Fix deprecated Buffer constructor usage and add safeguards (see #​506).

v3.1.5

Compare Source

  • Fix IE11 memory leak (see #​429).
  • Handle 2 nodejs deprecations (see #​459).
  • Improve the "unsupported format" error message (see #​461).
  • Improve webworker compatibility (see #​468).
  • Fix nodejs 0.10 compatibility (see #​480).
  • Improve the error without type in async() (see #​481).

v3.1.4

Compare Source

  • consistently use our own utils object for inheritance (see #​395).
  • lower the memory consumption in generate* with a lot of files (see #​449).

v3.1.3

Compare Source

  • instanceof failing in window / iframe contexts (see #​350).
  • remove a copy with blob output (see #​357).
  • fix crc32 check for empty entries (see #​358).
  • fix the base64 error message with data uri (see #​359).

v3.1.2

Compare Source

  • fix support of nodejs process.platform in generate* methods (see #​335).
  • improve browserify/webpack support (see #​333).
  • partial support of a promise of text (see #​337).
  • fix streamed zip files containing folders (see #​342).

v3.1.1

Compare Source

  • Use a hard-coded JSZip.version, fix an issue with webpack (see #​328).

v3.1.0

Compare Source

  • utils.delay: use macro tasks instead of micro tasks (see #​288).
  • Harden base64 decode (see #​316).
  • Add JSZip.version and the version in the header (see #​317).
  • Support Promise(Blob) (see #​318).
  • Change JSZip.external.Promise implementation (see #​321).
  • Update pako to v1.0.2 to fix a DEFLATE bug (see #​322).

v3.0.0

Compare Source

This release changes a lot of methods, please see the upgrade guide.

  • replace sync getters and generate() with async methods (see #​195).
  • support nodejs streams (in file() and generateAsync()).
  • support Blob and Promise in file() and loadAsync() (see #​275).
  • add support.nodestream.
  • zip.filter: remove the defensive copy.
  • remove the deprecated API (see #​253).
  • type is now mandatory in generateAsync().
  • change the createFolders default value (now true).
  • Dates: use UTC instead of the local timezone.
  • Add base64 and array as possible output type.
  • Add a forEach method.
  • Drop node 0.8 support (see #​270).

v2.7.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Nov 10, 2022
@renovate renovate bot changed the title fix(deps): update dependency jszip to v2.7.0 [security] Update dependency jszip to v2.7.0 [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency jszip to v2.7.0 [SECURITY] fix(deps): update dependency jszip to v2.7.0 [security] Dec 17, 2022
@renovate renovate bot changed the title fix(deps): update dependency jszip to v2.7.0 [security] fix(deps): update dependency jszip to v2.7.0 [security] - autoclosed Dec 21, 2022
@renovate renovate bot closed this Dec 21, 2022
@renovate renovate bot deleted the renovate/npm-jszip-vulnerability branch December 21, 2022 03:09
@renovate renovate bot changed the title fix(deps): update dependency jszip to v2.7.0 [security] - autoclosed fix(deps): update dependency jszip to v2.7.0 [security] Dec 21, 2022
@renovate renovate bot reopened this Dec 21, 2022
@renovate renovate bot restored the renovate/npm-jszip-vulnerability branch December 21, 2022 05:05
@renovate renovate bot force-pushed the renovate/npm-jszip-vulnerability branch from 7e5ed10 to dd52464 Compare February 9, 2023 05:08
@renovate renovate bot changed the title fix(deps): update dependency jszip to v2.7.0 [security] fix(deps): update dependency jszip to v3 [security] Feb 9, 2023
@renovate renovate bot changed the title fix(deps): update dependency jszip to v3 [security] fix(deps): update dependency jszip to v3 [security] - autoclosed Feb 12, 2023
@renovate renovate bot closed this Feb 12, 2023
@renovate renovate bot deleted the renovate/npm-jszip-vulnerability branch February 12, 2023 03:06
@renovate renovate bot changed the title fix(deps): update dependency jszip to v3 [security] - autoclosed fix(deps): update dependency jszip to v3 [security] Feb 12, 2023
@renovate renovate bot reopened this Feb 12, 2023
@renovate renovate bot restored the renovate/npm-jszip-vulnerability branch February 12, 2023 04:21
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant