CVE-2026-31988 medium severity vulnerability in yauzl 2.10.0 (incorrectly reported)

[MikeMcC399]

Current behavior

npm audit reports a moderate severity vulnerability CVE-2026-31988 (GHSA-gmq8-994r-jv83) in the npm module yauzl<3.2.1:

$ npm audit
# npm audit report

yauzl  <3.2.1
Severity: moderate
yauzl contains an off-by-one error - https://github.com/advisories/GHSA-gmq8-994r-jv83
fix available via `npm audit fix --force`
Will install cypress@0.0.1, which is a breaking change
node_modules/yauzl
  cypress  >=0.1.0
  Depends on vulnerable versions of extract-zip
  Depends on vulnerable versions of yauzl
  node_modules/cypress
  extract-zip  *
  Depends on vulnerable versions of yauzl
  node_modules/extract-zip

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Desired behavior

Installing Cypress should not show any vulnerabilities when running npm audit.

Test code to reproduce

cd $(mktemp -d)
npm install cypress
npm audit

Cypress Version

15.12.0

Debug Logs

Other

• yauzl@2.10.0 was released in Jul 2018
  • it is used as a direct dependency in cli/package.json
  • and as a transient dependency of extract-zip@2.0.1, current latest version, published June 2020
• yauzl Change History

[alexsch01]

Regarding this, I just opened github/advisory-database#7159

[MikeMcC399]

The original article https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash says that the vulnerability was introduced in 3.2.0.

I would therefore currently ignore this vulnerability warning and expect that the advisory database & vulnerability detection would be updated accordingly.