
Vulnerable to Infinite Loop via malformed MKV file through file-type package #100

Open
Description

@qooban

The following report is provided by NPM audit when using the latest version of decompress package (v4.2.1):

file-type  <16.5.4
Severity: moderate
file-type vulnerable to Infinite Loop via malformed MKV file - https://github.com/advisories/GHSA-mhxj-85r3-2x55

node_modules/decompress-tar/node_modules/file-type
node_modules/decompress-tarbz2/node_modules/file-type
node_modules/decompress-targz/node_modules/file-type
node_modules/decompress-unzip/node_modules/file-type
  decompress-tar  >=4.0.0

  Depends on vulnerable versions of file-type
  node_modules/decompress-tar
  decompress-tarbz2  >=4.0.0

  Depends on vulnerable versions of file-type
  node_modules/decompress-tarbz2
    decompress  >=4.0.0
    Depends on vulnerable versions of decompress-tarbz2
    node_modules/decompress

  decompress-targz  >=4.0.0
  Depends on vulnerable versions of file-type
  node_modules/decompress-targz
  
  decompress-unzip  >=4.0.1
  Depends on vulnerable versions of file-type
  node_modules/decompress-unzip

More details about the problem are provided here: GHSA-mhxj-85r3-2x55

The fix was implemented in file-type v16.5.4, so probably file-type should just be bumped in sub-packages: decompress-tar, decompress-tarbz2, decompress-targz, decompress-unzip.
