fix(deps): update dependency file-type to v21 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
file-type	^19.0.0 → ^21.0.0

---

file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header

CVE-2026-31808 / GHSA-5v7r-6r5c-r473

More information

Details

Impact

A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever.

Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.

Patches

Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

Workarounds

Validate or limit the size of input buffers before passing them to file-type, or run file type detection in a worker thread with a timeout.

References

• Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

Reporter

crnkovic@lokvica.com

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473
• https://nvd.nist.gov/vuln/detail/CVE-2026-31808
• https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f
• https://github.com/advisories/GHSA-5v7r-6r5c-r473

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sindresorhus/file-type (file-type)

v21.3.1

Compare Source

• Fix infinite loop in ASF parser on malformed input (GHSA-5v7r-6r5c-r473) 319abf8

---

v21.3.0

Compare Source

• Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#​779) d223491

---

v21.2.0

Compare Source

• Add support for SPSS data files (#​787) 889f638
• Add support for JMP (#​784) 093dba0

---

v21.1.1

Compare Source

• Fix handling of partial Gunzip file (#​783) 710e053

---

v21.1.0

Compare Source

• Add support for .tar.gz (gunzipped tarball file) (#​763) eda03a7
• Add support for Windows registry (.reg) files 0db61ec 7d2ddcf
• Add support for Windows registry hive file (.dat) (#​767) f8d62be
• Fix: Handle partial unzip (#​773) 7ad3a90

---

v21.0.0

Compare Source

Breaking

• Require Node.js 20 24aec1f
• Drop Adobe Illustrator (.ai) detection support (#​743) af169f3
• Correct Matroska (video) MIME-type to formal IANA registration (#​753) f53f5ff
• Correct FLAC MIME-type to formal IANA registration (#​755) b9fda36
• Correct Apache Parquet MIME-type to formal IANA registration (#​748) 98e3f8e
• Correct Apache Arrow MIME-type to formal IANA registration (#​754) 7184775

Improvements

• Allow options to be directly passed to exported functions (#​752) d264029
• Add mpegOffsetTolerance option (#​646) c40840a

Fixes

• Fix detection of some PAX TAR formats (#​762) 574d0d6

---

v20.5.0

Compare Source

• Add support Office PowerPoint 2007 (macro-enabled) slide show (#​747) f1b4c7a

---

v20.4.1

Compare Source

• Add workaround for using bundler as the module-resolution in TypeScript (#​744) 90bfe33

---

v20.4.0

Compare Source

• Add support for OpenType Font Collection (TTC) (#​737) 3e576a6

---

v20.3.0

Compare Source

• Add node subpath export (#​741) 8d39f66
• Allow require to load file-type as ES Module (#​736) 8d39f66

---

v20.2.0

Compare Source

• Add support for RealMedia (#​740) d05d49d

---

v20.1.0

Compare Source

• Improve WebP detection (#​733) ef486f1

---

v20.0.1

Compare Source

• Fix detecting small PDF file (#​728) f34e9f7

---

v20.0.0

Compare Source

Breaking

• Drop MIME-type and extension enumeration in types (#​693) 0ff11c6
• Remove NodeFileTypeParser in favor of using FileTypeParser on all platforms (#​707) ff8eed8

Improvements

• Give API access to FileTypeParser#detectors (#​704) 7e72bbc
• Improve Nikon RAW NEF (Tiff) format detection (#​670) cf6fc1e
• Add support for Java archive (.jar) (#​719) 8651809
• Add support for MSOffice macro-enabled docs and templates (#​720) 7fe5667
• Add support for OpenDocument graphics and templates (#​718) 4db407d
• Add support for Microsoft Excel template with macros (.xltm) (#​714) 1fe621a
• Add support for Microsoft Word template (.dotx) (#​713) 643ef78
• Add support for Microsoft Excel template (.xltx) (#​712) 0dab3e0
• Add support for Microsoft PowerPoint template ( .potx) (#​710) f978619
• Add support for ZIP decompression using @tokenizer/inflate (#​695) 399b0f1
• Add support for .lz4 file format (#​706) 74acf94
• Add support for format .drc, Google's Draco 3D Data Compression (#​702) e99257d

Fixes

• Fix code sequence "File Type Box" detection (#​705) 7d4dd8d

---

v19.6.0

Compare Source

• Add ability to abort async operations (#​667) 5ce98f3
• Add support for APK (#​679) 7b10012
• Fix Opus MIME-type (#​682) 4dcb8c5
• Fix: Ensure web-stream is released after detection (#​680) 9945877

v19.5.0

Compare Source

• Add support for WebVTT (#​658) 21ed763

v19.4.1

Compare Source

• Fix passing options to fileTypeStream in default entry point (#​653) ea314a4

v19.4.0

Compare Source

• Add support for web streams for fileTypeStream() (#​649) 2000141
• Fix options in combination with fileTypeStream() (#​650) bd3b5a4

v19.3.0

Compare Source

• Add support for Microsoft Visio files (#​647) 2744be7

v19.2.0

Compare Source

• Add NodeFileTypeParser#fromFile() (#​644) 9d2ee02
• Update dependencies (#​645) 6440b3d

v19.1.1

Compare Source

• Fix Node.js entry point export fileTypeFromTokenizer (#​639) 20fdba7

v19.1.0

Compare Source

• Replace Buffer usage with Uint8Array (#​633) 00e051b
• Add support for reading from a web stream (#​635) b815b5e

Release notes

• Please note that fileTypeFromBlob(blob) is streaming the Blob instead of buffering, which require at least Node.js ≥ 20.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

---

🐋 🤖

🔃

A docker image for this PR is being built!

docker pull freyrcli/freyrjs-git:pr-777

Base (master)

---

What's this?

This docker image is a self-contained sandbox that includes all the patches made in this PR. Allowing others to easily use your patches without waiting for it to get merged and released officially.

For more context, see https://github.com/miraclx/freyr-js#docker-development.