jszip - npm Package Compare versions
Comparing version 3.7.1 to 3.8.0
@@ -7,6 +7,10 @@ --- | ||
| ### v3.8.0 2022-03-30 | ||
| - Santize filenames when files are loaded with `loadAsync`, to avoid ["zip slip" attacks](https://snyk.io/research/zip-slip-vulnerability). The original filename is available on each zip entry as `unsafeOriginalName`. See the [documentation](https://stuk.github.io/jszip/documentation/api_jszip/load_async.html). Many thanks to McCaulay Hudson for reporting. | ||
| ### v3.7.1 2021-08-05 | ||
| - Fix build of `dist` files. | ||
| + Note: this version ensures the changes from 3.7.0 are actually included in the `dist` files. Thanks to Evan W for reporting. | ||
| + Note: this version ensures the changes from 3.7.0 are actually included in the `dist` files. Thanks to Evan W for reporting. | ||
@@ -13,0 +17,0 @@ ### v3.7.0 2021-07-23 |
@@ -68,2 +68,7 @@ // Type definitions for JSZip 3.1 | ||
| name: string; | ||
| /** | ||
| * Present for files loadded with `loadAsync`. May contain ".." path components that could | ||
| * result in a zip-slip attack. See https://snyk.io/research/zip-slip-vulnerability | ||
| */ | ||
| unsafeOriginalName?: string; | ||
| dir: boolean; | ||
@@ -147,2 +152,3 @@ date: Date; | ||
| createFolders?: boolean; | ||
| decodeFileName?: (bytes: string[] | Uint8Array | Buffer) => string; | ||
| } | ||
@@ -149,0 +155,0 @@ } |
@@ -48,3 +48,3 @@ 'use strict'; | ||
| // a require('package.json').version doesn't work with webpack, see #327 | ||
| JSZip.version = "3.7.1"; | ||
| JSZip.version = "3.8.0"; | ||
@@ -51,0 +51,0 @@ JSZip.loadAsync = function (content, options) { |
@@ -64,3 +64,7 @@ 'use strict'; | ||
| var input = files[i]; | ||
| zip.file(input.fileNameStr, input.decompressed, { | ||
| var unsafeName = input.fileNameStr; | ||
| var safeName = utils.resolve(input.fileNameStr); | ||
| zip.file(safeName, input.decompressed, { | ||
| binary: true, | ||
@@ -75,2 +79,5 @@ optimizedBinaryString: true, | ||
| }); | ||
| if (!input.dir) { | ||
| zip.file(safeName).unsafeOriginalName = unsafeName; | ||
| } | ||
| } | ||
@@ -77,0 +84,0 @@ if (zipEntries.zipComment.length) { |
@@ -321,2 +321,27 @@ 'use strict'; | ||
| /** | ||
| * Resolve all relative path components, "." and "..", in a path. If these relative components | ||
| * traverse above the root then the resulting path will only contain the final path component. | ||
| * | ||
| * All empty components, e.g. "//", are removed. | ||
| * @param {string} path A path with / or \ separators | ||
| * @returns {string} The path with all relative path components resolved. | ||
| */ | ||
| exports.resolve = function(path) { | ||
| var parts = path.split("/"); | ||
| var result = []; | ||
| for (var index = 0; index < parts.length; index++) { | ||
| var part = parts[index]; | ||
| // Allow the first and last component to be empty for trailing slashes. | ||
| if (part === "." || (part === "" && index !== 0 && index !== parts.length - 1)) { | ||
| continue; | ||
| } else if (part === "..") { | ||
| result.pop(); | ||
| } else { | ||
| result.push(part); | ||
| } | ||
| } | ||
| return result.join("/"); | ||
| }; | ||
| /** | ||
| * Return the type of the input. | ||
@@ -429,4 +454,4 @@ * The type will be in a format valid for JSZip.utils.transformTo : string, array, uint8array, arraybuffer. | ||
| var promise = external.Promise.resolve(inputData).then(function(data) { | ||
| var isBlob = support.blob && (data instanceof Blob || ['[object File]', '[object Blob]'].indexOf(Object.prototype.toString.call(data)) !== -1); | ||
@@ -433,0 +458,0 @@ |
| { | ||
| "name": "jszip", | ||
| "version": "3.7.1", | ||
| "version": "3.8.0", | ||
| "author": "Stuart Knightley <stuart@stuartk.com>", | ||
@@ -9,3 +9,3 @@ "description": "Create, read and edit .zip files with JavaScript http://stuartk.com/jszip", | ||
| "test-node": "qunit --require ./test/helpers/test-utils.js --require ./test/helpers/node-test-utils.js test/asserts/", | ||
| "test-browser": "grunt build && grunt test", | ||
| "test-browser": "grunt build && node test/run.js", | ||
| "lint": "grunt jshint" | ||
@@ -47,9 +47,9 @@ }, | ||
| "grunt-cli": "~1.1.0", | ||
| "grunt-contrib-connect": "~2.0.0", | ||
| "grunt-contrib-jshint": "~1.0.0", | ||
| "grunt-contrib-uglify": "~4.0.1", | ||
| "grunt-saucelabs": "Stuk/grunt-saucelabs#v10.0.0", | ||
| "http-server": "^13.0.2", | ||
| "jshint": "~2.9.1", | ||
| "jszip-utils": "~0.0.2", | ||
| "package-json-versionify": "1.0.2", | ||
| "playwright": "^1.15.2", | ||
| "qunit": "~2.9.2", | ||
@@ -56,0 +56,0 @@ "tmp": "0.0.28" |
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.04%
668943
- Number of package files
- increased by4.08%
51
- Lines of code
- increased by0.93%
14380
- Number of medium supply chain risk alerts
- decreased by-100%
0