Skip to content

chore(deps): update dependency file-type to v21 [security]#618

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-file-type-vulnerability
Open

chore(deps): update dependency file-type to v21 [security]#618
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-file-type-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 11, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
file-type ^16.5.4^21.0.0 age confidence

file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header

CVE-2026-31808 / GHSA-5v7r-6r5c-r473

More information

Details

Impact

A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever.

Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.

Patches

Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

Workarounds

Validate or limit the size of input buffers before passing them to file-type, or run file type detection in a worker thread with a timeout.

References
  • Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f
Reporter

crnkovic@lokvica.com

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sindresorhus/file-type (file-type)

v21.3.1

Compare Source


v21.3.0

Compare Source

  • Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#​779) d223491

v21.2.0

Compare Source


v21.1.1

Compare Source


v21.1.0

Compare Source


v21.0.0

Compare Source

Breaking
  • Require Node.js 20 24aec1f
  • Drop Adobe Illustrator (.ai) detection support (#​743) af169f3
  • Correct Matroska (video) MIME-type to formal IANA registration (#​753) f53f5ff
  • Correct FLAC MIME-type to formal IANA registration (#​755) b9fda36
  • Correct Apache Parquet MIME-type to formal IANA registration (#​748) 98e3f8e
  • Correct Apache Arrow MIME-type to formal IANA registration (#​754) 7184775
Improvements
Fixes

v20.5.0

Compare Source

  • Add support Office PowerPoint 2007 (macro-enabled) slide show (#​747) f1b4c7a

v20.4.1

Compare Source

  • Add workaround for using bundler as the module-resolution in TypeScript (#​744) 90bfe33

v20.4.0

Compare Source


v20.3.0

Compare Source


v20.2.0

Compare Source


v20.1.0

Compare Source


v20.0.1

Compare Source


v20.0.0

Compare Source

Breaking
  • Drop MIME-type and extension enumeration in types (#​693) 0ff11c6
  • Remove NodeFileTypeParser in favor of using FileTypeParser on all platforms (#​707) ff8eed8
Improvements
Fixes

v19.6.0

Compare Source

v19.5.0

Compare Source

v19.4.1

Compare Source

  • Fix passing options to fileTypeStream in default entry point (#​653) ea314a4

v19.4.0

Compare Source

v19.3.0

Compare Source

v19.2.0

Compare Source

v19.1.1

Compare Source

  • Fix Node.js entry point export fileTypeFromTokenizer (#​639) 20fdba7

v19.1.0

Compare Source

Release notes

  • Please note that fileTypeFromBlob(blob) is streaming the Blob instead of buffering, which require at least Node.js ≥ 20.

v19.0.0

Compare Source

Breaking
  • Require Node.js 18 7f4b30b
  • Use mime type audio/wav instead of audio/vnd.wave for .wav files (#​620) c7c923c

v18.7.0

Compare Source

v18.6.0

Compare Source

v18.5.0

Compare Source

v18.4.0

Compare Source

v18.3.0

Compare Source

v18.2.1

Compare Source

v18.2.0

Compare Source

v18.1.0

Compare Source

Improvements
Fixes

v18.0.0

Compare Source

Breaking

v17.1.6

Compare Source

v17.1.5

Compare Source

  • Fix PDF detection in some cases a0c24eb

v17.1.4

Compare Source

v17.1.3

Compare Source

v17.1.2

Compare Source

v17.1.1

Compare Source

v17.1.0

Compare Source

v17.0.2

Compare Source

  • Prevent "Concurrent read operation" error to be thrown in some cases while reading from a stream (#​510) 565f7f3

v17.0.1

Compare Source

  • Update strtok3 & token-types dependencies for explicit node:buffer imports (#​507) b27fb5f

v17.0.0

Compare Source

Breaking
  • Require Node.js 12.20 (#​472) 826b4ad
  • This package is now pure ESM. Please read this.
  • Remove the /browser sub-export 287e361
    • Browser support is now included by default.
  • Moved from a default export to named exports:
    require('file-type').fromBufferimport {fileTypeFromBuffer} from 'file-type'
    require('file-type').fromFileimport {fileTypeFromFile} from 'file-type'
    require('file-type').fromStreamimport {fileTypeFromStream} from 'file-type'
    require('file-type').fromTokenizerimport {fileTypeFromTokenizer} from 'file-type'
    require('file-type').streamimport {fileTypeStream} from 'file-type'
    require('file-type').extensionsimport {supportedExtensions} from 'file-type'
    require('file-type').mimeTypesimport {supportedMimeTypes} from 'file-type'
Improvements
Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Mar 11, 2026
@renovate
renovate Bot force-pushed the renovate/npm-file-type-vulnerability branch from 7ddd79a to ed8e6a0 Compare March 13, 2026 14:56
@renovate renovate Bot changed the title chore(deps): update dependency file-type to v21 [security] chore(deps): update dependency file-type to v21 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate
renovate Bot deleted the renovate/npm-file-type-vulnerability branch March 27, 2026 00:44
@renovate renovate Bot changed the title chore(deps): update dependency file-type to v21 [security] - autoclosed chore(deps): update dependency file-type to v21 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate
renovate Bot force-pushed the renovate/npm-file-type-vulnerability branch 2 times, most recently from ed8e6a0 to ad18c64 Compare March 30, 2026 18:13
@renovate renovate Bot changed the title chore(deps): update dependency file-type to v21 [security] chore(deps): update dependency file-type to v21 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency file-type to v21 [security] - autoclosed chore(deps): update dependency file-type to v21 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate
renovate Bot force-pushed the renovate/npm-file-type-vulnerability branch 3 times, most recently from bc87321 to fc2ab93 Compare May 3, 2026 19:35
@renovate
renovate Bot force-pushed the renovate/npm-file-type-vulnerability branch from fc2ab93 to 62249fe Compare June 8, 2026 03:44
@renovate renovate Bot changed the title chore(deps): update dependency file-type to v21 [security] chore(deps): update dependency file-type to v21 [security] - autoclosed Jul 1, 2026
@renovate renovate Bot closed this Jul 1, 2026
@renovate renovate Bot changed the title chore(deps): update dependency file-type to v21 [security] - autoclosed chore(deps): update dependency file-type to v21 [security] Jul 4, 2026
@renovate renovate Bot reopened this Jul 4, 2026
@renovate
renovate Bot force-pushed the renovate/npm-file-type-vulnerability branch 2 times, most recently from 62249fe to 6b774f9 Compare July 4, 2026 04:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants