CWE-1333 vulnerability in minimatch (dependency of glob)

[FroYo425]

archiver-utils currently uses glob@10, however that version of glob relies on minimatch@9 which has a CWE-1333 vulnerability.

Could you please update this dependency to glob@11 or higher?

This was reported 2 days ago: GHSA-3ppc-4f35-3m26

[Xenope]

Need that as well but not sure this repo is maintained anymore.

[catamphetamine]

Hi,

In case anyone's interested, I made a fork of archiver today to fix the npm security issue.

The forked code is for an unreleased (for some reason) version of archiver@8.0.0.
It has a breaking change though: the minimum supported Node.js version now is 18.

And the default export is now replaced with a named export called ZipArchive with the first argument "zip" now being omitted.

The forked package also contains other fixes such as added TypeScript definitions, removing outdated/deprecated dependencies, etc.

The forked package is available on npm as archiver-node:
https://www.npmjs.com/package/archiver-node

npm install archiver-node --save

import { ZipArchive } from 'archiver-node'

const archive = new ZipArchive({ ... options ... })

[gameroman]

If anyone is interested there is also https://github.com/node-archiver/archiver