Skip to content

build(deps): bump adm-zip from 0.5.16 to 0.6.0 in the npm_and_yarn group across 1 directory#454

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/npm_and_yarn-3605eba9ff
Open

build(deps): bump adm-zip from 0.5.16 to 0.6.0 in the npm_and_yarn group across 1 directory#454
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/npm_and_yarn-3605eba9ff

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 18, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 1 update in the / directory: adm-zip.

Updates adm-zip from 0.5.16 to 0.6.0

Release notes

Sourced from adm-zip's releases.

v0.6.0

Full Changelog: cthackers/adm-zip@v0.5.18...v0.6.0

This release fixes a security vulnerability (CVE-2026-39244), resolves several long-standing bugs, ships built-in TypeScript types, and includes two behavior changes worth reading before you upgrade.

  • extractEntryTo(dirEntry, target, maintainEntryPath = false) now preserves subdirectories instead of flattening files into the target folder by basename (which also silently overwrote same-named files). (#306)
  • Extraction no longer fails when the modification time can't be set — utimes is now best-effort. (#379)
  • Minimum Node.js is now 14 (the code already required it; engines was incorrectly >=12).
  • CVE-2026-39244 — a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc and OOM the process; allocation is now bounded by the data actually present. Reported by Daniel Púa (devploit), Anh Hong, and José Antonio Zamudio Amaya. (#568)
  • Hardened entry-name lookup against object injection (proto names). Prototype-less table.
  • Data-descriptor regression rejecting valid archives (#548, #533, #554)
  • Directory permissions not restored on extract (#530)
  • Infinite recursion on symlink loops in addLocalFolder (#541)
  • Uncaught process crash in writeFileToAsync on write failure (#470, #459, #402)
  • Empty name on directory entries (#466)
  • test() always returned false for archives with files
  • ~6× faster entry sorting for large archives
  • Built-in TypeScript definitions (types.d.ts) — you can drop @​types/adm-zip

v0.5.18

What's Changed

New Contributors

Full Changelog: cthackers/adm-zip@v0.5.17...v0.5.18

v0.5.17

What's Changed

New Contributors

Full Changelog: cthackers/adm-zip@v0.5.16...v0.5.17

Changelog

Sourced from adm-zip's changelog.

0.6.0 / 2026-07-10

Security

  • Fixed CVE-2026-39244: a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc (memory exhaustion / DoS) before any validation. Allocation is now bounded by the data actually present — STORED output is sized from the real bytes, DEFLATED output is grown by the inflater and capped at the declared size (#568)
  • Hardened the internal entry-name lookup table against object injection: entry names come from untrusted archives, and a name such as __proto__ previously resolved to Object.prototype, crashing addFile and hiding the entry from getEntry/readFile. The table is now prototype-less

Bug fixes

  • Fixed a regression (0.5.15) that rejected valid archives using a data descriptor (general-purpose bit 3). The payload is now validated against the authoritative central-directory CRC instead of requiring/parsing the trailing descriptor (#548, #533, #554)
  • Fixed extractAllTo/extractAllToAsync not restoring directory permissions with keepOriginalPermission; directory modes are applied after their contents are written, deepest path first, and no longer lock the extractor out of a restrictive directory (#530)
  • Fixed infinite recursion in addLocalFolder when a folder contains a symlink pointing back to an ancestor (e.g. workspace node_modules); the walk now tracks resolved real paths and skips already-visited directories (#541)
  • Fixed an uncaught exception (ERR_INVALID_ARG_TYPE) that crashed the process when writeFileToAsync could not open the target file (bad permissions, invalid filename, exhausted file descriptors); write failures are now reported through the callback and write errors are no longer silently swallowed (#470, #459, #402)
  • Fixed directory entries reporting an empty name (e.g. a/b/c/ now returns c) (#466)
  • Fixed extractEntryTo flattening subdirectories when maintainEntryPath is false; the structure below the extracted directory is now preserved instead of collapsing (and overwriting) files by basename (#306)
  • Fixed a failed utimes aborting extraction; setting the modification time is now best-effort and never fails extraction of already-written content (#379)
  • Fixed test() always returning false for any archive containing a file (it indexed the entries array with an entry object instead of reading the entry); it now correctly verifies each entry's CRC

Performance

  • Faster entry sorting when writing archives with many entries: names are decoded once instead of on every comparison (about 6× faster sort for large archives)

Added

  • Bundled TypeScript type definitions (types.d.ts), so @types/adm-zip is no longer required

Notes

  • Behavior change: extractEntryTo(dir, target, /* maintainEntryPath */ false) now preserves subdirectories beneath the extracted directory rather than flattening them
  • Behavior change: extraction no longer fails when the modification time cannot be set

0.5.4 / 2021-03-08

  • Fixed relative paths
  • Added zipcrypto encryption
  • Lower verMade for macOS when generating zip file

0.5.3 / 2021-02-07

  • Fixed filemode when unzipping

0.5.2 / 2021-01-27

  • Fixed path traversal issue (GHSL-2020-198)

0.5.1 / 2020-11-27

  • Incremented version (cthackers)
  • Fixed outFileName (cthackers)

0.5.0 / 2020-11-19

  • Added extra parameter to extractEntryTo so target filename can be renamed (cthackers)

... (truncated)

Commits
  • 2b4d840 updated minimum node engine version to >= 14
  • dc57f0f Hardened entry-name lookup, fixed test(), and sped up entry sorting
  • f81806a Made utimes best-effort so it can't abort extraction (#379)
  • ab04324 Fixed extractEntryTo flattening subdirectories (#306)
  • 8a5d9ba Fixed empty name for directory entries (#466)
  • 3e72790 Fixed uncaught crash in writeFileToAsync on write failure (#470, #459, #402)
  • 651ae4c Added typescript types
  • e72021d Fixed infinite recursion on symlink loops in addLocalFolder (#541)
  • 8f3176b Fixed directory permissions on linux
  • 4d2c8f9 Fixed error introduced with zip descriptor checks
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the / directory: [adm-zip](https://github.com/cthackers/adm-zip).


Updates `adm-zip` from 0.5.16 to 0.6.0
- [Release notes](https://github.com/cthackers/adm-zip/releases)
- [Changelog](https://github.com/cthackers/adm-zip/blob/master/history.md)
- [Commits](cthackers/adm-zip@v0.5.16...v0.6.0)

---
updated-dependencies:
- dependency-name: adm-zip
  dependency-version: 0.6.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 18, 2026
@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 68d2e22f-d67e-43a0-a0d4-5763a8c883b7

📥 Commits

Reviewing files that changed from the base of the PR and between 303f54e and 1e0559c.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated the ZIP archive handling dependency to a newer version.

Walkthrough

The pull request updates the adm-zip dependency constraint in package.json from ^0.5.10 to ^0.6.0.

Changes

Dependency Update

Layer / File(s) Summary
Update adm-zip version
package.json
The adm-zip dependency constraint changes from ^0.5.10 to ^0.6.0.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: humble-little-bear

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the adm-zip version bump, which matches the main change in the PR.
Description check ✅ Passed The description directly describes the adm-zip upgrade and its release notes, so it is clearly on-topic.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants