chore(deps): bump file-type from 16.5.4 to 21.3.2 in /packages/files #7697
dependabot[bot] wants to merge 1 commit into
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3075e22f70
| "@open-condo/miniapp-utils": "workspace:^", | ||
| "express": "^4.21.2", | ||
| "file-type": "16.5.4", | ||
| "file-type": "21.3.2", |
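Review bot: the only change in this hunk is the version string, but 16.5.4 to 21.3.2 crosses the release where file-type renamed `fromFile` to `fileTypeFromFile` and became ESM-only; the review comment below notes that `packages/files/detectMimeType.js` still does `const { fromFile } = require('file-type')`. Calling an undefined `fromFile` throws, and since the upload path falls back to the client/formidable MIME value, the magic-number check that is supposed to correct a spoofed Content-Type is silently bypassed for every upload. Suggest landing the API migration in the same PR (an async loader such as `const { fileTypeFromFile } = await import('file-type')`, or converting the module to ESM) together with a regression test that uploads a PDF declared as `image/png` and asserts the stored type is `application/pdf`.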
Update the file-type API usage
When this package is actually installed at v21, packages/files/detectMimeType.js still does const { fromFile } = require('file-type') and then calls fromFile(filepath), but file-type v21 exposes fileTypeFromFile instead of fromFile and documents the package as ESM. In the upload middleware path (packages/files/utils.js), this makes magic-number MIME detection fail for every uploaded file and fall back to the client/formidable MIME value, so spoofed or missing content types are no longer corrected.
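The failure mode described in the comment above, as an added example that is not code from the open-condo repo or from file-type itself. The two module objects are constructed stand-ins for what `require('file-type')` (v16 names) and `await import('file-type')` (v21 names) expose, built over a toy magic-number sniffer so the block runs with nothing installed; the real detectors are async and `fromFile`/`fileTypeFromFile` take a path, whereas the stubs here take the file's bytes directly. The `TEXT_FALLBACK` allowlist is an assumed policy, not something the PR or the library defines.

```javascript
// Added example (not open-condo or file-type code). Assumptions: stub module shapes,
// a toy sniffer, synchronous calls, and an assumed allowlist for undetectable text types.

// Constructed subset of the magic numbers file-type recognises.
const MAGIC = [
  { mime: 'image/png',       ext: 'png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg',      ext: 'jpg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',       ext: 'gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', ext: 'pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] },
  { mime: 'application/zip', ext: 'zip', bytes: [0x50, 0x4b, 0x03, 0x04] },
];

// Toy stand-in for file-type's detector: returns { ext, mime } or undefined.
function sniff(buf) {
  const hit = MAGIC.find(sig => buf.length >= sig.bytes.length &&
                                sig.bytes.every((b, i) => buf[i] === b));
  return hit ? { ext: hit.ext, mime: hit.mime } : undefined;
}

// Constructed module shapes: v16 (CommonJS export names) and v21 (ESM export names).
const fileTypeV16 = { fromBuffer: sniff, fromFile: sniff };
const fileTypeV21 = { fileTypeFromBuffer: sniff, fileTypeFromFile: sniff };

// The real v21 loader from a CommonJS module; defined but not called here because it
// needs the package installed. This is the line the bump forces you to change.
async function loadFileType() {
  return import('file-type');
}

// The pattern the review comment describes: v16 name destructured, any detector
// failure swallowed, client-declared MIME used as the fallback.
function detectMimeTypeLegacy(fileType, fileBytes, clientMime) {
  const { fromFile } = fileType;          // undefined once v21 is installed
  try {
    const detected = fromFile(fileBytes);  // TypeError under v21
    return detected ? detected.mime : clientMime;
  } catch (_err) {
    return clientMime;                     // fail-open: the spoofed type wins
  }
}

// Assumed policy for content the sniffer cannot identify (file-type only knows
// binary formats): trust the client's declared type only for these text types.
const TEXT_FALLBACK = new Set(['text/plain', 'text/csv']);

// Hardened: resolve the detector by name across majors, fail closed when the module
// shape is unexpected, and let a magic-number match override the client's claim.
function detectMimeTypeHardened(fileType, fileBytes, clientMime) {
  const detect = fileType.fileTypeFromBuffer || fileType.fromBuffer;
  if (typeof detect !== 'function') {
    throw new Error('file-type: no buffer detector exported; check the installed major');
  }
  const detected = detect(fileBytes);
  if (detected) return detected.mime;                   // evidence beats the claim
  if (TEXT_FALLBACK.has(clientMime)) return clientMime; // no magic number for text
  return 'application/octet-stream';                    // unknown binary: treat as opaque
}

// Constructed uploads: a PDF declared as PNG, a script declared as PNG, an honest CSV.
const PDF_AS_PNG = { bytes: Buffer.from('%PDF-1.7\n'), clientMime: 'image/png' };
const PHP_AS_PNG = { bytes: Buffer.from('<?php echo "not a png"; ?>'), clientMime: 'image/png' };
const CSV_AS_CSV = { bytes: Buffer.from('id,name\n1,alice\n'), clientMime: 'text/csv' };

function demo() {
  return {
    legacyV16:   detectMimeTypeLegacy(fileTypeV16, PDF_AS_PNG.bytes, PDF_AS_PNG.clientMime),   // application/pdf
    legacyV21:   detectMimeTypeLegacy(fileTypeV21, PDF_AS_PNG.bytes, PDF_AS_PNG.clientMime),   // image/png (spoof accepted)
    hardenedV21: detectMimeTypeHardened(fileTypeV21, PDF_AS_PNG.bytes, PDF_AS_PNG.clientMime), // application/pdf
    scriptV21:   detectMimeTypeHardened(fileTypeV21, PHP_AS_PNG.bytes, PHP_AS_PNG.clientMime), // application/octet-stream
    csvV21:      detectMimeTypeHardened(fileTypeV21, CSV_AS_CSV.bytes, CSV_AS_CSV.clientMime), // text/csv
  };
}

console.log(demo());
```

In the real middleware the detectors return promises, so `await` them; the PDF-declared-as-PNG case is the regression test worth adding alongside the bump, because it passes under v16, silently fails under v21 with the legacy shape, and passes again only once the export name and the fail-closed handling are both in place.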
| "@open-condo/miniapp-utils": "workspace:^", | ||
| "express": "^4.21.2", | ||
| "file-type": "16.5.4", | ||
| "file-type": "21.3.2", |
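Review bot: this hunk changes only the workspace manifest; there is no `yarn.lock` hunk in the diff, and the comment below confirms the checked-in lock still carries the `file-type@npm:16.5.4` resolution for `@open-condo/files`. With an immutable install the CI job fails on the drift, and with a mutable one the graph keeps resolving the old version while the manifest claims 21.3.2, so the bump does not actually remove the vulnerable code from the tree. Suggest regenerating the lockfile with `yarn install` and committing it in the same commit, then checking with `yarn why file-type` that only 21.3.2 resolves before merging.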
Update yarn.lock with the dependency bump
This changes the workspace manifest to require file-type 21.3.2, but the repo lockfile still only contains the @open-condo/files dependency on file-type: 16.5.4 and the file-type@npm:16.5.4 resolution. In environments that install with the checked-in lockfile/immutable installs, the dependency graph either stays pinned to the vulnerable old version or fails because the manifest and lockfile are out of sync.
Bumps [file-type](https://github.com/sindresorhus/file-type) from 16.5.4 to 21.3.2.
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v16.5.4...v21.3.2)

---
updated-dependencies:
- dependency-name: file-type
  dependency-version: 21.3.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
3075e22 to d45ed4d
Bumps file-type from 16.5.4 to 21.3.2.
Release notes
Sourced from file-type's releases.
... (truncated)
Commits
- e18028c 21.3.2
- a155cd7 Fix ZIP bomb in known-size ZIP probing
- 6954817 Harden parser more
- 370ed91 Fix bound recursive BOM and ID3 detection
- d2ecea1 Add a few more safeguards
- 41fcff5 Update readme
- a8f6934 Fix CI
- ad5857e 21.3.1
- 5d2fedf Harden parser
- 319abf8 Fix infinite loop in ASF parser on malformed input