This PR contains the following updates:

| Package | Change |
| --- | --- |
| jszip | `3.7.1` -> `3.8.0` |
GitHub Vulnerability Alerts
CVE-2022-48285
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
Release Notes
Stuk/jszip (jszip)
### [`v3.8.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v380-2022-03-30)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.7.1...v3.8.0)
- Sanitize filenames when files are loaded with `loadAsync`, to avoid ["zip slip" attacks](https://snyk.io/research/zip-slip-vulnerability). The original filename is available on each zip entry as `unsafeOriginalName`. See the [documentation](https://stuk.github.io/jszip/documentation/api_jszip/load_async.html). Many thanks to McCaulay Hudson for reporting.
Configuration
- Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- Automerge: Disabled by config. Please merge this manually once you are satisfied.
- Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.