🚨 [security] Update jszip: 3.7.1 → 3.10.1 (minor)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ jszip (3.7.1 → 3.10.1) · Repo · Changelog

Security Advisories 🚨

🚨 JSZip contains Path Traversal via loadAsync

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.

Release Notes

3.10.1 (from changelog)

• Add sponsorship files.
  • If you appreciate the time spent maintaining JSZip then I would really appreciate your sponsorship.
• Consolidate metadata types and expose OnUpdateCallback #851 and #852
• use const instead var in example from README.markdown #828
• Switch manual download link to HTTPS #839

Internals:

• Replace jshint with eslint #842
• Add performance tests #834

3.10.0 (from changelog)

• Change setimmediate dependency to more efficient one. Fixes #617 (see #829)
• Update types of currentFile metadata to include null (see #826)

3.9.1 (from changelog)

• Fix recursive definition of InputFileFormat introduced in 3.9.0.

3.9.0 (from changelog)

• Update types JSZip#loadAsync to accept a promise for data, and remove arguments from new JSZip() (see #752)
• Update types for compressionOptions to JSZipFileOptions and JSZipGeneratorOptions (see #722)
• Add types for generateInternalStream (see #774)

3.8.0 (from changelog)

• Santize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 68 commits:

• 3.10.1
• Updates for v3.10.1
• Update changelog for 3.10.1
• Add Jekyll files to gitignore
• Merge pull request #852 from Stuk/metadata-ts
• Consolidate metadata types and expose OnUpdateCallback
• Add sponsorship files
• Update package-lock for benchmark
• Merge pull request #841 from stevennyman/patch-2
• Merge pull request #834 from Stuk/benchmark
• Add trailing newlines
• Add benchmark to PR workflow
• Align on "benchmark" instead of "perf"
• Update actions/cache to v3
• Add perf/benchmark for browser
• Refactor test runner for perf tests
• Add node perf test
• Merge pull request #839 from stevennyman/patch-1
• Merge pull request #842 from Stuk/eslint
• Fix eslint errors
• Replace jshint with eslint
• Update package-lock
• Update current version on website
• Switch manual download link to HTTPS
• Merge pull request #828 from morfey13/patch-1
• Fix typos in changelog and update publishing instructions
• 3.10.0
• Update build and changes for 3.10.0
• Merge pull request #829 from Stuk/setimmediate
• Update package-lock
• robust setimmediate polyfill
• use `const` instead `var` in example from README.markdown
• Merge pull request #826 from zaknicholsdev/main
• undo prettier
• add null type to metadata
• Update github action to run on pushes to main
• Further renaming to main and tidy up of badges
• Make default branch main
• Just run test command as part of PR
• 3.9.1
• Changes for 3.9.1
• Remove recursive InputFileFormat type
• 3.9.0
• Updates for 3.9.0
• Amend generateInternalStream typings to remove any
• Add type checking of d.ts file
• Adjust package.json order to make releasing easier
• Update documentation
• Extract CompressionOptions to interface
• Types definitions for generateInternalStream method and StreamHelper class
• Merge pull request #752 from Peeja/patch-3
• Merge pull request #722 from KyleJonesWinsted/master
• Merge pull request #813 from Stuk/santize-loaded-filenames
• 3.8.0
• Sanitize filenames with `loadAsync` to prevent zip slip attacks
• Update contributing
• Add tests for utils that remove leading slash
• Merge pull request #541 from PatricSteffen/patch-1
• Merge pull request #737 from satoshicano/update-types-JSZipLoadOptions
• Merge pull request #796 from Stuk/ghci
• Add dependency caching
• Install deps needed for Playwright on Github Actions
• Remove code and dependencies used for Saucelabs
• Test using Playwright instead of Saucelabs
• Use local qunit files in tests
• Add playwright and http-server
• Add names to steps
• Add Github Actions PR workflow

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

---

This change is 

[changelogg[bot]]

Hey! Changelogs info seems to be missing or might be in incorrect format. Please use the below template in PR description to ensure Changelogg can detect your changes:

    - (tag) changelog_text

or
```
- tag: changelog_text
```
**OR**
You can add tag in PR header or while doing a commit too
```    
(tag) PR header
```
or
```
tag: PR header
```
Valid tags: **added** / **feat**, **changed**, **deprecated**, **fixed** / **fix**, **removed**, **security**, **build**, **ci**, **chore**, **docs**, **perf**, **refactor**, **revert**, **style**, **test**
Thanks!
For more info, check out [changelogg docs](https://docs.changelogg.io/)