twolfson / grunt-zip

Zip and unzip files via a grunt plugin
MIT License
87 stars 19 forks

Update JSZip to address vulnerability #58

Closed: jspangler closed 11 months ago

jspangler commented 11 months ago

JSZip 3 went from synchronous logic to async. I updated the zip and unzip tasks to work with the new async approach.

twolfson commented 11 months ago

I dug into the jszip code and added a reject(new Error('test')); inside StreamHelper#accumulate. It all behaved as we'd hope so we're good =) (i.e. raised error synchronously from await + Grunt caught that)

twolfson commented 11 months ago

Taking additional step of adjusting Node.js version to >= 8 due to async/await requirement (2018, https://v8.dev/blog/fast-async). Kind of ridiculous we've been on >= 0.10.0 previous to that (2013) -- or maybe that's just what I had as boilerplate.

twolfson commented 11 months ago

This has been released in grunt-zip@1.0.0 (major release due to Node.js version change)

Thanks so much for your efforts here!!

jspangler commented 11 months ago

I appreciate you looking into this so quickly, thanks for the merge!