Skip to content

deps(engine): bump the utilities group with 2 updates#113

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/utilities-c5855218fb
Open

deps(engine): bump the utilities group with 2 updates#113
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/utilities-c5855218fb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the utilities group with 2 updates: adm-zip and marked.

Updates adm-zip from 0.5.18 to 0.6.0

Release notes

Sourced from adm-zip's releases.

v0.6.0

Full Changelog: cthackers/adm-zip@v0.5.18...v0.6.0

This release fixes a security vulnerability (CVE-2026-39244), resolves several long-standing bugs, ships built-in TypeScript types, and includes two behavior changes worth reading before you upgrade.

  • extractEntryTo(dirEntry, target, maintainEntryPath = false) now preserves subdirectories instead of flattening files into the target folder by basename (which also silently overwrote same-named files). (#306)
  • Extraction no longer fails when the modification time can't be set — utimes is now best-effort. (#379)
  • Minimum Node.js is now 14 (the code already required it; engines was incorrectly >=12).
  • CVE-2026-39244 — a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc and OOM the process; allocation is now bounded by the data actually present. Reported by Daniel Púa (devploit), Anh Hong, and José Antonio Zamudio Amaya. (#568)
  • Hardened entry-name lookup against object injection (proto names). Prototype-less table.
  • Data-descriptor regression rejecting valid archives (#548, #533, #554)
  • Directory permissions not restored on extract (#530)
  • Infinite recursion on symlink loops in addLocalFolder (#541)
  • Uncaught process crash in writeFileToAsync on write failure (#470, #459, #402)
  • Empty name on directory entries (#466)
  • test() always returned false for archives with files
  • ~6× faster entry sorting for large archives
  • Built-in TypeScript definitions (types.d.ts) — you can drop @​types/adm-zip
Changelog

Sourced from adm-zip's changelog.

0.6.0 / 2026-07-10

Security

  • Fixed CVE-2026-39244: a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc (memory exhaustion / DoS) before any validation. Allocation is now bounded by the data actually present — STORED output is sized from the real bytes, DEFLATED output is grown by the inflater and capped at the declared size (#568)
  • Hardened the internal entry-name lookup table against object injection: entry names come from untrusted archives, and a name such as __proto__ previously resolved to Object.prototype, crashing addFile and hiding the entry from getEntry/readFile. The table is now prototype-less

Bug fixes

  • Fixed a regression (0.5.15) that rejected valid archives using a data descriptor (general-purpose bit 3). The payload is now validated against the authoritative central-directory CRC instead of requiring/parsing the trailing descriptor (#548, #533, #554)
  • Fixed extractAllTo/extractAllToAsync not restoring directory permissions with keepOriginalPermission; directory modes are applied after their contents are written, deepest path first, and no longer lock the extractor out of a restrictive directory (#530)
  • Fixed infinite recursion in addLocalFolder when a folder contains a symlink pointing back to an ancestor (e.g. workspace node_modules); the walk now tracks resolved real paths and skips already-visited directories (#541)
  • Fixed an uncaught exception (ERR_INVALID_ARG_TYPE) that crashed the process when writeFileToAsync could not open the target file (bad permissions, invalid filename, exhausted file descriptors); write failures are now reported through the callback and write errors are no longer silently swallowed (#470, #459, #402)
  • Fixed directory entries reporting an empty name (e.g. a/b/c/ now returns c) (#466)
  • Fixed extractEntryTo flattening subdirectories when maintainEntryPath is false; the structure below the extracted directory is now preserved instead of collapsing (and overwriting) files by basename (#306)
  • Fixed a failed utimes aborting extraction; setting the modification time is now best-effort and never fails extraction of already-written content (#379)
  • Fixed test() always returning false for any archive containing a file (it indexed the entries array with an entry object instead of reading the entry); it now correctly verifies each entry's CRC

Performance

  • Faster entry sorting when writing archives with many entries: names are decoded once instead of on every comparison (about 6× faster sort for large archives)

Added

  • Bundled TypeScript type definitions (types.d.ts), so @types/adm-zip is no longer required

Notes

  • Behavior change: extractEntryTo(dir, target, /* maintainEntryPath */ false) now preserves subdirectories beneath the extracted directory rather than flattening them
  • Behavior change: extraction no longer fails when the modification time cannot be set

0.5.4 / 2021-03-08

  • Fixed relative paths
  • Added zipcrypto encryption
  • Lower verMade for macOS when generating zip file

0.5.3 / 2021-02-07

  • Fixed filemode when unzipping

0.5.2 / 2021-01-27

  • Fixed path traversal issue (GHSL-2020-198)

0.5.1 / 2020-11-27

  • Incremented version (cthackers)
  • Fixed outFileName (cthackers)

0.5.0 / 2020-11-19

  • Added extra parameter to extractEntryTo so target filename can be renamed (cthackers)

... (truncated)

Commits
  • 2b4d840 updated minimum node engine version to >= 14
  • dc57f0f Hardened entry-name lookup, fixed test(), and sped up entry sorting
  • f81806a Made utimes best-effort so it can't abort extraction (#379)
  • ab04324 Fixed extractEntryTo flattening subdirectories (#306)
  • 8a5d9ba Fixed empty name for directory entries (#466)
  • 3e72790 Fixed uncaught crash in writeFileToAsync on write failure (#470, #459, #402)
  • 651ae4c Added typescript types
  • e72021d Fixed infinite recursion on symlink loops in addLocalFolder (#541)
  • 8f3176b Fixed directory permissions on linux
  • 4d2c8f9 Fixed error introduced with zip descriptor checks
  • Additional commits viewable in compare view

Updates marked from 18.0.5 to 18.0.6

Release notes

Sourced from marked's releases.

v18.0.6

18.0.6 (2026-07-09)

Bug Fixes

  • Avoid O(n^2) backtracking in inline link href regex (#4013) (a009808)
  • Fix ordered lists after blockquotes (#4003) (33928d0)
  • keep trailing text on HTML block close line for PI, declarations, and CDATA (#3991) (bbb84c8)
Commits
  • 39bd884 chore(release): 18.0.6 [skip ci]
  • 6bce57d chore(deps-dev): bump @​semantic-release/github from 12.0.8 to 12.0.9 (#4009)
  • 63a4bba chore(deps-dev): bump markdown-it from 14.2.0 to 14.3.0 (#4010)
  • a009808 fix: Avoid O(n^2) backtracking in inline link href regex (#4013)
  • 33928d0 fix: Fix ordered lists after blockquotes (#4003)
  • bbb84c8 fix: keep trailing text on HTML block close line for PI, declarations, and CD...
  • d2af54e chore(deps-dev): bump eslint from 10.5.0 to 10.6.0 (#4005)
  • f403898 chore(deps-dev): bump @​arethetypeswrong/cli from 0.18.3 to 0.18.4 (#4006)
  • f8f4112 chore(deps): bump actions/checkout from 6 to 7 (#4000)
  • 5ddfd8a chore: Update repository metadata URLs (#3998)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the utilities group with 2 updates: [adm-zip](https://github.com/cthackers/adm-zip) and [marked](https://github.com/markedjs/marked).


Updates `adm-zip` from 0.5.18 to 0.6.0
- [Release notes](https://github.com/cthackers/adm-zip/releases)
- [Changelog](https://github.com/cthackers/adm-zip/blob/master/history.md)
- [Commits](cthackers/adm-zip@v0.5.18...v0.6.0)

Updates `marked` from 18.0.5 to 18.0.6
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](markedjs/marked@v18.0.5...v18.0.6)

---
updated-dependencies:
- dependency-name: adm-zip
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: utilities
- dependency-name: marked
  dependency-version: 18.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: utilities
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, engine. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedmarked@​18.0.5 ⏵ 18.0.61001001009380
Updatedadm-zip@​0.5.18 ⏵ 0.6.010010098 +186100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants