Skip to content

chore(deps): bump adm-zip from 0.5.18 to 0.6.0#55

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/adm-zip-0.6.0
Open

chore(deps): bump adm-zip from 0.5.18 to 0.6.0#55
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/adm-zip-0.6.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps adm-zip from 0.5.18 to 0.6.0.

Release notes

Sourced from adm-zip's releases.

v0.6.0

Full Changelog: cthackers/adm-zip@v0.5.18...v0.6.0

This release fixes a security vulnerability (CVE-2026-39244), resolves several long-standing bugs, ships built-in TypeScript types, and includes two behavior changes worth reading before you upgrade.

  • extractEntryTo(dirEntry, target, maintainEntryPath = false) now preserves subdirectories instead of flattening files into the target folder by basename (which also silently overwrote same-named files). (#306)
  • Extraction no longer fails when the modification time can't be set — utimes is now best-effort. (#379)
  • Minimum Node.js is now 14 (the code already required it; engines was incorrectly >=12).
  • CVE-2026-39244 — a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc and OOM the process; allocation is now bounded by the data actually present. Reported by Daniel Púa (devploit), Anh Hong, and José Antonio Zamudio Amaya. (#568)
  • Hardened entry-name lookup against object injection (proto names). Prototype-less table.
  • Data-descriptor regression rejecting valid archives (#548, #533, #554)
  • Directory permissions not restored on extract (#530)
  • Infinite recursion on symlink loops in addLocalFolder (#541)
  • Uncaught process crash in writeFileToAsync on write failure (#470, #459, #402)
  • Empty name on directory entries (#466)
  • test() always returned false for archives with files
  • ~6× faster entry sorting for large archives
  • Built-in TypeScript definitions (types.d.ts) — you can drop @​types/adm-zip
Changelog

Sourced from adm-zip's changelog.

0.6.0 / 2026-07-10

Security

  • Fixed CVE-2026-39244: a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc (memory exhaustion / DoS) before any validation. Allocation is now bounded by the data actually present — STORED output is sized from the real bytes, DEFLATED output is grown by the inflater and capped at the declared size (#568)
  • Hardened the internal entry-name lookup table against object injection: entry names come from untrusted archives, and a name such as __proto__ previously resolved to Object.prototype, crashing addFile and hiding the entry from getEntry/readFile. The table is now prototype-less

Bug fixes

  • Fixed a regression (0.5.15) that rejected valid archives using a data descriptor (general-purpose bit 3). The payload is now validated against the authoritative central-directory CRC instead of requiring/parsing the trailing descriptor (#548, #533, #554)
  • Fixed extractAllTo/extractAllToAsync not restoring directory permissions with keepOriginalPermission; directory modes are applied after their contents are written, deepest path first, and no longer lock the extractor out of a restrictive directory (#530)
  • Fixed infinite recursion in addLocalFolder when a folder contains a symlink pointing back to an ancestor (e.g. workspace node_modules); the walk now tracks resolved real paths and skips already-visited directories (#541)
  • Fixed an uncaught exception (ERR_INVALID_ARG_TYPE) that crashed the process when writeFileToAsync could not open the target file (bad permissions, invalid filename, exhausted file descriptors); write failures are now reported through the callback and write errors are no longer silently swallowed (#470, #459, #402)
  • Fixed directory entries reporting an empty name (e.g. a/b/c/ now returns c) (#466)
  • Fixed extractEntryTo flattening subdirectories when maintainEntryPath is false; the structure below the extracted directory is now preserved instead of collapsing (and overwriting) files by basename (#306)
  • Fixed a failed utimes aborting extraction; setting the modification time is now best-effort and never fails extraction of already-written content (#379)
  • Fixed test() always returning false for any archive containing a file (it indexed the entries array with an entry object instead of reading the entry); it now correctly verifies each entry's CRC

Performance

  • Faster entry sorting when writing archives with many entries: names are decoded once instead of on every comparison (about 6× faster sort for large archives)

Added

  • Bundled TypeScript type definitions (types.d.ts), so @types/adm-zip is no longer required

Notes

  • Behavior change: extractEntryTo(dir, target, /* maintainEntryPath */ false) now preserves subdirectories beneath the extracted directory rather than flattening them
  • Behavior change: extraction no longer fails when the modification time cannot be set

0.5.4 / 2021-03-08

  • Fixed relative paths
  • Added zipcrypto encryption
  • Lower verMade for macOS when generating zip file

0.5.3 / 2021-02-07

  • Fixed filemode when unzipping

0.5.2 / 2021-01-27

  • Fixed path traversal issue (GHSL-2020-198)

0.5.1 / 2020-11-27

  • Incremented version (cthackers)
  • Fixed outFileName (cthackers)

0.5.0 / 2020-11-19

  • Added extra parameter to extractEntryTo so target filename can be renamed (cthackers)

... (truncated)

Commits
  • 2b4d840 updated minimum node engine version to >= 14
  • dc57f0f Hardened entry-name lookup, fixed test(), and sped up entry sorting
  • f81806a Made utimes best-effort so it can't abort extraction (#379)
  • ab04324 Fixed extractEntryTo flattening subdirectories (#306)
  • 8a5d9ba Fixed empty name for directory entries (#466)
  • 3e72790 Fixed uncaught crash in writeFileToAsync on write failure (#470, #459, #402)
  • 651ae4c Added typescript types
  • e72021d Fixed infinite recursion on symlink loops in addLocalFolder (#541)
  • 8f3176b Fixed directory permissions on linux
  • 4d2c8f9 Fixed error introduced with zip descriptor checks
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [adm-zip](https://github.com/cthackers/adm-zip) from 0.5.18 to 0.6.0.
- [Release notes](https://github.com/cthackers/adm-zip/releases)
- [Changelog](https://github.com/cthackers/adm-zip/blob/master/history.md)
- [Commits](cthackers/adm-zip@v0.5.18...v0.6.0)

---
updated-dependencies:
- dependency-name: adm-zip
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants