fix: Remove dependency on obsolete archive-type #186

Draft
wants to merge 1 commit into
base: main

pgrzesik
Contributor

Closes: #185

pgrzesik self-assigned this Jul 26, 2022

codecov bot commented Jul 26, 2022

Codecov Report

Merging #186 (9ca5bcd) into main (6b871e5) will increase coverage by 0.04%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #186      +/-   ##
==========================================
+ Coverage   89.32%   89.37%   +0.04%     
==========================================
  Files          27       27              
  Lines         731      734       +3     
==========================================
+ Hits          653      656       +3     
  Misses         78       78              
Impacted Files Coverage Δ
download.js 84.74% <100.00%> (+0.81%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

pgrzesik requested a review from medikoo July 26, 2022 12:49
@@ -18,7 +18,6 @@ const fsp = require('fs').promises;
const path = require('path');
const { URL } = require('url');
const contentDisposition = require('content-disposition');
const archiveType = require('archive-type');
const decompress = require('decompress');
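Review bot: the `require('decompress')` line that stays at the end of this hunk is flagged in the inline comment as suffering from the same issue, so dropping `require('archive-type')` alone will not clear the `file-type` finding tracked in #185. Either replace `decompress` in the same change or say in the PR description that this only removes one of the two paths, and make sure every former use of the `archiveType` binding in `download.js` has a tested replacement.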

This also suffers from the same issue. See the log from my report.

Contributor Author

I've just noticed that. Replacing this is going to be a bit of a bigger problem, thanks for pointing that out.

Yup, fair enough. I think you can do another PR for that one when you find an alternative or fork.

pgrzesik marked this pull request as draft July 26, 2022 12:55
@Hunter343

Has there been any progress on this issue?

@medikoo
Contributor

medikoo commented May 9, 2023

@pgrzesik sorry, I know it's been a while, but do you remember why it was marked as draft and not pushed forward after all?

@mhassan1

The problem is that both archive-type and decompress need to be replaced in order to resolve the file-type vulnerability. Currently, this PR only addresses archive-type, and replacing decompress is probably much harder.
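
The point made in the comment above can be checked mechanically by listing every dependency path that still reaches `file-type`. The following is an added example, not code from this PR or the project: the graph is constructed and simplified, the `decompress-plugin-a` and `decompress-plugin-b` names are hypothetical, and a real check would build the graph from the project's lockfile.

```javascript
'use strict';

// Constructed, simplified dependency graph: package -> direct dependencies.
// The edges are assumptions for illustration, not the project's real lockfile;
// the two decompress-plugin-* names are hypothetical.
const constructedGraph = {
  root: ['archive-type', 'decompress', 'content-disposition'],
  'archive-type': ['file-type'],
  decompress: ['decompress-plugin-a', 'decompress-plugin-b'],
  'decompress-plugin-a': ['file-type'],
  'decompress-plugin-b': ['file-type'],
  'content-disposition': [],
  'file-type': [],
};

// Return every dependency path from `root` to `target` (depth-first).
// The trail check guards against cycles, which real graphs can contain.
function findPaths(graph, root, target) {
  const paths = [];
  const walk = (name, trail) => {
    if (trail.includes(name)) return;
    const next = [...trail, name];
    if (name === target) {
      paths.push(next);
      return;
    }
    for (const dep of graph[name] || []) walk(dep, next);
  };
  walk(root, []);
  return paths;
}

// Direct dependencies of `root` through which `target` is still reachable.
function directCulprits(graph, root, target) {
  const firstHops = findPaths(graph, root, target).map((p) => p[1]);
  return [...new Set(firstHops)].sort();
}

// Copy of the graph with one direct dependency of `root` dropped, modelling
// a change that removes a single require() and its package.json entry.
function withoutDirectDep(graph, root, dep) {
  return { ...graph, [root]: graph[root].filter((d) => d !== dep) };
}

const before = directCulprits(constructedGraph, 'root', 'file-type');
const patched = withoutDirectDep(constructedGraph, 'root', 'archive-type');
const after = directCulprits(patched, 'root', 'file-type');
console.log({ before, after });
```

An empty `after` list is the condition under which the advisory would actually be resolved; in this constructed graph `decompress` remains.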

Development

Successfully merging this pull request may close these issues.

Security vulnerability from file-type inner dependency
5 participants