From d7d67841b8062f2e7692c364e6f022ba8dea8714 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 11 Mar 2026 13:58:31 +0800
Subject: [PATCH] chore: bump up file-type version to v21.3.1 [SECURITY] (#14625)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [file-type](https://redirect.github.com/sindresorhus/file-type) | [`21.3.0` → `21.3.1`](https://renovatebot.com/diffs/npm/file-type/21.3.0/21.3.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/file-type/21.3.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/file-type/21.3.0/21.3.1?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-31808](https://redirect.github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473)

### Impact

A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a `size` field of zero, the parser enters an infinite loop. The `payload` value becomes negative (-24), causing `tokenizer.ignore(payload)` to move the read position backwards, so the same sub-header is read repeatedly forever.

Any application that uses `file-type` to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.

### Patches

Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

### Workarounds

Validate or limit the size of input buffers before passing them to `file-type`, or run file type detection in a worker thread with a timeout.

### References

- Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

### Reporter

crnkovic@lokvica.com

---

### Release Notes
sindresorhus/file-type (file-type)

### [`v21.3.1`](https://redirect.github.com/sindresorhus/file-type/releases/tag/v21.3.1)

[Compare Source](https://redirect.github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1)

- Fix infinite loop in ASF parser on malformed input [`319abf8`](https://redirect.github.com/sindresorhus/file-type/commit/319abf8)

***
---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 yarn.lock | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/yarn.lock b/yarn.lock index 9c4b6399b0..4b8c906d98 100644 --- a/yarn.lock +++ b/yarn.lock @@ -23582,7 +23582,7 @@ __metadata: languageName: node linkType: hard -"file-type@npm:21.3.0, file-type@npm:^21.0.0": +"file-type@npm:21.3.0": version: 21.3.0 resolution: "file-type@npm:21.3.0" dependencies: @@ -23594,6 +23594,18 @@ __metadata: languageName: node linkType: hard +"file-type@npm:^21.0.0": + version: 21.3.1 + resolution: "file-type@npm:21.3.1" + dependencies: + "@tokenizer/inflate": "npm:^0.4.1" + strtok3: "npm:^10.3.4" + token-types: "npm:^6.1.1" + uint8array-extras: "npm:^1.4.0" + checksum: 10/0f99d4fa85184ea635cdccdfa677c7838bff790cdffde7fa9ec9f52e94fa8c0e7b6c2eeeb3f6a3d6dcc0a036192c13a8ec7008bdcef374e745ae0d64a162ad33 + languageName: node + linkType: hard + "file-uri-to-path@npm:1.0.0": version: 1.0.0 resolution: "file-uri-to-path@npm:1.0.0"
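Review bot: the first hunk (`@@ -23582,7 +23582,7 @@`) leaves a vulnerable copy installed: the shared descriptor is split and `+"file-type@npm:21.3.0":` still resolves to `version: 21.3.0`, which means some package.json in the workspace pins that exact version and its consumer does not receive the patched ASF parser. The advisory quoted above says to upgrade to >= 21.3.1, so raise the exact `21.3.0` pin in the requesting package.json too; once that is done the 21.3.0 entry should disappear from yarn.lock entirely, and the change should not be merged as a lockfile-only update that fixes only the `^21.0.0` consumers.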
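Review bot: the second hunk (`@@ -23594,6 +23594,18 @@`) adds a correct standalone `"file-type@npm:^21.0.0"` entry for 21.3.1, but together with the surviving 21.3.0 entry the repository now carries two copies of file-type. After the exact pin is raised, run `yarn dedupe file-type` so both descriptors collapse into a single 21.3.1 resolution, and let `yarn install --immutable` regenerate and verify the `checksum:` line rather than trusting the committed value.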