Extract-zip is a Node.js library designed for unzipping zip files directly into a specified directory, boasting a pure JavaScript implementation. Version 1.4.0 and 1.3.0 share a common goal: providing a reliable and dependency-light solution for zip extraction. Key similarities include their shared dependencies like "concat-stream," "debug," and "mkdirp," crucial for stream processing, debugging, and directory creation respectively. They also utilize the "yauzl" library for zip file parsing. Both versions are licensed under the permissive BSD-2-Clause license, making them suitable for a wide range of projects.
However, some notable differences exist. In version 1.4.0 the "yauzl" dependency is updated to version 2.4.1 while in version 1.3.0 it uses an older version 2.3.1. The "async" dependency present in version 1.3.0 is removed completely from version 1.4.0, suggesting a possible refactoring to eliminate the need for asynchronous control flow from the async library. Both versions are developed by max ogden and tested using the "standard" code style and "tape" testing framework, ensuring code quality and maintainability. The update of the "yauzl"dependency might have important security implications if the previous version had known vulnerabilities. Developers should strongly consider using the newest version.
All the vulnerabilities related to the version 1.4.0 of the package
Memory Exposure in concat-stream
Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if userp provided input is passed into write()
Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.
Update to version 1.5.2, 1.4.11, 1.3.2 or later.
If you are unable to update make sure user provided input into the write() function is not a number.
debug Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
