Skip to content

chore(deps-dev): bump adm-zip from 0.5.12 to 0.6.0#9422

Merged
ccastrotrejo merged 1 commit into
mainfrom
dependabot/npm_and_yarn/adm-zip-0.6.0
Jul 17, 2026
Merged

chore(deps-dev): bump adm-zip from 0.5.12 to 0.6.0#9422
ccastrotrejo merged 1 commit into
mainfrom
dependabot/npm_and_yarn/adm-zip-0.6.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps adm-zip from 0.5.12 to 0.6.0.

Release notes

Sourced from adm-zip's releases.

v0.6.0

Full Changelog: cthackers/adm-zip@v0.5.18...v0.6.0

This release fixes a security vulnerability (CVE-2026-39244), resolves several long-standing bugs, ships built-in TypeScript types, and includes two behavior changes worth reading before you upgrade.

  • extractEntryTo(dirEntry, target, maintainEntryPath = false) now preserves subdirectories instead of flattening files into the target folder by basename (which also silently overwrote same-named files). (#306)
  • Extraction no longer fails when the modification time can't be set — utimes is now best-effort. (#379)
  • Minimum Node.js is now 14 (the code already required it; engines was incorrectly >=12).
  • CVE-2026-39244 — a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc and OOM the process; allocation is now bounded by the data actually present. Reported by Daniel Púa (devploit), Anh Hong, and José Antonio Zamudio Amaya. (#568)
  • Hardened entry-name lookup against object injection (proto names). Prototype-less table.
  • Data-descriptor regression rejecting valid archives (#548, #533, #554)
  • Directory permissions not restored on extract (#530)
  • Infinite recursion on symlink loops in addLocalFolder (#541)
  • Uncaught process crash in writeFileToAsync on write failure (#470, #459, #402)
  • Empty name on directory entries (#466)
  • test() always returned false for archives with files
  • ~6× faster entry sorting for large archives
  • Built-in TypeScript definitions (types.d.ts) — you can drop @​types/adm-zip

v0.5.18

What's Changed

New Contributors

Full Changelog: cthackers/adm-zip@v0.5.17...v0.5.18

v0.5.17

What's Changed

New Contributors

Full Changelog: cthackers/adm-zip@v0.5.16...v0.5.17

v0.5.16

... (truncated)

Changelog

Sourced from adm-zip's changelog.

0.6.0 / 2026-07-10

Security

  • Fixed CVE-2026-39244: a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc (memory exhaustion / DoS) before any validation. Allocation is now bounded by the data actually present — STORED output is sized from the real bytes, DEFLATED output is grown by the inflater and capped at the declared size (#568)
  • Hardened the internal entry-name lookup table against object injection: entry names come from untrusted archives, and a name such as __proto__ previously resolved to Object.prototype, crashing addFile and hiding the entry from getEntry/readFile. The table is now prototype-less

Bug fixes

  • Fixed a regression (0.5.15) that rejected valid archives using a data descriptor (general-purpose bit 3). The payload is now validated against the authoritative central-directory CRC instead of requiring/parsing the trailing descriptor (#548, #533, #554)
  • Fixed extractAllTo/extractAllToAsync not restoring directory permissions with keepOriginalPermission; directory modes are applied after their contents are written, deepest path first, and no longer lock the extractor out of a restrictive directory (#530)
  • Fixed infinite recursion in addLocalFolder when a folder contains a symlink pointing back to an ancestor (e.g. workspace node_modules); the walk now tracks resolved real paths and skips already-visited directories (#541)
  • Fixed an uncaught exception (ERR_INVALID_ARG_TYPE) that crashed the process when writeFileToAsync could not open the target file (bad permissions, invalid filename, exhausted file descriptors); write failures are now reported through the callback and write errors are no longer silently swallowed (#470, #459, #402)
  • Fixed directory entries reporting an empty name (e.g. a/b/c/ now returns c) (#466)
  • Fixed extractEntryTo flattening subdirectories when maintainEntryPath is false; the structure below the extracted directory is now preserved instead of collapsing (and overwriting) files by basename (#306)
  • Fixed a failed utimes aborting extraction; setting the modification time is now best-effort and never fails extraction of already-written content (#379)
  • Fixed test() always returning false for any archive containing a file (it indexed the entries array with an entry object instead of reading the entry); it now correctly verifies each entry's CRC

Performance

  • Faster entry sorting when writing archives with many entries: names are decoded once instead of on every comparison (about 6× faster sort for large archives)

Added

  • Bundled TypeScript type definitions (types.d.ts), so @types/adm-zip is no longer required

Notes

  • Behavior change: extractEntryTo(dir, target, /* maintainEntryPath */ false) now preserves subdirectories beneath the extracted directory rather than flattening them
  • Behavior change: extraction no longer fails when the modification time cannot be set

0.5.4 / 2021-03-08

  • Fixed relative paths
  • Added zipcrypto encryption
  • Lower verMade for macOS when generating zip file

0.5.3 / 2021-02-07

  • Fixed filemode when unzipping

0.5.2 / 2021-01-27

  • Fixed path traversal issue (GHSL-2020-198)

0.5.1 / 2020-11-27

  • Incremented version (cthackers)
  • Fixed outFileName (cthackers)

0.5.0 / 2020-11-19

  • Added extra parameter to extractEntryTo so target filename can be renamed (cthackers)

... (truncated)

Commits
  • 2b4d840 updated minimum node engine version to >= 14
  • dc57f0f Hardened entry-name lookup, fixed test(), and sped up entry sorting
  • f81806a Made utimes best-effort so it can't abort extraction (#379)
  • ab04324 Fixed extractEntryTo flattening subdirectories (#306)
  • 8a5d9ba Fixed empty name for directory entries (#466)
  • 3e72790 Fixed uncaught crash in writeFileToAsync on write failure (#470, #459, #402)
  • 651ae4c Added typescript types
  • e72021d Fixed infinite recursion on symlink loops in addLocalFolder (#541)
  • 8f3176b Fixed directory permissions on linux
  • 4d2c8f9 Fixed error introduced with zip descriptor checks
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [adm-zip](https://github.com/cthackers/adm-zip) from 0.5.12 to 0.6.0.
- [Release notes](https://github.com/cthackers/adm-zip/releases)
- [Changelog](https://github.com/cthackers/adm-zip/blob/master/history.md)
- [Commits](cthackers/adm-zip@v0.5.12...v0.6.0)

---
updated-dependencies:
- dependency-name: adm-zip
  dependency-version: 0.6.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 17, 2026
Copilot AI review requested due to automatic review settings July 17, 2026 21:54
@dependabot dependabot Bot added javascript Pull requests that update javascript code dependencies Pull requests that update a dependency file labels Jul 17, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot could not run the full agentic suite for this review because it was automatically requested on a bot-authored pull request. Request a review from Copilot under Reviewers to retry with the full agentic suite. Improved support for bot-authored pull requests is coming soon.

Updates the adm-zip dependency version for the VS Code designer app.

Changes:

  • Bumps adm-zip from ^0.5.10 to ^0.6.0
Files not reviewed (1)
  • pnpm-lock.yaml: Generated file

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps-dev): bump adm-zip from 0.5.12 to 0.6.0
  • Issue: None — this is an automated Dependabot PR (author dependabot[bot]), which is auto-passed per policy. The title also correctly uses the chore prefix and is descriptive.
  • Recommendation: No action needed.

Commit Type

  • Automated dependency bump; template checks are waived for bot-authored PRs.
  • This is a dev-dependency version bump (adm-zip 0.5.12 → 0.6.0) in apps/vs-code-designer.

Risk Level

  • Bot PR — auto-passed. For context, the advised estimate is medium (extension-distribution dependency in apps/vs-code-designer, and the bump includes a CVE-2026-39244 fix plus two behavior changes to adm-zip). No enforcement applied due to bot auto-pass.

What & Why

  • Current: Dependabot-generated body with release notes, changelog, and commit list.
  • Issue: None — waived for automated PRs.
  • Recommendation: No action needed.

Impact of Change

  • Waived for automated PRs.
  • Recommendation:
    • Users: No direct user-facing change; picks up the adm-zip security fix.
    • Developers: Dev dependency only; note the extractEntryTo/utimes behavior changes if used.
    • System: Minimum Node bumped to 14 for this package.

Test Plan

  • No test plan required — dependency lockfile/manifest bump with no product code changes.

Contributors

  • Not applicable for automated Dependabot PRs.

Screenshots/Videos

  • Not applicable — no UI changes in the diff.

Summary Table

Section Status Recommendation
Title None (bot auto-pass)
Commit Type None (bot auto-pass)
Risk Level None (advisory: medium)
What & Why None (bot auto-pass)
Impact of Change None (bot auto-pass)
Test Plan None required
Contributors N/A
Screenshots/Videos N/A

✅ This PR is auto-approved: the author is dependabot[bot], so template compliance rules are waived.


Powered by: Copilot CLI (claude-opus-4.8) | Last updated: Fri, 17 Jul 2026 21:54:51 GMT

@github-actions

Copy link
Copy Markdown
Contributor

📊 Coverage Check

No source files changed in this PR.

@ccastrotrejo
ccastrotrejo merged commit 4780f85 into main Jul 17, 2026
52 checks passed
@ccastrotrejo
ccastrotrejo deleted the dependabot/npm_and_yarn/adm-zip-0.6.0 branch July 17, 2026 22:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code pr-validated

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants