[Snyk] Upgrade adm-zip from 0.4.7 to 0.5.12

[DefenderK]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade adm-zip from 0.4.7 to 0.5.12.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 20 versions ahead of your current version.
• The recommended version was released a month ago, on 2024-03-14.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Directory Traversal SNYK-JS-ADMZIP-1065796	195/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1156, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 8.63, Likelihood: 2.26, Score Version: V5	No Known Exploit
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	195/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 1156, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 8.63, Likelihood: 2.26, Score Version: V5	Mature

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: adm-zip

• 0.5.12 - 2024-03-14
  

  Fixed extraction error

• 0.5.11 - 2024-03-13
  

  Add support for Info-Zip password check spec for ZipCrypto @ lukemalcolm
  Extraction of password protected zip entries @ Santa77
  Fixed unnecessary scanning a local file headers (except in the case of corrupted archives) @ likev

• 0.5.10 - 2022-12-20
  

  Add Unix mode attribute even when archive is created from Windows
  Fixed an issue where addLocalFolderAsync causes stack overflow when a lot of files are filtered
  Support to unzip symlinks
  Fix parameter initialization bug of extractAllToAsync
  Allow for custom stat or permissions value in addLocalFolder
  Various small fixes and tests

• 0.5.9 - 2021-10-07
• 0.5.8 - 2021-10-07
• 0.5.7 - 2021-10-01
• 0.5.6 - 2021-09-12
  No content.
• 0.5.5 - 2021-03-31
  

  v0.5.5

• 0.5.4 - 2021-03-08
  

  v0.5.4

• 0.5.3 - 2021-02-18
  

  npm v0.5.3

• 0.5.2 - 2021-01-27
  

  v0.5.1

• 0.5.1 - 2020-11-27
  

  npm v0.5.1

• 0.5.0 - 2020-11-19
  

  npm v0.5.0

• 0.4.16 - 2020-06-23
• 0.4.14 - 2020-02-06
• 0.4.13 - 2018-11-13
• 0.4.11 - 2018-05-12
• 0.4.10 - 2018-05-12
• 0.4.9 - 2018-04-25
• 0.4.8 - 2018-04-23
• 0.4.7 - 2015-02-09

from adm-zip GitHub release notes

Commit messages

Package name: adm-zip

• bd83f19 Fixed extraction bug
• 4a684a2 Updated package version
• 71a1035 Merge pull request feat: update badge url snyk-labs/nodejs-goof#437 from Autokaka/master
• a366095 Merge pull request [Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#449 from yfdyh000/pr-fixExtra
• d95c063 Merge pull request [Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#451 from likev/patch-1
• a8f7168 Merge pull request build(docker): use a vulnerable docker image snyk-labs/nodejs-goof#457 from Santa77/master
• 54c3817 Merge pull request [Snyk-dev] Fix for 3 vulnerable dependencies snyk-labs/nodejs-goof#472 from 10bitFX/info-zip-password
• 1bfa3bb Additional test for Info-Zip generated ZipCrypto encrypted file. Relates to Issue 471.
• e1cddb3 Add support for Info-Zip password check spec for ZipCrypto. (Uses high byte of header modified time, rather than crc). Updates current tests to handle.
• 10242c3 Merge pull request [Snyk-dev] Fix for 3 vulnerable dependencies snyk-labs/nodejs-goof#469 from kibertoad/chore/ga
• 1ca6ab8 Add GitHub Actions
• 7b6ed9d Extraction of password protected zip entries
• ecfe95b Merge pull request [Snyk] Security upgrade jquery from 2.2.4 to 3.5.0 #1 from likev/patch-2
• a137863 Scanning a local file headers is not necessary
• ee5f98a Update entryHeader.js
• 8533d67 fix extra data lost when write zip
• 220a3d6 fix: throw empty error in extractAllToAsync on operation done
• 9e52c3f Bump up package version
• 22f1f76 Merge pull request [Snyk] Fix for 2 vulnerable dependencies snyk-labs/nodejs-goof#435 from cthackers/dependabot/npm_and_yarn/minimatch-3.1.2
• 690e4a2 Bump minimatch from 3.0.4 to 3.1.2
• 5f60b43 Merge pull request [Snyk] Fix for 2 vulnerable dependencies snyk-labs/nodejs-goof#434 from cthackers/dependabot/npm_and_yarn/nanoid-and-mocha-3.3.3
• c535b0b Bump nanoid and mocha
• 05c25b1 Merge pull request [Snyk] Fix for 2 vulnerable dependencies snyk-labs/nodejs-goof#432 from cthackers/dependabot/npm_and_yarn/ansi-regex-3.0.1
• c6023e7 Merge pull request [Snyk] Fix for 1 vulnerable dependencies snyk-labs/nodejs-goof#400 from xfournet/fix-unix-mode

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs