Upgrade jszip to 3.x to resolve CVE-2021-23413 #656
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Appmetrics currently uses
jszip@2.x
which has a prototype pollution vulnerability:This PR upgrades the
jszip
dependency to^3.7.0
and consequently tweaks theheadless_zip.js
functions to be more async friendly aszip.generate()
has been replaced byzip.generateAsync()
.This fixes #655.
Additionally I had to fix a unit test failure that occurs when running on macOS 11 (caused by
os.name
now returningmacOS
rather thanMac OS X
) to ensure my changes still passed the unit tests.