
Move away from unmaintained fstream #261

Closed
apupier opened this issue Sep 7, 2022 · 7 comments

Comments

@apupier

apupier commented Sep 7, 2022

fstream is no longer maintained:

There is a critical CVE in the chain of dependency to minimist:

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

Maybe not affected, but even in this case it gives a false positive when using npm audit, which is not convenient.

@apupier
Author

apupier commented Sep 7, 2022

  └─┬ unzipper@0.10.11
    └─┬ fstream@1.0.12
      └─┬ mkdirp@0.5.5
        └── minimist@1.2.5

apupier added a commit to apupier/vscode-test that referenced this issue Oct 26, 2022
unzipper seems unmaintained for quite some time now, last publish was 2
years ago https://www.npmjs.com/package/unzipper
https://github.com/ZJONSSON/node-unzipper
It has a dependency on an archived and unmaintained fstream
ZJONSSON/node-unzipper#261 which leads to a CVE reported by npm audit

fixes microsoft#166
@mendahu

mendahu commented Feb 14, 2024

fstream has a new vulnerability in its dependencies, through rimraf > glob > inflight (which is not maintained):

https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

Would love for this to be updated!

@dy-dx

dy-dx commented Mar 8, 2024

Also note that fstream can write file contents out-of-order, because of a node.js bug in v18.16+.

This is the source of these corrupted file issues:

The bug will be fixed in future releases of node.js. But for now, everyone really needs to stop using fstream.

Edit:
This issue has been fixed in the following node.js versions:

@AyushAher

@ZJONSSON Please update the fstream package issue and create a new release. As exceljs, a package which depends on node-unzipper, shows a vulnerability, the package cannot be used in places where vulnerabilities are considered a big risk.

@ZJONSSON
Owner

ZJONSSON commented Jun 6, 2024

I don't believe exceljs uses any of the fstream functionality, so there is not a real vulnerability here.
However, I do agree we should move away from fstream, but I am going to need some help. Which package provides the same functionality of "safely" recursively creating directories when they don't exist, etc.? Do you mind supplying a PR, @AyushAher?

AyushAher pushed a commit to AyushAher/node-unzipper that referenced this issue Jun 7, 2024
… longer supported and its dependencies contains vulnerability
AyushAher pushed a commit to AyushAher/node-unzipper that referenced this issue Jun 7, 2024
@AyushAher

@ZJONSSON Created a PR, please check. I couldn't ensure that all test cases pass, as I don't have enough experience with unit test cases in JavaScript and Node.

ZJONSSON added a commit that referenced this issue Jun 8, 2024
#261 move away from unmaintained fstream (Ayush refactor)
@ZJONSSON
Owner

ZJONSSON commented Jun 8, 2024

Closed with #318
published as unzipper@0.12.1
