fix(deps): update dependency file-type to v21 [security]#79

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/npm-file-type-vulnerability

Contributor

renovate bot commented Mar 11, 2026

This PR contains the following updates:

Package	Change	Age	Confidence
file-type	`^16.5.4` → `^21.0.0`

GitHub Vulnerability Alerts

CVE-2026-31808

Impact

A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever.

Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.

Patches

Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

Workarounds

Validate or limit the size of input buffers before passing them to file-type, or run file type detection in a worker thread with a timeout.

References

Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

Reporter

crnkovic@lokvica.com

Release Notes

sindresorhus/file-type (file-type)

`v21.3.1`

Fix infinite loop in ASF parser on malformed input 319abf8

`v21.3.0`

Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#779) d223491

`v21.2.0`

Add support for SPSS data files (#787) 889f638
Add support for JMP (#784) 093dba0

`v21.1.1`

Fix handling of partial Gunzip file (#783) 710e053

`v21.1.0`

Add support for .tar.gz (gunzipped tarball file) (#763) eda03a7
Add support for Windows registry (.reg) files 0db61ec 7d2ddcf
Add support for Windows registry hive file (.dat) (#767) f8d62be
Fix: Handle partial unzip (#773) 7ad3a90

`v21.0.0`

Breaking

Require Node.js 20 24aec1f
Drop Adobe Illustrator (.ai) detection support (#743) af169f3
Correct Matroska (video) MIME-type to formal IANA registration (#753) f53f5ff
Correct FLAC MIME-type to formal IANA registration (#755) b9fda36
Correct Apache Parquet MIME-type to formal IANA registration (#748) 98e3f8e
Correct Apache Arrow MIME-type to formal IANA registration (#754) 7184775

Improvements

Allow options to be directly passed to exported functions (#752) d264029
Add mpegOffsetTolerance option (#646) c40840a

Fixes

Fix detection of some PAX TAR formats (#762) 574d0d6

`v20.5.0`

Add support Office PowerPoint 2007 (macro-enabled) slide show (#747) f1b4c7a

`v20.4.1`

Add workaround for using bundler as the module-resolution in TypeScript (#744) 90bfe33

`v20.4.0`

Add support for OpenType Font Collection (TTC) (#737) 3e576a6

`v20.3.0`

Add node subpath export (#741) 8d39f66
Allow require to load file-type as ES Module (#736) 8d39f66

`v20.2.0`

Add support for RealMedia (#740) d05d49d

`v20.1.0`

Improve WebP detection (#733) ef486f1

`v20.0.1`

Fix detecting small PDF file (#728) f34e9f7

`v20.0.0`

Breaking

Drop MIME-type and extension enumeration in types (#693) 0ff11c6
Remove NodeFileTypeParser in favor of using FileTypeParser on all platforms (#707) ff8eed8

Improvements

Give API access to FileTypeParser#detectors (#704) 7e72bbc
Improve Nikon RAW NEF (Tiff) format detection (#670) cf6fc1e
Add support for Java archive (.jar) (#719) 8651809
Add support for MSOffice macro-enabled docs and templates (#720) 7fe5667
Add support for OpenDocument graphics and templates (#718) 4db407d
Add support for Microsoft Excel template with macros (.xltm) (#714) 1fe621a
Add support for Microsoft Word template (.dotx) (#713) 643ef78
Add support for Microsoft Excel template (.xltx) (#712) 0dab3e0
Add support for Microsoft PowerPoint template ( .potx) (#710) f978619
Add support for ZIP decompression using @tokenizer/inflate (#695) 399b0f1
Add support for .lz4 file format (#706) 74acf94
Add support for format .drc, Google's Draco 3D Data Compression (#702) e99257d

Fixes

Fix code sequence "File Type Box" detection (#705) 7d4dd8d

`v19.6.0`

Add ability to abort async operations (#667) 5ce98f3
Add support for APK (#679) 7b10012
Fix Opus MIME-type (#682) 4dcb8c5
Fix: Ensure web-stream is released after detection (#680) 9945877

`v19.5.0`

Add support for WebVTT (#658) 21ed763

`v19.4.1`

Fix passing options to fileTypeStream in default entry point (#653) ea314a4

`v19.4.0`

Add support for web streams for fileTypeStream() (#649) 2000141
Fix options in combination with fileTypeStream() (#650) bd3b5a4

`v19.3.0`

Add support for Microsoft Visio files (#647) 2744be7

`v19.2.0`

Add NodeFileTypeParser#fromFile() (#644) 9d2ee02
Update dependencies (#645) 6440b3d

`v19.1.1`

Fix Node.js entry point export fileTypeFromTokenizer (#639) 20fdba7

`v19.1.0`

Replace Buffer usage with Uint8Array (#633) 00e051b
Add support for reading from a web stream (#635) b815b5e

Release notes

Please note that fileTypeFromBlob(blob) is streaming the Blob instead of buffering, which require at least Node.js ≥ 20.

`v19.0.0`

Breaking

Require Node.js 18 7f4b30b
Use mime type audio/wav instead of audio/vnd.wave for .wav files (#620) c7c923c

`v18.7.0`

Add support for FBX (Filmbox) (#605) 4b7eb75
Support adding custom detectors (#603) f5b232c

`v18.6.0`

Add support for Mach-O (#615) ec4980b

`v18.5.0`

Add support for ICC (#601) 0ccebb1

`v18.4.0`

Add support for Avro (#597) 34ab7d4

`v18.3.0`

Support reading from Blob in Node.js (#588) 1c75cfb
Add support for J2C (#596) 51bd34c
Add support for ACE (#592) 1899fc1
Add support for cpio (#590) f84e96c
Add support for ARJ (#589) 935470e
Add support for Java class (#591) a40f828

`v18.2.1`

Fix handling of tiny PDFs (#580) edf59f8

`v18.2.0`

Add support for Apache Parquet (#576) 1ec164b

`v18.1.0`

Improvements

Add support for AutoDesk DWG format (#572) 47aa221
Add support for Personal Storage Table (PST) file (.pst) (#573) ec3ba33
Add support for JPEG-LS (.jls) (#568) 976ed4b

Fixes

Fix parsing big-endian encoded TIFF file (#571) e8bc341

`v18.0.0`

Breaking

Require Node.js 14 6d457c5

`v17.1.6`

Fix an import path (#553) e843d73

`v17.1.5`

Fix PDF detection in some cases a0c24eb

`v17.1.4`

Fix a problem with a dependency (#549) 20a90ab

`v17.1.3`

Fix: Malformed MKV could cause an infinite loop 2c4d120
- CVE-2022-36313
- Also backported to 16.5.4

`v17.1.2`

Improve decoding of mime-type in ZIP file (#546) 1b10a71

`v17.1.1`

Update dependencies (#519) 1a553e7

`v17.1.0`

Add support for ELF (Unix Executable and Linkable Format) (#514) c4983ea
Add avif-sequence file for animation (#512) 752afb3

`v17.0.2`

Prevent "Concurrent read operation" error to be thrown in some cases while reading from a stream (#510) 565f7f3

`v17.0.1`

Update strtok3 & token-types dependencies for explicit node:buffer imports (#507) b27fb5f

`v17.0.0`

Breaking

Require Node.js 12.20 (#472) 826b4ad
This package is now pure ESM. Please read this.
Remove the /browser sub-export 287e361
- Browser support is now included by default.
Moved from a default export to named exports:
require('file-type').fromBuffer → import {fileTypeFromBuffer} from 'file-type'
require('file-type').fromFile → import {fileTypeFromFile} from 'file-type'
require('file-type').fromStream → import {fileTypeFromStream} from 'file-type'
require('file-type').fromTokenizer → import {fileTypeFromTokenizer} from 'file-type'
require('file-type').stream → import {fileTypeStream} from 'file-type'
require('file-type').extensions → import {supportedExtensions} from 'file-type'
require('file-type').mimeTypes → import {supportedMimeTypes} from 'file-type'

Improvements

Improve WebM detection (#486) b23be62
Improve parsing TIFF files (#482) 82c9ccb
Detect both raw and BDAV versions of MPEG-2 Transport Streams (#497) 4ce6838
Detect XML UTF-16-BE & UTF-16-LE via pattern matching (#490) a2cf2b3
Support XML encoding with UTF-8 including BOM field (#491) 8bca6b4

Fixes

Prevent End-Of-Stream error in stream() (#468) 67c8fcb

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update dependency file-type to v21 [security]

3b79f8a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet