Vulnerable to Infinite Loop via malformed MKV file through `file-type` package
The following report is provided by NPM audit when using the latest version of the decompress package (v4.2.1):

```text
file-type  <16.5.4
Severity: moderate
file-type vulnerable to Infinite Loop via malformed MKV file - https://github.com/advisories/GHSA-mhxj-85r3-2x55
node_modules/decompress-tar/node_modules/file-type
node_modules/decompress-tarbz2/node_modules/file-type
node_modules/decompress-targz/node_modules/file-type
node_modules/decompress-unzip/node_modules/file-type
  decompress-tar  >=4.0.0
  Depends on vulnerable versions of file-type
  node_modules/decompress-tar
  decompress-tarbz2  >=4.0.0
  Depends on vulnerable versions of file-type
  node_modules/decompress-tarbz2
  decompress  >=4.0.0
  Depends on vulnerable versions of decompress-tarbz2
  node_modules/decompress
  decompress-targz  >=4.0.0
  Depends on vulnerable versions of file-type
  node_modules/decompress-targz
  decompress-unzip  >=4.0.1
  Depends on vulnerable versions of file-type
  node_modules/decompress-unzip
```
More description about the problem is provided here: https://github.com/advisories/GHSA-mhxj-85r3-2x55
The fix was implemented in file-type v16.5.4, so probably file-type should just be bumped in the sub-packages: decompress-tar, decompress-tarbz2, decompress-targz, decompress-unzip.
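One way for a consuming project to force the patched file-type into all four nested copies while the sub-packages remain unbumped, as an added example that is not part of this thread: an npm `overrides` entry in the project's own package.json (requires npm 8.3 or newer; the name, version and dependency range shown are placeholders).

```json
{
  "name": "example-app",
  "version": "0.0.0-placeholder",
  "dependencies": {
    "decompress": "^4.2.1"
  },
  "overrides": {
    "file-type": "^16.5.4"
  }
}
```

Because the override replaces whatever file-type range each sub-package declares, confirm with `npm ls file-type` that every path the audit listed now resolves to 16.5.4 or later, and run the project's own archive-extraction tests afterwards in case the forced version is a different major than the sub-packages were written against.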
@sindresorhus any chance you could give some security love to this package? <3
@sindresorhus @kevva : When can we expect the file-type vulnerability fix?
https://github.com/advisories/GHSA-mhxj-85r3-2x55.
https://nvd.nist.gov/vuln/detail/CVE-2022-36313
[email protected] └─┬ [email protected] └─┬ [email protected] └── [email protected]
@qooban @alfaproject : How do you resolve this issue?
@UdayKumarNettem I don't have a solution for that. I provided my findings in the issue description.