Bump the npm_and_yarn group across 3 directories with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /icons directory: grunt.
Bumps the npm_and_yarn group with 6 updates in the /shell directory:

Package	From	To
bignum	0.12.5	0.13.1
mailparser	0.6.2	3.9.3
node-forge	0.6.49	1.4.0
nodemailer	2.7.2	8.0.4
xml-crypto	0.0.20	2.1.6
xml2js	0.2.8	0.5.0

Bumps the npm_and_yarn group with 2 updates in the /tests directory: mailparser and jszip.

Updates grunt from 0.4.5 to 1.5.3

Release notes

Sourced from grunt's releases.

v1.5.3

• Merge pull request #1745 from gruntjs/fix-copy-op 572d79b
• Patch up race condition in symlink copying. 58016ff
• Merge pull request #1746 from JamieSlome/patch-1 0749e1d
• Create SECURITY.md 69b7c50

gruntjs/grunt@v1.5.2...v1.5.3

v1.5.2

• Update Changelog 7f15fd5
• Merge pull request #1743 from gruntjs/cleanup-link b0ec6e1
• Clean up link handling 433f91b

gruntjs/grunt@v1.5.1...v1.5.2

v1.5.1

• Merge pull request #1742 from gruntjs/update-symlink-test ad22608
• Fix symlink test 0652305

gruntjs/grunt@v1.5.0...v1.5.1

v1.5.0

• Updated changelog b2b2c2b
• Merge pull request #1740 from gruntjs/update-deps-22-10 3eda6ae
• Update testing matrix 47d32de
• More updates 2e9161c
• Remove console log 04b960e
• Update dependencies, tests... aad3d45
• Merge pull request #1736 from justlep/main fdc7056
• support .cjs extension e35fe54

gruntjs/grunt@v1.4.1...v1.5.0

v1.4.1

• Update Changelog e7625e5
• Merge pull request #1731 from gruntjs/update-options 5d67e34
• Fix ci install d13bf88
• Switch to Actions 08896ae
• Update grunt-known-options eee0673
• Add note about a breaking change 1b6e288

gruntjs/grunt@v1.4.0...v1.4.1

v1.4.0

• Merge pull request #1728 from gruntjs/update-deps-changelog 63b2e89
• Update changelog and util dep 106ed17
• Merge pull request #1727 from gruntjs/update-deps-apr 49de70b
• Update CLI and nodeunit 47cf8b6
• Merge pull request #1722 from gruntjs/update-through e86db1c
• Update deps 4952368

... (truncated)

Changelog

Sourced from grunt's changelog.

v1.5.3 date: 2022-04-23 changes: - Patch up race condition in symlink copying. v1.5.2 date: 2022-04-12 changes: - Unlink symlinks when copy destination is a symlink. v1.5.1 date: 2022-04-11 changes: - Fixed symlink destination handling. v1.5.0 date: 2022-04-10 changes: - Updated dependencies. - Add symlink handling for copying files. v1.4.1 date: 2021-05-24 changes: - Fix --preload option to be a known option - Switch to GitHub Actions v1.4.0 date: 2021-04-21 changes: - Security fixes in production and dev dependencies - Liftup/Liftoff upgrade breaking change. Update your scripts to use --preload instead of --require. Ref: gulpjs/liftoff@e7a969d. v1.3.0 date: 2020-08-18 changes: - Switch to use safeLoad for loading YML files via file.readYAML. - Upgrade legacy-log to ~3.0.0. - Upgrade legacy-util to ~2.0.0. v1.2.1 date: 2020-07-07 changes: - Remove path-is-absolute dependency. (PR: gruntjs/grunt#1715) v1.2.0 date: 2020-07-03 changes: - Allow usage of grunt plugins that are located in any location that is visible to Node.js and NPM, instead of node_modules directly inside package that have a dev dependency to these plugins. (PR: gruntjs/grunt#1677) - Removed coffeescript from dependencies. To ease transition, if coffeescript is still around, Grunt will attempt to load it. If it is not, and the user loads a CoffeeScript file, Grunt will print a useful error indicating that the coffeescript package should be installed as a dev dependency.

... (truncated)

Commits

• 82d79b8 1.5.3
• 572d79b Merge pull request #1745 from gruntjs/fix-copy-op
• 58016ff Patch up race condition in symlink copying.
• 0749e1d Merge pull request #1746 from JamieSlome/patch-1
• 69b7c50 Create SECURITY.md
• ac667b2 1.5.2
• 7f15fd5 Update Changelog
• b0ec6e1 Merge pull request #1743 from gruntjs/cleanup-link
• 433f91b Clean up link handling
• d5969ec 1.5.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by vladikoff, a new releaser for grunt since your current version.

Updates bignum from 0.12.5 to 0.13.1

Commits

• ef2e025 0.13.1
• 0c871e1 ci: replace travis with actions
• 72951c5 dist: remove prebuild (for now)
• 27508d2 deps: update deps and fix formatting for standard@14
• a431989 src: update for Node 13 compat
• 735da93 src: fixes for node 12
• ce26c0c Update README.markdown (#122)
• efde423 0.13.0
• cc354b7 update deps, switch to prebuild, make work for node 10
• 1951f56 fix: let it support Node.js 10
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by rvagg, a new releaser for bignum since your current version.

Install script changes

This version adds install script that runs during installation. Review the package contents before updating.

Updates mailparser from 0.6.2 to 3.9.3

Release notes

Sourced from mailparser's releases.

mailparser: v3.8.1

3.8.1 (2025-11-05)

Bug Fixes

• trigger new build (7f2eb78)

mailparser: v3.8.0

3.8.0 (2025-11-04)

Bug Fixes

• deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)

Changelog

Sourced from mailparser's changelog.

3.9.3 (2026-01-28)

Bug Fixes

• escape URLs and link text in textToHtml to prevent XSS (921a67d), closes #412

3.9.2 (2026-01-28)

Bug Fixes

• Bumpe deps (508bcf7)

3.9.1 (2025-12-11)

Bug Fixes

• update dependencies (6879d1b)

3.9.0 (2025-11-05)

Features

• events: Emit a new headerLines event to gain access the raw headers (#364) (d33d7ec)

Bug Fixes

• ⬆️ update nodemailer dependency to resolve security issue GHSA-9h6g-pr28-7cqp (#357) (8bc4225)
• 150 (919f69a)
• 272: Throw TypeError for invalid input. (abd7e43)
• 34, bump version (09aa0bd)
• bumped deps (9a13f4e)
• Bumped deps (bb9c014)
• Bumped deps (9e084f9)
• Bumped mailsplit to fix flowed parser (da753e4)
• capture decoder end event to use on cleanup (4e367f7)
• deploy: added auto-deployment (d6eb56f)
• deps: Bumped deps (db842ad)
• deps: Bumped deps to fix issue with missing whitespace (92884d0)
• deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)
• deps: Replaced 'punycode' with 'punycode.js' module (4a15157)
• error on ks_c_5601-1987 (89572e0)
• Fix produced text address list string according to rfc 2822 (#340) (6bae600)
• handle simpleParser input stream error (faf9fc5)
• punycode: Fixes #355 Deprecation warning of the punycode module (#356) (0f35330)
• simple-parser: Buffer.from(string) default encode is utf-8,when input string‘s encode is gbk,result has some garbled (633e436)

... (truncated)

Commits

• 05db224 chore(master): release 3.9.3 [skip-ci]
• 921a67d fix: escape URLs and link text in textToHtml to prevent XSS
• bb325f1 chore(master): release 3.9.2 [skip-ci]
• 508bcf7 fix: Bumpe deps
• 0e71fed docs: add maintenance mode notice to README
• 2205e48 chore(master): release 3.9.1 [skip-ci]
• 6879d1b fix: update dependencies
• 3e1e029 chore(master): release 3.9.0 [skip-ci]
• b831000 Merge branch 'master' of github.com:nodemailer/mailparser
• 3cf6241 fix: trigger new build
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for mailparser since your current version.

Updates node-forge from 0.6.49 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

• HIGH: Denial of Service in BigInteger.modInverse()
  • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
  • Reported by Kr0emer.
  • CVE ID: CVE-2026-33891
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
  • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
  • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33894
  • GHSA ID: GHSA-ppp5-5v6c-4jwp
• HIGH: Signature forgery in Ed25519 due to missing S < L check.
  • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33895
  • GHSA ID: GHSA-q67f-28xg-22rw
• HIGH: basicConstraints bypass in certificate chain verification.
  • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
  • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
  • CVE ID: CVE-2026-33896
  • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

• fa385f9 Release 1.4.0.
• 07d4e16 Update changelog.
• cb90fd9 Update changelog.
• 963e7c5 Add unit test for "pseudonym"
• f0b6f5b Add pseudonym OID
• 3df48a3 Fix missing CVE ID.
• 2e49283 Add x509 basicConstraints check.
• bdecf11 Add canonical signature scaler check for S < L.
• af094e6 Add RSA padding and DigestInfo length checks.
• 796eeb1 Improve jsbn fix.
• Additional commits viewable in compare view

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.

Updates nodemailer from 2.7.2 to 8.0.4

Release notes

Sourced from nodemailer's releases.

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

v8.0.3

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)
• fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
• refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
• remove familySupportCache that broke DNS resolution tests (c803d90)

v8.0.2

8.0.2 (2026-03-09)

Bug Fixes

• merge fragmented display names with unquoted commas in addressparser (fe27f7f)

v8.0.1

8.0.1 (2026-02-07)

Bug Fixes

• absorb TLS errors during socket teardown (7f8dde4)
• absorb TLS errors during socket teardown (381f628)
• Add Gmail Workspace service configuration (#1787) (dc97ede)

v8.0.0

8.0.0 (2026-02-04)

⚠ BREAKING CHANGES

• Error code 'NoAuth' renamed to 'ENOAUTH'

Bug Fixes

• add connection fallback to alternative DNS addresses (e726d6f)
• centralize and standardize error codes (45062ce)
• harden DNS fallback against race conditions and cleanup issues (4fa3c63)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)
• fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
• refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
• remove familySupportCache that broke DNS resolution tests (c803d90)

8.0.2 (2026-03-09)

Bug Fixes

• merge fragmented display names with unquoted commas in addressparser (fe27f7f)

8.0.1 (2026-02-07)

Bug Fixes

• absorb TLS errors during socket teardown (7f8dde4)
• absorb TLS errors during socket teardown (381f628)
• Add Gmail Workspace service configuration (#1787) (dc97ede)

8.0.0 (2026-02-04)

⚠ BREAKING CHANGES

• Error code 'NoAuth' renamed to 'ENOAUTH'

Bug Fixes

• add connection fallback to alternative DNS addresses (e726d6f)
• centralize and standardize error codes (45062ce)
• harden DNS fallback against race conditions and cleanup issues (4fa3c63)
• improve socket cleanup to prevent potential memory leaks (6069fdc)

7.0.13 (2026-01-27)

... (truncated)

Commits

• 2d31975 chore(master): release 8.0.4 (#1806)
• 2d7b971 fix: sanitize envelope size to prevent SMTP command injection
• 4e702e9 chore(master): release 8.0.3 (#1804)
• c803d90 fix: remove familySupportCache that broke DNS resolution tests
• e8c8b92 fix: fix cookie bugs, remove dead code, and improve hot-path efficiency
• 0e78ee1 chore: update dependencies
• af73b4c chore: upgrade GitHub Actions to latest versions
• 604b570 chore: simplify remaining lib modules for clarity and consistency
• 4ced83d chore: simplify shared, errors, mailer, mime-node, and mime-funcs modules
• 0cba16e chore: simplify smtp-pool with const, Object.assign, and cleaner control flow
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nodemailer since your current version.

Updates xml-crypto from 0.0.20 to 2.1.6

Release notes

Sourced from xml-crypto's releases.

v2.1.6

Full Changelog: node-saml/xml-crypto@v2.1.5...v2.1.6

This addresses two critical CVE:

• CVE-2025-29774
• CVE-2025-29775

Please note that this version of xml-crypto is an older version of this library and you are encouraged to update to the latest release. This fix was provided because of the severity of the issue and doesn't include other enhancements, security or otherwise, that have been otherwise made to the latest releases.

v2.1.5

What's Changed

• 2.1.5: bump @​xmldom/xmldom to 0.7.9 by @​jncr in yaronn/xml-crypto#263

New Contributors

• @​jncr made their first contribution in yaronn/xml-crypto#263

Full Changelog: node-saml/xml-crypto@v2.1.4...v2.1.5

v2.1.4

Contains the following changes:

• #242

v2.1.3

Update xmldom to 0.7.0 (#236)

v2.1.2

Bump xmldom to 0.6.0 (13c986a)

v2.1.1

Update xpath to latest (44d12ab)

v2.1.0

Bump JUnit, xmldom (#217, #225) Use existing namespaces while looking up nodes (#218) Don't pull example into module build (#220)

v2.0.0

Disable HMAC by default

Due to the potential of a key confusion vulnerability in support of HMAC-SHA1, the HMAC-SHA1 "signing" algorithm has been disabled by default.

Previously, in certain situations it was possible to bypass signing checks by maliciously changing the algorithm to HMAC-SHA1 and using the public key as the HMAC secret.

If you need to validate an HMAC signature, you now must first call SignedXml.enableHMAC().

All users are encouraged to upgrade.

... (truncated)

Changelog

Sourced from xml-crypto's changelog.

Changelog

6.0.0 (2024-01-26)

💣 Major Changes

• [breaking-change] Set getCertFromKeyInfo to noop #445

🔗 Dependencies

• [dependencies] [github_actions] Bump github/codeql-action from 2 to 3 #434

📚 Documentation

• [documentation] Chore: Update README.md #432

---

v5.1.1 (2024-01-17)

🐛 Bug Fixes

• [bug] fix: template literal #443

---

v5.1.0 (2024-01-07)

🚀 Minor Changes

• [enhancement] Enhance derToPem to support XML pretty-print #439

🔗 Dependencies

• [dependencies] [javascript] Bump @​typescript-eslint/parser from 6.13.0 to 6.18.1 #442
• [dependencies] [javascript] Bump @​typescript-eslint/eslint-plugin from 6.13.0 to 6.18.1 #441
• [dependencies] [javascript] Bump follow-redirects from 1.15.3 to 1.15.4 #440
• [dependencies] [javascript] Bump eslint from 8.54.0 to 8.56.0 #436
• [dependencies] [javascript] Bump @​types/node from 16.18.65 to 16.18.69 #435
• [dependencies] [javascript] Bump release-it from 16.2.1 to 16.3.0 #428

---

v5.0.0 (2023-11-27)

💣 Major Changes

• [breaking-change] Mark getKeyInfo() private as it has no public consumers #412
• [breaking-change] Remove the default for getKeyInfoContent forcing a consumer to choose #411
• [documentation] [breaking-change] Remove default for transformation algorithm #410

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by cjbarth, a new releaser for xml-crypto since your current version.

Updates xml2js from 0.2.8 to 0.5.0

Commits

• 9f730bb Update package.json with latest PR
• 50a492a Merge pull request #603 from autopulated/master
• 7bc3c5d Merge pull request #598 from fnimick/master
• f412a12 Merge pull request #635 from wisesimpson/patch-1
• d318ce0 Update README.md
• 581b19a use Object.create(null) to create all parsed objects (prevent prototype repla...
• a212950 Add documentation for explicitCharkey option
• 1832e0b Merge pull request #512 from economia/master
• 198063c Merge pull request #556 from Omega-Ariston/fix-issue544
• 0d71785 Merge pull request #562 from Omega-Ariston/addDocExample
• Additional commits viewable in compare view

Updates xmldom from 0.1.16 to 0.1.27

Changelog

Sourced from xmldom's changelog.

0.1.27

Published by @​jindw on the 28th of Nov 2016 as

• xmldom@0.1.27

• xmldom-alpha@0.1.27

• Various bug fixes.

0.1.26

Published on the 18th of Nov 2016 as xmldom@0.1.26

• Details unknown

0.1.25

Published on the 18th of Nov 2016 as

• xmldom@0.1.25

• Details unknown

0.1.24

Published on the 27th of November 2016 as

• xmldom@0.1.24

• xmldom-alpha@0.1.24

• Added node filter.

0.1.23

Published on the 5th of May 2016 as

• xmldom-alpha@0.1.23

• Add namespace support for nest node serialize.

• Various other bug fixes.

0.1.22

• Merge XMLNS serialization.
• Remove \r from source string.
• Print namespaces for child elements.
• Switch references to nodeType to use named constants.
• Add nodelist toString support.

0.1.21

• Fix serialize bug.

... (truncated)

Commits

• 0ee90e6 some bugfix
• b53aa82 Merge branch 'master' of https://github.com/jindw/xmldom.git
• d4dcfa9 Merge pull request #159 from nfischer/use-named-constants
• a58dcf7 add node filter
• bafdf2c bug fixed
• b7a4daa add namespace support for nest node serialize
• 01170ab Merge branch 'master' of https://github.com/jindw/xmldom.git
• 1d45d32 commit
• abd0b0c merge xmlns seria
• c7b104d Merge pull request #167 from PeculiarVentures/master
• Additional commits viewable in compare view

Updates mailparser from 0.5.1 to 3.9.3

Release notes

Sourced from mailparser's releases.

mailparser: v3.8.1

3.8.1 (2025-11-05)

Bug Fixes

• trigger new build (7f2eb78)

mailparser: v3.8.0

3.8.0 (2025-11-04)

Bug Fixes

• deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)

Changelog

Sourced from mailparser's changelog.

3.9.3 (2026-01-28)

Bug Fixes

• escape URLs and link text in textToHtml to prevent XSS (921a67d), closes #412

3.9.2 (2026-01-28)

Bug Fixes

• Bumpe deps (508bcf7)

3.9.1 (2025-12-11)

Bug Fixes

• update dependencies (6879d1b)

3.9.0 (2025-11-05)

Features

• events: Emit a new headerLines event to gain access the raw headers (#364) (d33d7ec)

Bug Fixes

• ⬆️ update nodemailer dependency to resolve security issue GHSA-9h6g-pr28-7cqp (#357) (8bc4225)
• 150 (919f69a)
• 272: Throw TypeError for invalid input. (abd7e43)
• 34, bump version (09aa0bd)
• bumped deps (9a13f4e)
• Bumped deps (bb9c014)
• Bumped deps (9e084f9)
• Bumped mailsplit to fix flowed parser (da753e4)
• capture decoder end event to use on cleanup (4e367f7)
• deploy: added auto-deployment (d6eb56f)
• deps: Bumped deps (db842ad)
• deps: Bumped deps to fix issue with missing whitespace (92884d0)
• deps: Bumped Nodemailer to fix issue with long data URI's (d24f96e)
• deps: Replaced 'punycode' with 'punycode.js' module (4a15157)
• error on ks_c_5601-1987 (89572e0)
• Fix produced text address list string according to rfc 2822 (#340) (6bae600)
• handle simpleParser input stream error (faf9fc5)
• punycode: Fixes #355 Deprecation warning of the punycode module (#356) (0f35330)
• simple-parser: Buffer.from(string) default encode is utf-8,when input string‘s encode is gbk,result has some garbled (633e436)

... (truncated)

Commits

• 05db224 chore(master): release 3.9.3 [skip-ci]
• 921a67d fix: escape URLs and link text in textToHtml to prevent XSS
• bb325f1 chore(master): release 3.9.2 [skip-ci]
• 508bcf7 fix: Bumpe deps
• 0e71fed docs: add maintenance mode notice to README
• 2205e48 chore(master): release 3.9.1 [skip-ci]
• 6879d1b fix: update dependencies
• 3e1e029 chore(master): release 3.9.0 [skip-ci]
• b831000 Merge branch 'master' of github.com:nodemailer/mailparser
• 3cf6241 fix: trigger new build
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for mailparser since your current version.

Updates jszip from 2.7.0 to 3.10.1

Changelog

Sourced from jszip's changelog.

v3.10.1 2022-08-02

• Add sponsorship files.
  • If you appreciate the time spent maintaining JSZip then I would really appreciate your sponsorship.
• Consolidate metadata types and expose OnUpdateCallback #851 and #852
• use const instead var in example from README.markdown #828
• Switch manual download link to HTTPS #839

Internals:

• Replace jshint with eslint #842
• Add performance tests #834

v3.10.0 2022-05-20

• Change setimmediate dependency to more efficient one. Fixes Stuk/jszip#617 (see #829)
• Update types of currentFile metadata to include null (see #826)

v3.9.1 2022-04-06

• Fix recursive definition of InputFileFormat introduced in 3.9.0.

v3.9.0 2022-04-04

• Update types JSZip#loadAsync to accept a promise for data, and remove arguments from new JSZip() (see #752)
• Update types for compressionOptions to JSZipFileOptions and JSZipGeneratorOptions (see #722)
• Add types for generateInternalStream (see #774)

v3.8.0 2022-03-30

• Santize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

v3.7.1 2021-08-05

• Fix build of dist files.
  • Note: this version ensures the changes from 3.7.0 are actually included in the dist files. Thanks to Evan W for reporting.

v3.7.0 2021-07-23

• Fix: Use a null prototype object for this.files (see #766)
  • This change might break existing code if it uses prototype methods on the .files property of a zip object, for example zip.files.toString(). This approach is taken to prevent files in the zip overriding object methods that would exist on a normal object.

v3.6.0 2021-02-09

• Fix: redirect main to dist on browsers (see #742)
• Fix duplicate require DataLengthProbe, utils (see #734)
• Fix small error in read_zip.md (see #703)

v3.5.0 2020-05-31

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.