Move away from unmaintained fstream
apupier opened this issue · 7 comments
fstream is no longer maintained:
- repository is archived https://github.com/npm/fstream
- last release is 1.0.12 and was 3 years ago https://github.com/npm/fstream/releases/tag/v1.0.12
There is a critical CVE in the chain of dependency to minimist:
minimist <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist
(maybe not affected, but even in this case it gives a false positive when using npm audit, which is not convenient)
    └─┬ unzipper@0.10.11
      └─┬ fstream@1.0.12
        └─┬ mkdirp@0.5.5
          └── minimist@1.2.5
fstream has a new vulnerability in its dependencies, through rimraf > glob > inflight (which is not maintained):
https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
Would love for this to be updated!
Also note that fstream can write file contents out-of-order, because of a node.js bug in v18.16+. This is the source of these corrupted file issues:
The bug will be fixed in future releases of node.js. But for now, everyone really needs to stop using fstream.
Edit:
This issue has been fixed in the following node.js versions:
@ZJONSSON Please update the fstream package issue and create a new release. exceljs, a package which depends on node-unzipper, shows a vulnerability, and thus the package cannot be used in places where vulnerabilities are considered a big risk.
I don't believe exceljs uses any of the fstream functionality, so there is not a real vulnerability here.
However, I do agree we should move away from fstream, but I am going to need some help. Which package provides the same functionality of "safely" recursively creating directories when they don't exist, etc.? Do you mind supplying a PR, @AyushAher?