Update dependency file-type to v21 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
file-type	16.5.4 → 21.3.1

---

file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header

CVE-2026-31808 / GHSA-5v7r-6r5c-r473

More information

Details

Impact

A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever.

Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.

Patches

Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

Workarounds

Validate or limit the size of input buffers before passing them to file-type, or run file type detection in a worker thread with a timeout.

References

• Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

Reporter

crnkovic@lokvica.com

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473
• https://nvd.nist.gov/vuln/detail/CVE-2026-31808
• https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f
• https://github.com/advisories/GHSA-5v7r-6r5c-r473

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sindresorhus/file-type (file-type)

v21.3.1

Compare Source

• Fix infinite loop in ASF parser on malformed input (GHSA-5v7r-6r5c-r473) 319abf8

---

v21.3.0

Compare Source

• Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#​779) d223491

---

v21.2.0

Compare Source

• Add support for SPSS data files (#​787) 889f638
• Add support for JMP (#​784) 093dba0

---

v21.1.1

Compare Source

• Fix handling of partial Gunzip file (#​783) 710e053

---

v21.1.0

Compare Source

• Add support for .tar.gz (gunzipped tarball file) (#​763) eda03a7
• Add support for Windows registry (.reg) files 0db61ec 7d2ddcf
• Add support for Windows registry hive file (.dat) (#​767) f8d62be
• Fix: Handle partial unzip (#​773) 7ad3a90

---

v21.0.0

Compare Source

Breaking

• Require Node.js 20 24aec1f
• Drop Adobe Illustrator (.ai) detection support (#​743) af169f3
• Correct Matroska (video) MIME-type to formal IANA registration (#​753) f53f5ff
• Correct FLAC MIME-type to formal IANA registration (#​755) b9fda36
• Correct Apache Parquet MIME-type to formal IANA registration (#​748) 98e3f8e
• Correct Apache Arrow MIME-type to formal IANA registration (#​754) 7184775

Improvements

• Allow options to be directly passed to exported functions (#​752) d264029
• Add mpegOffsetTolerance option (#​646) c40840a

Fixes

• Fix detection of some PAX TAR formats (#​762) 574d0d6

---

v20.5.0

Compare Source

• Add support Office PowerPoint 2007 (macro-enabled) slide show (#​747) f1b4c7a

---

v20.4.1

Compare Source

• Add workaround for using bundler as the module-resolution in TypeScript (#​744) 90bfe33

---

v20.4.0

Compare Source

• Add support for OpenType Font Collection (TTC) (#​737) 3e576a6

---

v20.3.0

Compare Source

• Add node subpath export (#​741) 8d39f66
• Allow require to load file-type as ES Module (#​736) 8d39f66

---

v20.2.0

Compare Source

• Add support for RealMedia (#​740) d05d49d

---

v20.1.0

Compare Source

• Improve WebP detection (#​733) ef486f1

---

v20.0.1

Compare Source

• Fix detecting small PDF file (#​728) f34e9f7

---

v20.0.0

Compare Source

Breaking

• Drop MIME-type and extension enumeration in types (#​693) 0ff11c6
• Remove NodeFileTypeParser in favor of using FileTypeParser on all platforms (#​707) ff8eed8

Improvements

• Give API access to FileTypeParser#detectors (#​704) 7e72bbc
• Improve Nikon RAW NEF (Tiff) format detection (#​670) cf6fc1e
• Add support for Java archive (.jar) (#​719) 8651809
• Add support for MSOffice macro-enabled docs and templates (#​720) 7fe5667
• Add support for OpenDocument graphics and templates (#​718) 4db407d
• Add support for Microsoft Excel template with macros (.xltm) (#​714) 1fe621a
• Add support for Microsoft Word template (.dotx) (#​713) 643ef78
• Add support for Microsoft Excel template (.xltx) (#​712) 0dab3e0
• Add support for Microsoft PowerPoint template ( .potx) (#​710) f978619
• Add support for ZIP decompression using @tokenizer/inflate (#​695) 399b0f1
• Add support for .lz4 file format (#​706) 74acf94
• Add support for format .drc, Google's Draco 3D Data Compression (#​702) e99257d

Fixes

• Fix code sequence "File Type Box" detection (#​705) 7d4dd8d

---

v19.6.0

Compare Source

• Add ability to abort async operations (#​667) 5ce98f3
• Add support for APK (#​679) 7b10012
• Fix Opus MIME-type (#​682) 4dcb8c5
• Fix: Ensure web-stream is released after detection (#​680) 9945877

v19.5.0

Compare Source

• Add support for WebVTT (#​658) 21ed763

v19.4.1

Compare Source

• Fix passing options to fileTypeStream in default entry point (#​653) ea314a4

v19.4.0

Compare Source

• Add support for web streams for fileTypeStream() (#​649) 2000141
• Fix options in combination with fileTypeStream() (#​650) bd3b5a4

v19.3.0

Compare Source

• Add support for Microsoft Visio files (#​647) 2744be7

v19.2.0

Compare Source

• Add NodeFileTypeParser#fromFile() (#​644) 9d2ee02
• Update dependencies (#​645) 6440b3d

v19.1.1

Compare Source

• Fix Node.js entry point export fileTypeFromTokenizer (#​639) 20fdba7

v19.1.0

Compare Source

• Replace Buffer usage with Uint8Array (#​633) 00e051b
• Add support for reading from a web stream (#​635) b815b5e

Release notes

• Please note that fileTypeFromBlob(blob) is streaming the Blob instead of buffering, which require at least Node.js ≥ 20.

v19.0.0

Compare Source

Breaking

• Require Node.js 18 7f4b30b
• Use mime type audio/wav instead of audio/vnd.wave for .wav files (#​620) c7c923c

v18.7.0

Compare Source

• Add support for FBX (Filmbox) (#​605) 4b7eb75
• Support adding custom detectors (#​603) f5b232c

v18.6.0

Compare Source

• Add support for Mach-O (#​615) ec4980b

v18.5.0

Compare Source

• Add support for ICC (#​601) 0ccebb1

v18.4.0

Compare Source

• Add support for Avro (#​597) 34ab7d4

v18.3.0

Compare Source

• Support reading from Blob in Node.js (#​588) 1c75cfb
• Add support for J2C (#​596) 51bd34c
• Add support for ACE (#​592) 1899fc1
• Add support for cpio (#​590) f84e96c
• Add support for ARJ (#​589) 935470e
• Add support for Java class (#​591) a40f828

v18.2.1

Compare Source

• Fix handling of tiny PDFs (#​580) edf59f8

v18.2.0

Compare Source

• Add support for Apache Parquet (#​576) 1ec164b

v18.1.0

Compare Source

Improvements

• Add support for AutoDesk DWG format (#​572) 47aa221
• Add support for Personal Storage Table (PST) file (.pst) (#​573) ec3ba33
• Add support for JPEG-LS (.jls) (#​568) 976ed4b

Fixes

• Fix parsing big-endian encoded TIFF file (#​571) e8bc341

v18.0.0

Compare Source

Breaking

• Require Node.js 14 6d457c5

v17.1.6

Compare Source

• Fix an import path (#​553) e843d73

v17.1.5

Compare Source

• Fix PDF detection in some cases a0c24eb

v17.1.4

Compare Source

• Fix a problem with a dependency (#​549) 20a90ab

v17.1.3

Compare Source

• Fix: Malformed MKV could cause an infinite loop 2c4d120
  • CVE-2022-36313
  • Also backported to 16.5.4

v17.1.2

Compare Source

• Improve decoding of mime-type in ZIP file (#​546) 1b10a71

v17.1.1

Compare Source

• Update dependencies (#​519) 1a553e7

v17.1.0

Compare Source

• Add support for ELF (Unix Executable and Linkable Format) (#​514) c4983ea
• Add avif-sequence file for animation (#​512) 752afb3

v17.0.2

Compare Source

• Prevent "Concurrent read operation" error to be thrown in some cases while reading from a stream (#​510) 565f7f3

v17.0.1

Compare Source

• Update strtok3 & token-types dependencies for explicit node:buffer imports (#​507) b27fb5f

v17.0.0

Compare Source

Breaking

• Require Node.js 12.20 (#​472) 826b4ad
• This package is now pure ESM. Please read this.
• Remove the /browser sub-export 287e361
  • Browser support is now included by default.
• Moved from a default export to named exports:
  require('file-type').fromBuffer → import {fileTypeFromBuffer} from 'file-type'
require('file-type').fromFile → import {fileTypeFromFile} from 'file-type'
require('file-type').fromStream → import {fileTypeFromStream} from 'file-type'
require('file-type').fromTokenizer → import {fileTypeFromTokenizer} from 'file-type'
require('file-type').stream → import {fileTypeStream} from 'file-type'
require('file-type').extensions → import {supportedExtensions} from 'file-type'
require('file-type').mimeTypes → import {supportedMimeTypes} from 'file-type'

Improvements

• Improve WebM detection (#​486) b23be62
• Improve parsing TIFF files (#​482) 82c9ccb
• Detect both raw and BDAV versions of MPEG-2 Transport Streams (#​497) 4ce6838
• Detect XML UTF-16-BE & UTF-16-LE via pattern matching (#​490) a2cf2b3
• Support XML encoding with UTF-8 including BOM field (#​491) 8bca6b4

Fixes

• Prevent End-Of-Stream error in stream() (#​468) 67c8fcb

---

Configuration

📅 Schedule: (in timezone Etc/UTC)

• Branch creation
  • ""
• Automerge
  • Only on Sunday and Saturday (* * * * 0,6)
  • Between 12:00 AM and 12:59 PM, only on Monday (* 0-12 * * 1)
  • Between 10:00 PM and 11:59 PM, Monday through Friday (* 22-23 * * 1-5)
  • Between 12:00 AM and 04:59 AM, Tuesday through Saturday (* 0-4 * * 2-6)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

E2E Tests Failed

To view the Playwright test report locally, run:

REPORT_DIR=$(mktemp -d) && gh run download 25429996615 -n playwright-report -D "$REPORT_DIR" && npx playwright show-report "$REPORT_DIR"