Skip to content

[stable32] chore(deps-dev): bump @zip.js/zip.js from 2.8.26 to 2.8.29#62303

Open
dependabot[bot] wants to merge 1 commit into
stable32from
dependabot/npm_and_yarn/stable32/zip.js/zip.js-2.8.29
Open

[stable32] chore(deps-dev): bump @zip.js/zip.js from 2.8.26 to 2.8.29#62303
dependabot[bot] wants to merge 1 commit into
stable32from
dependabot/npm_and_yarn/stable32/zip.js/zip.js-2.8.29

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 18, 2026

Copy link
Copy Markdown
Contributor

Bumps @zip.js/zip.js from 2.8.26 to 2.8.29.

Release notes

Sourced from @​zip.js/zip.js's releases.

v2.8.29

Bug fixes

  • Bounded memory when streaming large entries. The compression path now applies backpressure through the codec, pacing the input to the rate the compressor consumes it. Previously, writing a large entry could grow memory in proportion to the entry size — a 256 MB file peaked around 390 MB — because the platform's native CompressionStream does not apply writable backpressure in Node.js and Bun. Peak memory is now flat regardless of entry size (~99 MB for that same 256 MB file), with no throughput cost. (d18f4e3a)

  • A provided zlib codec is no longer discarded when the WASM module is unavailable. If you supply a self-contained CompressionStreamZlib / DecompressionStreamZlib (e.g. the pure-JS port) with useCompressionStream: false and no WASM module (wasmURI: null, or a failed load), the library used to silently fall back to the native CompressionStream. Your codec is now honored; the native fallback applies only when the codec that would actually run depends on the WASM module. (a67c54e1)

Other

  • Added a reproducible benchmark suite (benchmarks/) and BENCHMARKS.md comparing @zip.js/zip.js against jszip, fflate and archiver across compression, decompression and disk-to-disk streaming. (65178e72)
  • Tests: the crypto error-path tests opt out of Deno's resource sanitizer, working around a Deno bug where cancelling a transferred, still-open ReadableStream leaks a MessagePort (reported upstream — denoland/deno#36015). (454f79ec)

v2.8.28

What's Changed

This release contains an unusually large number of fixes resulting from an in-depth audit of the codebase, along with several new features. All fixes are covered by new regression tests, and the produced archives were validated against external tools (7z, unzip, ditto, Python).

New features

  • Add the checkAmbiguity option to ZipReader to detect and reject ambiguous archives: concatenated archives, trailing central directory records, mismatched zip64 records, duplicate filenames, and local file headers contradicting the central directory
  • Add the fetch option to HttpReader and HttpRangeReader in gildas-lormeau/zip.js#655
  • Add the workerStarvationTimeout option to configure() and run starved codecs without worker to prevent deadlocks
  • Support the offset option with split archives
  • Support the rawPassword option with ZipCrypto
  • Add index.cjs/index-native.cjs subpath exports and a react-native condition in package.json in gildas-lormeau/zip.js#651
  • Add the ERR_AMBIGUOUS_ARCHIVE, ERR_INVALID_COMPRESSED_DATA and ERR_UNDEFINED_READER error constants

Deflate64

  • Fix decompression of entries containing matches longer than 258 bytes (length code 285) in gildas-lormeau/zip.js#661 — the wasm fix was contributed by @​Chagrins in gildas-lormeau/zlib-streams#1
  • Add the deflate64 option to the reserved properties of inline web workers (web workers silently decompressed Deflate64 entries with the deflate32 codec)

Security

  • Always verify the AES authentication code when decrypting entries
  • Compare the ZipCrypto password verification byte in constant time
  • Throw ERR_UNSUPPORTED_CRYPTO_API instead of falling back to an insecure pseudo-random generator when the Web Crypto API is unavailable, and remove the unused pseudo-random fallback from sjcl.js
  • Detect overlapping entries regardless of check order, and when reading entries multiple times
  • Throw zip.js errors instead of RangeError on malformed archives

Behavior changes

No API was removed or changed, but some intentional behavior changes are worth noting:

  • dataDescriptorSignature now defaults to true: archives grow by 4 bytes per entry when data descriptors are used, and output bytes differ (fixes extraction with macOS ditto)
  • add() with passThrough set and no reader throws ERR_UNDEFINED_READER instead of silently producing corrupt output
  • add() with an unsupported compressionMethod throws instead of producing an unreadable entry
  • Extra fields totaling over 64KB throw instead of writing a corrupt header
  • add(name) without reader now writes a well-defined empty stored entry
  • Extended timestamps outside the signed 32-bit range are omitted (the NTFS field carries the exact value); reads treat the field as signed per the spec

... (truncated)

Commits
  • 23f838d bump up version
  • 3b5456f update doc
  • 65178e7 add benchmark suite and results comparing against jszip, fflate and archiver
  • 454f79e opt error-path crypto tests out of Deno's resource sanitizer
  • b8bbeff update built files
  • a67c54e keep a provided zlib codec when the WASM module fails to load
  • 95f58e0 update built files
  • d18f4e3 apply backpressure when streaming entries through the compression codec
  • 5634c6b update doc
  • 9b8df6d bump up version
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@zip.js/zip.js](https://github.com/gildas-lormeau/zip.js) from 2.8.26 to 2.8.29.
- [Release notes](https://github.com/gildas-lormeau/zip.js/releases)
- [Commits](gildas-lormeau/zip.js@v2.8.26...v2.8.29)

---
updated-dependencies:
- dependency-name: "@zip.js/zip.js"
  dependency-version: 2.8.29
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot requested a review from a team as a code owner July 18, 2026 03:20
@dependabot
dependabot Bot requested a review from a team as a code owner July 18, 2026 03:20
@dependabot
dependabot Bot requested review from kristian-zendato, nfebe and sorbaugh and removed request for a team July 18, 2026 03:20
@github-actions github-actions Bot changed the title chore(deps-dev): bump @zip.js/zip.js from 2.8.26 to 2.8.29 [stable32] chore(deps-dev): bump @zip.js/zip.js from 2.8.26 to 2.8.29 Jul 18, 2026
@github-actions
github-actions Bot enabled auto-merge July 18, 2026 03:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants