
fix(deps): update dependency jszip to v3 [security] #233

Open: wants to merge 1 commit into base: master
Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Nov 10, 2022

This PR contains the following updates:

Package | Change
jszip   | 2.6.1 -> 3.8.0

GitHub Vulnerability Alerts

CVE-2021-23413

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.

CVE-2022-48285

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.


Release Notes

Stuk/jszip (jszip)

v3.8.0

Compare Source

  • Sanitize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

v3.7.1

Compare Source

  • Fix build of dist files.
    • Note: this version ensures the changes from 3.7.0 are actually included in the dist files. Thanks to Evan W for reporting.

v3.7.0

Compare Source

  • Fix: Use a null prototype object for this.files (see #​766)
    • This change might break existing code if it uses prototype methods on the .files property of a zip object, for example zip.files.toString(). This approach is taken to prevent files in the zip overriding object methods that would exist on a normal object.

v3.6.0

Compare Source

  • Fix: redirect main to dist on browsers (see #​742)
  • Fix duplicate require DataLengthProbe, utils (see #​734)
  • Fix small error in read_zip.md (see #​703)

v3.5.0

Compare Source

  • Fix 'End of data reached' error when file extra field is invalid (see #​544).
  • Typescript definitions: Add null to return types of functions that may return null (see #​669).
  • Typescript definitions: Correct nodeStream's type (see #​682)
  • Typescript definitions: Add string output type (see #​666)

v3.4.0

Compare Source

  • Add Typescript type definitions (see #​601).

v3.3.0

Compare Source

  • Change browser module resolution to support Angular packager (see #​614).

v3.2.2

Compare Source

  • No public changes, but a number of testing dependencies have been updated.
  • Tested browsers are now: Internet Explorer 11, Chrome (most recent) and Firefox (most recent). Other browsers (specifically Safari) are still supported; however, testing them on Saucelabs is broken, so they were removed from the test matrix.

v3.2.1

Compare Source

  • Corrected built dist files

v3.2.0

Compare Source

  • Update dependencies to reduce bundle size (see #​532).
  • Fix deprecated Buffer constructor usage and add safeguards (see #​506).

v3.1.5

Compare Source

  • Fix IE11 memory leak (see #​429).
  • Handle 2 nodejs deprecations (see #​459).
  • Improve the "unsupported format" error message (see #​461).
  • Improve webworker compatibility (see #​468).
  • Fix nodejs 0.10 compatibility (see #​480).
  • Improve the error without type in async() (see #​481).

v3.1.4

Compare Source

  • consistently use our own utils object for inheritance (see #​395).
  • lower the memory consumption in generate* with a lot of files (see #​449).

v3.1.3

Compare Source

  • instanceof failing in window / iframe contexts (see #​350).
  • remove a copy with blob output (see #​357).
  • fix crc32 check for empty entries (see #​358).
  • fix the base64 error message with data uri (see #​359).

v3.1.2

Compare Source

  • fix support of nodejs process.platform in generate* methods (see #​335).
  • improve browserify/webpack support (see #​333).
  • partial support of a promise of text (see #​337).
  • fix streamed zip files containing folders (see #​342).

v3.1.1

Compare Source

  • Use a hard-coded JSZip.version, fix an issue with webpack (see #​328).

v3.1.0

Compare Source

  • utils.delay: use macro tasks instead of micro tasks (see #​288).
  • Harden base64 decode (see #​316).
  • Add JSZip.version and the version in the header (see #​317).
  • Support Promise(Blob) (see #​318).
  • Change JSZip.external.Promise implementation (see #​321).
  • Update pako to v1.0.2 to fix a DEFLATE bug (see #​322).

v3.0.0

Compare Source

This release changes a lot of methods, please see the upgrade guide.

  • replace sync getters and generate() with async methods (see #​195).
  • support nodejs streams (in file() and generateAsync()).
  • support Blob and Promise in file() and loadAsync() (see #​275).
  • add support.nodestream.
  • zip.filter: remove the defensive copy.
  • remove the deprecated API (see #​253).
  • type is now mandatory in generateAsync().
  • change the createFolders default value (now true).
  • Dates: use UTC instead of the local timezone.
  • Add base64 and array as possible output type.
  • Add a forEach method.
  • Drop node 0.8 support (see #​270).

v2.7.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
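The two fixes the release notes describe, as an added example that is not JSZip's own code: a traversal-safe entry-path resolver (the zip-slip fix) and a null-prototype entry index (the 3.7.0 prototype-pollution fix). The sample entry names and the `/tmp/extract` root are constructed.

```javascript
// Added example, not JSZip's own code: defensive handling of archive entry
// names for the two issues this PR addresses, zip slip (CVE-2022-48285) and
// prototype pollution through entry names (CVE-2021-23413).

// Resolve an entry name to a path relative to the extraction root.
// Backslashes count as separators, leading slashes and "."/empty segments are
// dropped, and ".." may only consume a segment already inside the archive.
// Returns null when the name is empty or would escape the root.
function safeEntryPath(name) {
  const stack = [];
  for (const seg of name.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return null; // would climb above the root
      stack.pop();
      continue;
    }
    stack.push(seg);
  }
  return stack.length === 0 ? null : stack.join("/");
}

// Index entries by sanitized path in a null-prototype map, so an entry named
// "__proto__" or "toString" becomes an own property instead of changing the
// map's prototype (the 3.7.0 approach). Callers must use Object.keys() or
// Object.hasOwn() on it; map.hasOwnProperty() no longer exists.
function planExtraction(entryNames, destRoot) {
  const entries = Object.create(null);
  const rejected = [];
  for (const original of entryNames) {
    const safe = safeEntryPath(original);
    if (safe === null) {
      rejected.push(original);
      continue;
    }
    // Keep the raw name alongside, as 3.8.0 does with unsafeOriginalName,
    // so the caller can log what the archive actually claimed.
    entries[safe] = { target: destRoot + "/" + safe, unsafeOriginalName: original };
  }
  return { entries, rejected };
}

// Constructed sample entry list: benign names first, then traversal and
// prototype-key cases.
const SAMPLE_ENTRIES = ["docs/readme.txt", "src/./lib/../index.js", "/abs/note.txt",
  "..\\outside.txt", "a/../../escape.txt", "__proto__", "toString"];

const plan = planExtraction(SAMPLE_ENTRIES, "/tmp/extract");
console.log(Object.keys(plan.entries), plan.rejected);
```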

@renovate renovate bot added the security label Nov 10, 2022
@renovate renovate bot changed the title fix(deps): update dependency jszip to v2.7.0 [security] Update dependency jszip to v2.7.0 [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency jszip to v2.7.0 [SECURITY] fix(deps): update dependency jszip to v2.7.0 [security] Dec 17, 2022
@renovate renovate bot changed the title fix(deps): update dependency jszip to v2.7.0 [security] fix(deps): update dependency jszip to v2.7.0 [security] - autoclosed Dec 21, 2022
@renovate renovate bot closed this Dec 21, 2022
@renovate renovate bot deleted the renovate/npm-jszip-vulnerability branch December 21, 2022 03:09
@renovate renovate bot changed the title fix(deps): update dependency jszip to v2.7.0 [security] - autoclosed fix(deps): update dependency jszip to v2.7.0 [security] Dec 21, 2022
@renovate renovate bot reopened this Dec 21, 2022
@renovate renovate bot restored the renovate/npm-jszip-vulnerability branch December 21, 2022 05:05
@renovate renovate bot force-pushed the renovate/npm-jszip-vulnerability branch from 7e5ed10 to dd52464 Compare February 9, 2023 05:08
@renovate renovate bot changed the title fix(deps): update dependency jszip to v2.7.0 [security] fix(deps): update dependency jszip to v3 [security] Feb 9, 2023
@renovate renovate bot changed the title fix(deps): update dependency jszip to v3 [security] fix(deps): update dependency jszip to v3 [security] - autoclosed Feb 12, 2023
@renovate renovate bot closed this Feb 12, 2023
@renovate renovate bot deleted the renovate/npm-jszip-vulnerability branch February 12, 2023 03:06
@renovate renovate bot changed the title fix(deps): update dependency jszip to v3 [security] - autoclosed fix(deps): update dependency jszip to v3 [security] Feb 12, 2023
@renovate renovate bot reopened this Feb 12, 2023
@renovate renovate bot restored the renovate/npm-jszip-vulnerability branch February 12, 2023 04:21