fix(deps): update file-type to 21.3.1 [security] #686

Open
renovate[bot] wants to merge 1 commit into development from renovate/npm-file-type-vulnerability

renovate bot commented Mar 11, 2026

This PR contains the following updates:

Package      Change
file-type    19.6.0 → 21.3.1

GitHub Vulnerability Alerts

CVE-2026-31808

Impact

A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever.

Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.

Patches

Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

Workarounds

Validate or limit the size of input buffers before passing them to file-type, or run file type detection in a worker thread with a timeout.

References

  • Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

Reporter

crnkovic@lokvica.com


Release Notes

sindresorhus/file-type (file-type)

v21.3.1


  • Fix infinite loop in ASF parser on malformed input 319abf8

v21.3.0


  • Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#779) d223491

v21.2.0

v21.1.1

v21.1.0

v21.0.0

Breaking
  • Require Node.js 20 24aec1f
  • Drop Adobe Illustrator (.ai) detection support (#743) af169f3
  • Correct Matroska (video) MIME-type to formal IANA registration (#753) f53f5ff
  • Correct FLAC MIME-type to formal IANA registration (#755) b9fda36
  • Correct Apache Parquet MIME-type to formal IANA registration (#748) 98e3f8e
  • Correct Apache Arrow MIME-type to formal IANA registration (#754) 7184775
Improvements
Fixes

v20.5.0


  • Add support for Office PowerPoint 2007 (macro-enabled) slide show (#747) f1b4c7a

v20.4.1


  • Add workaround for using bundler as the module-resolution in TypeScript (#744) 90bfe33

v20.4.0

v20.3.0

v20.2.0

v20.1.0

v20.0.1

v20.0.0

Breaking
  • Drop MIME-type and extension enumeration in types (#693) 0ff11c6
  • Remove NodeFileTypeParser in favor of using FileTypeParser on all platforms (#707) ff8eed8
Improvements
Fixes


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
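The loop condition the advisory describes, as an added example that is not part of the bot's comment and is not file-type's code: a minimal walker over ASF-style objects (16-byte GUID followed by a 64-bit little-endian size that counts the 24-byte header), shown unguarded and guarded. All function names and sample bytes are constructed for illustration; the step cap stands in for the stalled event loop.

```javascript
// Added illustration, not file-type's code; all names and bytes are constructed.
const HEADER = 24; // ASF object header: 16-byte GUID + 64-bit little-endian size

// Build a constructed object whose size field holds `declaredSize`.
function makeObject(declaredSize, payloadLength) {
  const bytes = new Uint8Array(HEADER + payloadLength);
  new DataView(bytes.buffer).setBigUint64(16, BigInt(declaredSize), true);
  return bytes;
}

function readSize(bytes, offset) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return view.getBigUint64(offset + 16, true);
}

// Unguarded walk, as the advisory describes it: read the header, then skip
// payload = size - 24. The step cap makes the non-termination observable.
function walkUnguarded(bytes, maxSteps) {
  let offset = 0;
  let steps = 0;
  while (offset + HEADER <= bytes.length) {
    if (++steps > maxSteps) return {stalled: true, steps: maxSteps};
    const payload = Number(readSize(bytes, offset)) - HEADER;
    offset += HEADER;  // header consumed
    offset += payload; // size 0 gives -24: cursor returns to the same object
  }
  return {stalled: false, steps};
}

// Guarded walk: a size that cannot move the cursor forward, or that runs
// past the end of the input, is rejected as malformed.
function walkGuarded(bytes) {
  const objects = [];
  let offset = 0;
  while (offset + HEADER <= bytes.length) {
    const size = readSize(bytes, offset);
    const remaining = BigInt(bytes.length - offset);
    if (size < BigInt(HEADER) || size > remaining) {
      throw new RangeError(`malformed object size ${size} at offset ${offset}`);
    }
    objects.push({offset, size: Number(size)});
    offset += Number(size);
  }
  return objects;
}
```

The same invariant (every iteration must advance the read position) is worth checking in any length-prefixed parser that handles untrusted input.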


renovate bot commented Mar 11, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: enzyme-adapter-react-16@1.15.8
npm error Found: react@18.3.1
npm error node_modules/react
npm error   react@"^18.3.1" from the root project
npm error   peer react@">=16.8.0" from @emotion/react@11.13.3
npm error   node_modules/@emotion/react
npm error     @emotion/react@"11.13.3" from the root project
npm error     peer @emotion/react@"^11.0.0-rc.0" from @emotion/styled@11.13.0
npm error     node_modules/@emotion/styled
npm error       @emotion/styled@"11.13.0" from the root project
npm error     1 more (react-select)
npm error   32 more (@emotion/styled, ...)
npm error
npm error Could not resolve dependency:
npm error peer react@"^16.0.0-0" from enzyme-adapter-react-16@1.15.8
npm error node_modules/enzyme-adapter-react-16
npm error   dev enzyme-adapter-react-16@"^1.15.3" from the root project
npm error
npm error Conflicting peer dependency: react@16.14.0
npm error node_modules/react
npm error   peer react@"^16.0.0-0" from enzyme-adapter-react-16@1.15.8
npm error   node_modules/enzyme-adapter-react-16
npm error     dev enzyme-adapter-react-16@"^1.15.3" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-03-13T16_40_17_201Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-03-13T16_40_17_201Z-debug-0.log

renovate bot force-pushed the renovate/npm-file-type-vulnerability branch from a2f4c38 to 2fa4a50 on March 13, 2026 16:40