I keep seeing this in my error log:

error Error: If encoding is specified then the first argument must be a string
     at new Buffer (buffer.js:106:13)
     at Readable.<anonymous> (../node_modules/archiver-utils/index.js:39:15)

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update actions/checkout action to v4.1.7
• Update actions/setup-node action to v4.0.4
• Update dependency rimraf to v5.0.10
• Update dependency chai to v4.5.0
• Update dependency glob to v10.4.5
• Update dependency mocha to v10.7.3
• Update dependency chai to v5
• Update dependency glob to v11
• Update dependency is-stream to v3
• Update dependency is-stream to v4
• Update dependency rimraf to v6
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

[email protected] depends on [email protected] package which also has a vulnerable dependency '[email protected]'.
As per 'isaacs/inflight-DEPRECATED-DO-NOT-USE#18' vulnerable dependency is being fixed in [email protected].

✅ What did you expect to see?
Cucumber lib using an updated version of glob. > 9.0.0 without any vulnerabilities

📦 Which tool/library version are you using?
4.0.1

🔬 How could we reproduce it?
Steps to reproduce the behavior:

Install [email protected]
npm ls inflight
Observe that archiver-utils is dependent is [email protected] -> [email protected]

The walkdir method is susceptible to maximum call stack sized exceeded errors.

Calling walkdir on my root directory as follows:

var utils = require('archiver-utils');

utils.walkdir('/', function(err, data) {
console.log('done');
})

Results in:

536379 //this count is the number of times next() was called

/Users/loehrm1/code/rueltest/node_modules/archiver-utils/index.js:149
Array.prototype.push.apply(results, res);
^
RangeError: Maximum call stack size exceeded
at /Users/loehrm1/code/rueltest/node_modules/archiver-utils/index.js:149:34
at next (/Users/loehrm1/code/rueltest/node_modules/archiver-utils/index.js:134:16)
at /Users/loehrm1/code/rueltest/node_modules/archiver-utils/index.js:151:13
at next (/Users/loehrm1/code/rueltest/node_modules/archiver-utils/index.js:134:16)
at /Users/loehrm1/code/rueltest/node_modules/archiver-utils/index.js:155:11
at Object.oncomplete (fs.js:108:15)

The version [email protected] is use module inflight, this module do not update for 7 years, in order to fix the security issue CWE-772 need to upgrade glob version to 10.3.10, please help to upgrade.

Hey, I'm running into EMFILE on line 118 of index.js.
Would it be possible to include fs-extra, graceful-fs, or something to that effect instead of native fs?

Thanks.

https://www.npmjs.com/package/archiver-utils

See: https://www.huntr.dev/bounties/e4e1393c-d590-4492-9f43-8be3f3321629/

Please upgrade the glob dependency to at least version 7.2.1 (https://github.com/isaacs/node-glob/releases/tag/v7.2.1). Version 7.2.1 has updated the minimatch dependency from vulnerable version 3.0.4 to mitigated version 3.1.1.

isaacs/node-glob@73feafd#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L23

Here is my dependency resolution tree.

+-- [email protected]
| +-- [email protected]
| | `-- [email protected]
| |   `-- [email protected]  deduped
| `-- [email protected]
|   `-- [email protected]  deduped
`-- UNMET PEER DEPENDENCY [email protected]
  +-- @eslint/[email protected]
  | `-- [email protected]  deduped
  +-- @humanwhocodes/[email protected]
  | `-- [email protected]  deduped
  `-- [email protected]

Hello,

I'm using node-archiver quite happily but while doing my periodical dependency update procedure, I came across a transient dependency to [email protected] which is quite outdated as v4 has been out for quite some time.
This package quite justly depends on readable-stream@4 but also depends on lazystream@1 which is the one that brings in the outdated dependency to [email protected]
An issue already exists on the lazystream project (jpommerening/node-lazystream#7) but it seems that the project has been dormant for quite some time without any progress on an eventual transfer to a new home (jpommerening/node-lazystream#3 (comment))

Do you think it would be feasible to remove the dependency to lazystream by replacing it by something else, or integrating the functionality directly?

I am trying to archive a big file (around 3G) using npm archiver module. When I do, I run into following error message.

buffer.js:224
    throw err;
    ^

RangeError: "size" argument must not be larger than 2147483647
    at Function.Buffer.alloc (buffer.js:233:3)
    at new Buffer (buffer.js:156:19)
    at Readable.<anonymous> (/home/04040/hayashis/app/node-v8.12.0-linux-x64/lib/node_modules/brainlife/node_modules/archiver-utils/index.js:39:15)
    at emitNone (events.js:111:20)
    at Readable.emit (events.js:208:7)
    at endReadableNT (/home/04040/hayashis/app/node-v8.12.0-linux-x64/lib/node_modules/brainlife/node_modules/readable-stream/lib/_stream_readable.js:1010:12)
    at _combinedTickCallback (internal/process/next_tick.js:139:11)
    at process._tickCallback (internal/process/next_tick.js:181:9)

Looks like this function is dead code.

right now, archiver-utils depends on the full lodash module; by switching to the specialized lodash modules, we can reduce the overall node_module install size from 8.8MB to 4.2MB

When running the parent archiver utility the following warning is printed to the console:

[DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. 
Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. 

If the user doesn't have permission on a file/dir, utils.walkdir results in an Uncaught TypeError because res is null.

if (stats && stats.isDirectory()) {
  utils.walkdir(filepath, base, function(err, res) {
    res.forEach(function(dirEntry) {
      results.push(dirEntry);
    });
    next();
  });
}

The latest lodash.defaults on npmjs is 4.2.0 at https://www.npmjs.com/package/lodash.defaults, which was published about 4 years ago.

There are a couple of vulnerabilities relevant to [email protected] at

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Alodash&cpe_product=cpe%3A%2F%3Alodash%3Alodash&cpe_version=cpe%3A%2F%3Alodash%3Alodash%3A4.2.0

Please consider to depend on lodash, instead of the specialized ones that are out of publish actually.

Could you please remove or rename one of the "homepage" keys in the package.json. The duplicate keys are causing issues with some tooling we use. Thank you.