deleted file mode 100644
@@ -1,56 +0,0 @@
-From 22357494f424178cb416cdb7d93b26dd4f824b36 Mon Sep 17 00:00:00 2001
-From: Michael Aquilina <michaelaquilina@gmail.com>
-Date: Mon, 14 Jun 2021 12:28:46 +0100
-Subject: [PATCH] fix: Use a null prototype object for this.files
-
-This approach is taken to prevent overriding object methods that would
-exist on a normal object Object.create({})
-
-[Retrieved from:
-https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- lib/index.js | 5 ++++-
- lib/object.js | 6 +++---
- 2 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/lib/index.js b/lib/index.js
-index b449877..b4c95ba 100644
---- a/lib/index.js
-+++ b/lib/index.js
-@@ -19,7 +19,10 @@ function JSZip() {
- // "folder/" : {...},
- // "folder/data.txt" : {...}
- // }
-- this.files = {};
-+ // NOTE: we use a null prototype because we do not
-+ // want filenames like "toString" coming from a zip file
-+ // to overwrite methods and attributes in a normal Object.
-+ this.files = Object.create(null);
-
- this.comment = null;
-
-diff --git a/lib/object.js b/lib/object.js
-index 1c9d8e8..aec3db7 100644
---- a/lib/object.js
-+++ b/lib/object.js
-@@ -179,16 +179,16 @@ var out = {
- */
- forEach: function(cb) {
- var filename, relativePath, file;
-+ /* jshint ignore:start */
-+ // ignore warning about unwanted properties because this.files is a null prototype object
- for (filename in this.files) {
-- if (!this.files.hasOwnProperty(filename)) {
-- continue;
-- }
- file = this.files[filename];
- relativePath = filename.slice(this.root.length, filename.length);
- if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root
- cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn...
- }
- }
-+ /* jshint ignore:end */
- },
-
- /**
@@ -1,3 +1,3 @@
# Locally computed:
-sha256 e5343decfb781b15c54c0df9ddedd6c8518c800a4667a0a95741c694a4f38d34 jszip-3.2.2.tar.gz
-sha256 14450c78405ad2a2173e25740b56406556779149df9c4c83523a8c63d0686210 LICENSE.markdown
+sha256 aa3033c6bb5357a0b0965c92fbdb6d6abe64676e70ffa7933b63c573ab79ee45 jszip-3.10.0.tar.gz
+sha256 566c953c6090b1218ca6217dd7359d45dde46581968586dc607d59a78af6a9c4 LICENSE.markdown
@@ -4,15 +4,12 @@
#
################################################################################
-JSZIP_VERSION = 3.2.2
+JSZIP_VERSION = 3.10.0
JSZIP_SITE = $(call github,Stuk,jszip,v$(JSZIP_VERSION))
JSZIP_LICENSE = MIT or GPL-3.0
JSZIP_LICENSE_FILES = LICENSE.markdown
JSZIP_CPE_ID_VENDOR = jszip_project
-# 0001-fix-Use-a-null-prototype-object-for-this-files.patch
-JSZIP_IGNORE_CVES += CVE-2021-23413
-
define JSZIP_INSTALL_TARGET_CMDS
$(INSTALL) -m 0644 -D $(@D)/dist/jszip.min.js \
$(TARGET_DIR)/var/www/jszip/js/jszip.min.js
- Santize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. - Drop patch (already in version) - Update hash of license file (dual licensing clarification with https://github.com/Stuk/jszip/commit/f81c2d700d8e5fec4ed89fb565e4a266bb4dd26e) - Update indentation in hash file (two spaces) https://github.com/Stuk/jszip/blob/v3.10.0/CHANGES.md Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- ...null-prototype-object-for-this-files.patch | 56 ------------------- package/jszip/jszip.hash | 4 +- package/jszip/jszip.mk | 5 +- 3 files changed, 3 insertions(+), 62 deletions(-) delete mode 100644 package/jszip/0001-fix-Use-a-null-prototype-object-for-this-files.patch