Full Changelog: v0.5.18...v0.6.0
This release fixes a security vulnerability (CVE-2026-39244), resolves several long-standing bugs, ships built-in TypeScript types, and includes two behavior changes worth reading before you upgrade.
- extractEntryTo(dirEntry, target, maintainEntryPath = false) now preserves subdirectories instead of flattening files into the target folder by basename (which also silently overwrote same-named files). (#306)
- Extraction no longer fails when the modification time can't be set — utimes is now best-effort. (#379)
- Minimum Node.js is now 14 (the code already required it; engines was incorrectly >=12).
- CVE-2026-39244 — a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc and OOM the process; allocation is now bounded by the data actually present. Reported by Daniel Púa (devploit), Anh Hong, and José Antonio Zamudio Amaya. (#568)
- Hardened entry-name lookup against object injection (proto names). Prototype-less table.
- Data-descriptor regression rejecting valid archives (#548, #533, #554)
- Directory permissions not restored on extract (#530)
- Infinite recursion on symlink loops in addLocalFolder (#541)
- Uncaught process crash in writeFileToAsync on write failure (#470, #459, #402)
- Empty name on directory entries (#466)
- test() always returned false for archives with files
- ~6× faster entry sorting for large archives
- Built-in TypeScript definitions (types.d.ts) — you can drop @types/adm-zip