chore(deps): update dependency yauzl to v3.2.1 [security] #476

Merged: renovate[bot] merged 1 commit into develop from renovate/npm-yauzl-vulnerability on Mar 14, 2026

@renovate renovate Bot commented Mar 14, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| yauzl | 3.2.0 → 3.2.1 | age | confidence |

GitHub Vulnerability Alerts

CVE-2026-31988

yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.


Release Notes

thejoshwolfe/yauzl (yauzl)

v3.2.1


Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
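
The off-by-one described in the advisory text above, as an added example that is not yauzl's source and not part of this PR: a simplified model of the NTFS extra-field walk, run with both loop conditions against constructed buffers. The function names and sample buffers are assumptions made for illustration.

```javascript
// Added illustration, not yauzl's source: a simplified walk over the NTFS
// (0x000a) extra field. All names and sample buffers here are constructed.

// Skip the 4 reserved bytes, then walk tag/size attribute records and return
// the mtime FILETIME (BigInt) from attribute tag 0x0001, or null if absent.
function walkNtfsExtra(data, headerFits) {
  let cursor = 4;
  while (headerFits(cursor, data)) {
    const tag = data.readUInt16LE(cursor);
    const size = data.readUInt16LE(cursor + 2);
    cursor += 4;
    if (tag === 0x0001 && size >= 8 && cursor + size <= data.length) {
      return data.readBigUInt64LE(cursor);
    }
    cursor += size;
  }
  return null;
}

// Condition the advisory quotes for 3.2.0: still true when fewer than 4 bytes
// remain, so readUInt16LE() is asked to read past the end of the buffer.
const flawedCheck = (cursor, data) => cursor < data.length + 4;
// Condition the advisory gives as correct: the full 4-byte header must fit.
const fixedCheck = (cursor, data) => cursor + 4 <= data.length;

// Run the walk and report either the result or the error code thrown.
function tryParse(data, check) {
  try {
    return { ok: true, mtime: walkNtfsExtra(data, check) };
  } catch (err) {
    return { ok: false, code: err.code };
  }
}

// Constructed input: reserved bytes plus one complete 24-byte 0x0001 attribute.
function wellFormed() {
  const buf = Buffer.alloc(4 + 4 + 24);
  buf.writeUInt16LE(0x0001, 4);
  buf.writeUInt16LE(24, 6);
  buf.writeBigUInt64LE(132000000000000000n, 8);
  return buf;
}
// Constructed input: reserved bytes followed by only half an attribute header.
const truncated = Buffer.alloc(6);

console.log('flawed:', tryParse(truncated, flawedCheck));
console.log('fixed: ', tryParse(truncated, fixedCheck));
```

An uncaught exception of this kind inside a request handler is what turns a short extra field into a process crash, so code that reads metadata from untrusted archives should also wrap those calls in its own error handling.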

@renovate renovate Bot requested a review from a team as a code owner March 14, 2026 06:07
renovate Bot commented Mar 14, 2026

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

github-actions Bot commented Mar 14, 2026

Test report for task-herder

28 tests  ±0   28 ✅ ±0   0s ⏱️ ±0s
 7 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 208ebbd. ± Comparison against base commit b1b3eae.

♻️ This comment has been updated with latest results.

github-actions Bot commented Mar 14, 2026

Test report for scratch-svg-renderer

  1 files  ±0   60 suites  ±0   0s ⏱️ ±0s
124 tests ±0  124 ✅ ±0  0 💤 ±0  0 ❌ ±0 
276 runs  ±0  275 ✅ ±0  1 💤 ±0  0 ❌ ±0 

Results for commit 208ebbd. ± Comparison against base commit b1b3eae.

♻️ This comment has been updated with latest results.

github-actions Bot commented Mar 14, 2026

Test report for scratch-render

  1 files  ±0   55 suites  ±0   2s ⏱️ ±0s
209 tests ±0  209 ✅ ±0  0 💤 ±0  0 ❌ ±0 
279 runs  ±0  279 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 208ebbd. ± Comparison against base commit b1b3eae.

♻️ This comment has been updated with latest results.

github-actions Bot commented Mar 14, 2026

Test report for scratch-gui

  2 files  ±0   62 suites  ±0   9m 41s ⏱️ -37s
397 tests ±0  389 ✅ ±0  8 💤 ±0  0 ❌ ±0 
415 runs  ±0  407 ✅ ±0  8 💤 ±0  0 ❌ ±0 

Results for commit 208ebbd. ± Comparison against base commit b1b3eae.

♻️ This comment has been updated with latest results.

github-actions Bot commented Mar 14, 2026

Test report for scratch-vm

    1 files  ±0    768 suites  ±0   1m 42s ⏱️ -2s
1 682 tests ±0  1 682 ✅ ±0   0 💤 ±0  0 ❌ ±0 
4 866 runs  ±0  4 836 ✅ ±0  30 💤 ±0  0 ❌ ±0 

Results for commit 208ebbd. ± Comparison against base commit b1b3eae.

♻️ This comment has been updated with latest results.

@renovate renovate Bot force-pushed the renovate/npm-yauzl-vulnerability branch 2 times, most recently from 415532d to a6f22d1 Compare March 14, 2026 07:11
@renovate renovate Bot force-pushed the renovate/npm-yauzl-vulnerability branch from a6f22d1 to 208ebbd Compare March 14, 2026 07:16
@renovate renovate Bot merged commit 303b968 into develop Mar 14, 2026
23 checks passed
@renovate renovate Bot deleted the renovate/npm-yauzl-vulnerability branch March 14, 2026 07:36
@github-actions github-actions Bot locked and limited conversation to collaborators Mar 14, 2026