fix(deps): update dependency file-type to v21 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
file-type	^20.0.0 → ^21.0.0

GitHub Vulnerability Alerts

CVE-2026-31808

Impact

A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever.

Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.

Patches

Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

Workarounds

Validate or limit the size of input buffers before passing them to file-type, or run file type detection in a worker thread with a timeout.

References

• Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

Reporter

crnkovic@lokvica.com

---

Release Notes

sindresorhus/file-type (file-type)

v21.3.1

Compare Source

• Fix infinite loop in ASF parser on malformed input 319abf8

---

v21.3.0

Compare Source

• Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#​779) d223491

---

v21.2.0

Compare Source

• Add support for SPSS data files (#​787) 889f638
• Add support for JMP (#​784) 093dba0

---

v21.1.1

Compare Source

• Fix handling of partial Gunzip file (#​783) 710e053

---

v21.1.0

Compare Source

• Add support for .tar.gz (gunzipped tarball file) (#​763) eda03a7
• Add support for Windows registry (.reg) files 0db61ec 7d2ddcf
• Add support for Windows registry hive file (.dat) (#​767) f8d62be
• Fix: Handle partial unzip (#​773) 7ad3a90

---

v21.0.0

Compare Source

Breaking

• Require Node.js 20 24aec1f
• Drop Adobe Illustrator (.ai) detection support (#​743) af169f3
• Correct Matroska (video) MIME-type to formal IANA registration (#​753) f53f5ff
• Correct FLAC MIME-type to formal IANA registration (#​755) b9fda36
• Correct Apache Parquet MIME-type to formal IANA registration (#​748) 98e3f8e
• Correct Apache Arrow MIME-type to formal IANA registration (#​754) 7184775

Improvements

• Allow options to be directly passed to exported functions (#​752) d264029
• Add mpegOffsetTolerance option (#​646) c40840a

Fixes

• Fix detection of some PAX TAR formats (#​762) 574d0d6

---

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying graph-tooling with    Cloudflare Pages

Latest commit:	3baddad
Status:	✅  Deploy successful!
Preview URL:	https://fd7ba3ba.graph-tooling.pages.dev
Branch Preview URL:	https://renovate-npm-file-type-vulne.graph-tooling.pages.dev

View logs

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3baddad

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR