Upgrade file-type from 19.3.0 to >=21.3.1 (GHSA-5v7r-6r5c-r473) #16072

@holdthez

Description

payload@3.80.0 pins file-type to 19.3.0, which is affected by GHSA-5v7r-6r5c-r473 — an infinite loop in the ASF parser triggered by malformed input with a zero-size sub-header.

The patched version is >=21.3.1. The latest stable is 22.0.0.

Impact

Any Payload project that accepts file uploads inherits this moderate-severity vulnerability as a transitive dependency. It shows up in npm audit / pnpm audit and cannot be resolved by consumers since Payload pins an exact version.

Affected files in Payload source

  • getFileByPath.ts
  • checkFileRestrictions.ts
  • generateFileData.ts
  • createImageSizes.ts
  • getFile.ts

Notes

The jump from 19.x to 21.x crosses two major versions. The export map changed (added explicit types/import/module-sync conditional exports and a ./node subpath), so some import adjustments may be needed. The core API (fileTypeFromBuffer, fileTypeFromStream, etc.) appears to persist.

A pnpm/npm override is risky because Payload pins the exact version rather than a range, so consumers can't safely work around this on their end.

Would it be possible to upgrade file-type to >=21.3.1 in a future release?
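Added example, not code from the issue author or from the Payload or file-type projects: a small dependency check that reads a package.json and reports whether its file-type spec is still inside the affected range (below the 21.3.1 floor named above) and whether it is an exact pin, which is what blocks a consumer-side override. The sample package.json is constructed to mirror the pin described in this issue; spec handling is limited to exact versions and simple ^/~ ranges.

```javascript
// Constructed sample mirroring the pin this issue reports (payload@3.80.0 -> file-type@19.3.0).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'payload',
  version: '3.80.0',
  dependencies: { 'file-type': '19.3.0' },
});

// First patched release per GHSA-5v7r-6r5c-r473, as stated in the issue.
const PATCHED_FLOOR = '21.3.1';

// Parse "MAJOR.MINOR.PATCH" (optional ^, ~ or = prefix ignored) into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~=]?v?(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns null when file-type is not a dependency; otherwise { spec, exactPin, vulnerable }.
// vulnerable is true/false when the spec decides it, or null when only the resolved
// (lockfile) version can tell, e.g. a caret range that straddles the patched floor.
function auditFileType(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const spec = pkg[section]?.['file-type'];
    if (!spec) continue;
    const trimmed = spec.trim();
    const exactPin = /^\d/.test(trimmed); // no range operator: consumers cannot move it
    const lower = parseVersion(trimmed);
    if (!lower) return { spec, exactPin, vulnerable: null }; // complex range: use a semver library
    const floor = parseVersion(PATCHED_FLOOR);
    if (exactPin) return { spec, exactPin, vulnerable: compareVersions(lower, floor) < 0 };
    if (compareVersions(lower, floor) >= 0) return { spec, exactPin, vulnerable: false };
    // A ^ range stays within its major, a ~ range within its minor, so older ones can never reach 21.3.1.
    if (trimmed[0] === '^' && lower[0] < floor[0]) return { spec, exactPin, vulnerable: true };
    if (trimmed[0] === '~' && (lower[0] < floor[0] || lower[1] < floor[1])) return { spec, exactPin, vulnerable: true };
    return { spec, exactPin, vulnerable: null };
  }
  return null;
}

console.log(auditFileType(SAMPLE_PACKAGE_JSON)); // { spec: '19.3.0', exactPin: true, vulnerable: true }
```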
