chore(deps): update dependency file-type to v21.3.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
file-type	21.3.0 → 21.3.1

GitHub Vulnerability Alerts

CVE-2026-31808

Impact

A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever.

Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.

Patches

Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.

Workarounds

Validate or limit the size of input buffers before passing them to file-type, or run file type detection in a worker thread with a timeout.

References

• Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f

Reporter

crnkovic@lokvica.com

---

Release Notes

sindresorhus/file-type (file-type)

v21.3.1

Compare Source

• Fix infinite loop in ASF parser on malformed input 319abf8

---

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.