decompress-secure
v4.3.0
Published
CommonJS drop-in replacement for the unmaintained decompress package, delegating to @xhmikosr/decompress (patched for CVE-2026-53486 / GHSA-mp2f-45pm-3cg9)
Maintainers
Readme
decompress-secure
CommonJS drop-in replacement for the unmaintained decompress package (all versions ≤ 4.2.1 are vulnerable to CVE-2026-53486 / GHSA-mp2f-45pm-3cg9 — archive extraction path traversal).
The advisory's remediation, @xhmikosr/decompress, is ESM-only. That crashes CommonJS consumers that require('decompress') at module load time (e.g. @cubejs-backend/shared) on Node runtimes without require(esm) support:
Error [ERR_REQUIRE_ESM]: require() of ES Module .../decompress/index.js ... not supported.This package keeps the entry point CommonJS and lazily loads the patched ESM fork via dynamic import() on first call. Same API contract: decompress(input, output?, options?) => Promise<File[]>.
Usage (npm overrides / yarn resolutions)
"overrides": {
"decompress": "npm:decompress-secure@^4.3.0"
},
"resolutions": {
"decompress": "npm:decompress-secure@^4.3.0"
}Versioned 4.3.0 to signal it is a drop-in for the decompress@^4.2.1 line.
