fix(deps): update dependency music-metadata to v11 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
music-metadata	10.7.0 → 11.12.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-32256

Summary

music-metadata's ASF parser (parseExtensionObject() in lib/asf/AsfParser.ts:112-158) enters an infinite loop when a sub-object inside the ASF Header Extension Object has objectSize = 0.

Root Cause

When objectSize is 0:

1. remaining = 0 - 24 = -24
2. tokenizer.ignore(-24) moves the read position backward by 24 bytes
3. extensionSize -= 0 (loop counter never decreases)
4. while (extensionSize > 0) never exits
5. The same 24-byte header is re-read infinitely

This is the same pattern as CVE-2026-31808 (GHSA-5v7r-6r5c-r473) in file-type — strtok3's AbstractTokenizer.ignore() accepts negative values without validation.

Affected Methods

• parseFile() — HANGS (FileTokenizer inherits vulnerable ignore())
• parseBuffer() — HANGS (BufferTokenizer inherits vulnerable ignore())
• parseStream() — NOT affected (ReadStreamTokenizer has own ignore() that throws RangeError)

Impact

A 100-byte crafted .asf file permanently hangs any application using parseFile() or parseBuffer(). music-metadata has 2.2M weekly npm downloads.

Suggested Fix

Validate objectSize >= minimumHeaderSize before calculating the payload. Or fix strtok3's AbstractTokenizer.ignore() to reject negative values.

---

Release Notes

Borewit/music-metadata (music-metadata)

v11.12.3

Compare Source

Changes

🐛 Bug Fixes

• Fix TypeScript decleration inclusion @​Borewit (#​2608)

📦 NPM release

NPM release: music-metadata@11.12.3

v11.12.2

Compare Source

⚠️ This release is missing TypeScript declarations, use v11.12.3 instead.

Changes

• ⚠️ Fix CWE-85 by avoiding infinite loop in ASF @​Borewit (#​2605)

🐛 Bug Fixes

• Map .wma and .wmv. extension to AsfParser @​Borewit (#​2601)

⬆️ Dependencies

• Bump @​borewit/text-codec from 0.2.1 to 0.2.2 @​dependabot (#​2602)

📦 NPM release

NPM release: music-metadata@11.12.2

v11.12.1

Compare Source

Changes

🐛 Bug Fixes

• Fix miscalculation Ogg/Vorbis, duration miscalculation @​Borewit (#​2583)

📦 NPM release

NPM release: music-metadata@11.12.1

v11.12.0

Compare Source

Changes

🚀 Enhancements

• feat: Add support for multiple albumartists @​ma225tq (#​2577)

📦 NPM release

NPM release: music-metadata@11.12.0

v11.11.2

Compare Source

Changes

🎨 Improvements

• #​2574: add support for iTunes ID3v2.2 tag with the 'GP1' frame for 'grouping' @​glebrock (#​2575)

⬆️ Dependencies

• Bump win-guid from 0.2.0 to 0.2.1 @​dependabot (#​2573)
• Bump tar from 7.5.6 to 7.5.7 @​dependabot (#​2572)

📦 NPM release

NPM release: music-metadata@11.11.2

v11.11.1

Compare Source

Changes

🐛 Bug Fixes

• Fix(id3v2): prevent crash when no tag frames present @​Borewit (#​2569)

📦 NPM release

NPM release: music-metadata@11.11.1

v11.11.0

Compare Source

Changes

🚀 Enhancements

• Implement ID3v2 chapter support @​Borewit (#​2560)

⬆️ Dependencies

• Bump win-guid from 0.1.3 to 0.2.0 @​dependabot (#​2564)

📦 NPM release

NPM release: music-metadata@11.11.0

v11.10.6

Compare Source

Changes

🔧 Under the hood

• Depend on win-guid for Windows GUID conversion @​Borewit (#​2562)
• Fix small code smalls, update Biome to 2.3.11 @​Borewit (#​2559)

⬆️ Dependencies

• Bump file-type from 21.2.0 to 21.3.0 @​dependabot (#​2557)

📦 NPM release

NPM release: music-metadata@11.10.6

v11.10.5

Compare Source

Changes

🔧 Under the hood

• Improve mp3 code @​Borewit (#​2558)

📦 NPM release

NPM release: music-metadata@11.10.5

v11.10.4

Compare Source

Changes

⬆️ Dependencies

• Bump token-types from 6.1.1 to 6.1.2 @​dependabot (#​2554)
• Bump @​borewit/text-codec from 0.2.0 to 0.2.1 @​dependabot (#​2550), resolving #​2546
• Bump file-type from 21.1.1 to 21.2.0 @​dependabot (#​2549)

📦 NPM release

NPM release: music-metadata@11.10.4

v11.10.3

Compare Source

Changes

🔧 Under the hood

• Improve MP4 bitrate calculation @​Borewit (#​2541)

📦 NPM release

NPM release: music-metadata@11.10.3

v11.10.2

Compare Source

Changes

🐛 Bug Fixes

• Fix bitrate calculation over multiple mdat boxes @​Borewit (#​2536)

⬆️ Dependencies

• Bump glob from 10.4.5 to 10.5.0 @​dependabot (#​2539)
• Bump file-type from 21.1.0 to 21.1.1 @​dependabot (#​2540)

📦 NPM release

NPM release: music-metadata@11.10.2

v11.10.1

Compare Source

Changes

• Fix Ogg/Opus duration calculation. @​Borewit (#​2533)

⬆️ Dependencies

• Bump js-yaml from 4.1.0 to 4.1.1 @​dependabot (#​2532)
• Bump file-type from 21.0.0 to 21.1.0 @​dependabot (#​2528)

📦 NPM release

NPM release: music-metadata@11.10.1

v11.10.0

Compare Source

Changes

🚀 Enhancements

• Add support for vorbis unsynced lyrics @​gerald-lbn (#​2489)
• Add support Apple’s QuickTime File Format @​Borewit (#​2509)

📝 Documentation

• Document includeChapters option @​Borewit (#​2511)

📦 NPM release

NPM release: music-metadata@11.10.0

v11.9.0

Compare Source

Changes

🎨 Improvements

• Map Vorbis.ENCODER and Vorbis VORBIS_COMMENT vendor to common.tool @​Borewit (#​2502)

🐛 Bug Fixes

• Support variable length PCNT and POPM numeric values. @​Borewit (#​2505)

🔧 Under the hood

• Favor subarray over slice, reusing instead of copying data @​Borewit (#​2504)

⬆️ Dependencies

• Bump debug from 4.4.1 to 4.4.3 @​dependabot (#​2500)
• Bump uint8array-extras from 1.4.1 to 1.5.0 @​dependabot (#​2488)

📦 NPM release

NPM release: music-metadata@11.9.0

v11.8.3

Compare Source

Changes

🐛 Bug Fixes

• Fix missing uint8array-extras dependency @​Borewit (#​2484)

⬆️ Dependencies

• Bump @​borewit/text-codec from 0.1.0 to 0.2.0 @​dependabot (#​2480)
• Bump uint8array-extras from 1.4.0 to 1.4.1 @​dependabot (#​2476)

📦 NPM release

NPM release: music-metadata@11.8.3

v11.8.2

Compare Source

Changes

🔧 Under the hood

• Replace @kayahr/text-encoding with @borewit/text-codec @​Borewit (#​2478)

📦 NPM release

NPM release: music-metadata@11.8.2

v11.8.1

Compare Source

Changes

🔧 Under the hood

• Remove uint8array-extras dependency @​Borewit (#​2477)

📦 NPM release

NPM release: music-metadata@11.8.1

v11.8.0

Compare Source

Changes

🎨 Improvements

• Use @kayahr/text-encoding for decoding @​Borewit (#​2475)

📦 NPM release

NPM release: music-metadata@11.8.0

v11.7.3

Compare Source

v11.7.2

Compare Source

Changes

🔧 Under the hood

• Prevent including source map references in distribution @​Borewit (#​2468)

📦 NPM release

NPM release: music-metadata@11.7.2

v11.7.1

Compare Source

Changes

🐛 Bug Fixes

• Fix peek Ogg radio streams @​Borewit (#​2463)

📦 NPM release

NPM release: music-metadata@11.7.1

v11.7.0

Compare Source

Changes

🎨 Improvements

• Use strtok3.parseBlob() @​Borewit (#​2460)

⬆️ Dependencies

• Bump strtok3 from 10.3.1 to 10.3.2 @​dependabot (#​2458)

📦 NPM release

NPM release: music-metadata@11.7.0

v11.6.1

Compare Source

Changes

🔧 Under the hood

• Implement handling multiple Ogg sub streams @​Borewit (#​2453)

📦 NPM release

NPM release: music-metadata@11.6.0

v11.6.0

Compare Source

⚠️ Release out of sync with version, use v11.6.1 instead.

v11.5.0

Compare Source

Changes

🚀 Enhancements

• Indicate on every media file if it contains an audio and/or video stream @​Borewit (#​2452)

🔧 Under the hood

• Optimize efficiency ordering tags @​Borewit (#​2450)

⬆️ Dependencies

• Bump token-types from 6.0.1 to 6.0.3 @​dependabot (#​2451)
• Bump token-types from 6.0.0 to 6.0.1 @​dependabot (#​2446)

📦 NPM release

NPM release: music-metadata@11.5.0

v11.4.0

Compare Source

Changes

🎨 Improvements

• Add support for MP4 fragments @​Borewit (#​2444)

📦 NPM release

NPM release: music-metadata@11.4.0

v11.3.0

Compare Source

Changes

🎨 Improvements

• Add more timestamps format support for lrc @​wizcheu (#​2432)
• Be able to auto-detect MPEG frames, starting at slightly incorrect offset @​Borewit (#​2424)

⬆️ Dependencies

• Bump strtok3 from 10.3.0 to 10.3.1 @​dependabot (#​2429)
• Update dependency strtok3 v10.3.0 @​Borewit (#​2428)

📦 NPM release

NPM release: music-metadata@11.3.0

v11.2.3

Compare Source

Changes

• Fix repo URL in package.json: 0a4edcb

📦 NPM release

NPM release: music-metadata@11.2.3

v11.2.2

Compare Source

Changes

• Fix typo in docs @​charliethompson217 (#​2405)

🐛 Bug Fixes

• Add missing MIME-type video/matroska @​Borewit (#​2412)

⬆️ Dependencies

• Bump debug from 4.4.0 to 4.4.1 @​dependabot (#​2411)
• Bump file-type from 20.4.1 to 20.5.0 @​dependabot (#​2403)

📦 NPM release

NPM release: music-metadata@11.2.2

v11.2.1

Compare Source

Changes

🐛 Bug Fixes

• Remove unused dependency link @​Borewit (#​2398)

📝 Documentation

• Document node16 or nodenext to enable dynamic import @​Borewit (#​2400)

📦 NPM release

NPM release: music-metadata@11.2.1

v11.2.0

Compare Source

Changes

🚀 Enhancements

• Add chapter.start & chapter.timescale @​jigzahoy (#​731)

⬆️ Dependencies

• Bump file-type from 19.6.0 to 20.4.1 @​dependabot (#​2379)

📦 NPM release

NPM release: music-metadata@11.2.0

v11.1.1

Compare Source

Changes

🎨 Improvements

• Workaround for TypeScript, importing parseStream @​Borewit (#​2395)
• Export errors @​Borewit (#​2394)

📦 NPM release

NPM release: music-metadata@11.1.1

v11.1.0

Compare Source

Changes

🚀 Enhancements

• Move supported MIME-types declaration to parser implementations @​Borewit (#​2392)

📦 NPM release

NPM release: music-metadata@11.1.0

v11.0.5

Compare Source

Changes

• Fix repository URL e74d077

📦 NPM release

NPM release: music-metadata@11.0.5

v11.0.4

Compare Source

Changes

🎨 Improvements

• Improve error handling in case the file is not supported @​Borewit (#​2389)

📦 NPM release

NPM release: music-metadata@11.0.4

v11.0.3

Compare Source

Changes

🎨 Improvements

• feat: add sideEffects false to package.json @​minht11 (#​2385)

🔧 Under the hood

• chore: set default value for commonTags @​minht11 (#​2386)
• refactor: parser load fn returns class instead of instance @​minht11 (#​2384)
• refactor: enable erasableSyntaxOnly/remove enum usage @​minht11 (#​2383)

📦 NPM release

NPM release: music-metadata@11.0.3

v11.0.2

Compare Source

Changes

🎨 Improvements

• Workaround for TypeScript bundler node-resolution @​Borewit (#​2378)

📦 NPM release

NPM release: music-metadata@11.0.2

v11.0.1

Compare Source

Changes

⬆️ Dependencies

• Bump strtok3 from 10.2.1 to 10.2.2 @​dependabot (#​2377)

📝 Documentation

• Add FAQ: Using music-metadata with TypeScript and module-resolution set to bundler. @​Borewit (#​2375)

📦 NPM release

NPM release: music-metadata@11.0.1

v11.0.0

Compare Source

Changes

💥 API Changes

• Remove CommonJS entry point @​Borewit (#​2361)

📦 NPM release

NPM release: music-metadata@11.0.0

v10.9.1

Compare Source

Changes

🐛 Bug Fixes

• Fix bug in "module-sync" default entry point @​Borewit (#​2360)

🔧 Under the hood

• Simplify exports in package.json @​Borewit (#​2359)

📦 NPM release

NPM release: music-metadata@10.9.1

v10.9.0

Compare Source

Changes

🎨 Improvements

• Exports module-sync @​Borewit (#​2354)

📦 NPM release

NPM release: music-metadata@10.9.0

v10.8.3

Compare Source

Changes

⬆️ Dependencies

• Bump strtok3 from 10.2.0 to 10.2.1 @​dependabot (#​2353)

📦 NPM release

NPM release: music-metadata@10.8.3

v10.8.2

Compare Source

Changes

⬆️ Dependencies

• Update strtok3 to version 10.2.0. @​Borewit (#​2347)

📦 NPM release

NPM release: music-metadata@10.8.2

v10.8.1

Compare Source

Changes

⬆️ Dependencies

• Update strtok3 dependency to ^10.1.2 @​Borewit (#​2345)

📦 NPM release

NPM release: music-metadata@10.8.1

v10.8.0

Compare Source

Changes

🐛 Bug Fixes

• Fix tokenizer closure @​Borewit (#​2341)

⬆️ Dependencies

• Update to strtok3 to 10.1 using default Reader instead of BYOB @​Borewit (#​2329)

📦 NPM release

NPM release: music-metadata@10.8.0

v10.7.1

Compare Source

Changes

🐛 Bug Fixes

• Fix size in 'stst' box and handle sample description entry @​Borewit (#​2340)

NPM release

NPM release: music-metadata@10.7.1

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.