Description
payload@3.80.0 pins file-type to 19.3.0, which is affected by GHSA-5v7r-6r5c-r473 — an infinite loop in the ASF parser triggered by malformed input with a zero-size sub-header.
The patched version is >=21.3.1. The latest stable is 22.0.0.
Impact
Any Payload project that accepts file uploads inherits this moderate-severity vulnerability through a transitive dependency. It shows up in npm audit / pnpm audit and cannot be resolved by consumers, since Payload pins an exact version.
Affected files in Payload source
- getFileByPath.ts
- checkFileRestrictions.ts
- generateFileData.ts
- createImageSizes.ts
- getFile.ts
Notes
The jump from 19.x to 21.x crosses two major versions. The export map changed (explicit types/import/module-sync conditional exports and a ./node subpath were added), so some import adjustments may be needed. The core API (fileTypeFromBuffer, fileTypeFromStream, etc.) appears to be unchanged.
A pnpm/npm override is risky because Payload pins the exact version rather than a range, so consumers can't safely work around this on their end.
Would it be possible to upgrade file-type to >=21.3.1 in a future release?
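For consumers who want to confirm which copy of file-type an audit is flagging and which package pins it (the Impact and Notes sections above), the script below walks an npm lockfile and reports every installed copy below the patched version. It is an added example, not code from this issue, from Payload or from the file-type project; the lockfile embedded in it is constructed for illustration, the affected range (anything below 21.3.1) is taken from the advisory as quoted above, and the function names are the example's own.

```javascript
// Added example: find every installed copy of file-type in an npm lockfile
// (lockfileVersion 2 or 3), including copies nested under a dependency such
// as payload, and report those below the patched version.

// Patched version from GHSA-5v7r-6r5c-r473 as quoted in the issue; lower versions are affected.
const PATCHED_VERSION = "21.3.1";
const PACKAGE_NAME = "file-type";

// Parse "major.minor.patch" into numbers. A pre-release suffix such as
// "-beta.1" is dropped, which is sufficient for a lower-bound check.
function parseVersion(v) {
  const [core] = String(v).replace(/^[v=^~]/, "").split("-");
  const parts = core.split(".").map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Walk the "packages" map of a parsed package-lock.json. Keys are install
// paths like "node_modules/payload/node_modules/file-type"; the package
// directory before the last "node_modules" segment is the one that pins this copy.
function findVulnerableCopies(lock) {
  const packages = lock.packages || {};
  const suffix = `node_modules/${PACKAGE_NAME}`;
  const findings = [];
  for (const [installPath, entry] of Object.entries(packages)) {
    if (!installPath.endsWith(suffix)) continue;
    const version = entry.version;
    if (!version || !isVulnerable(version)) continue;
    const parentPath = installPath.slice(0, -suffix.length).replace(/\/$/, "");
    const pinnedBy = parentPath === "" ? "(root project)" : parentPath.split("node_modules/").pop();
    findings.push({ installPath, version, pinnedBy });
  }
  return findings;
}

// Constructed sample lockfile: the root project depends on a patched
// file-type, but payload@3.80.0 pins its own nested copy of 19.3.0.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { payload: "3.80.0", "file-type": "^22.0.0" } },
    "node_modules/file-type": { version: "22.0.0" },
    "node_modules/payload": { version: "3.80.0", dependencies: { "file-type": "19.3.0" } },
    "node_modules/payload/node_modules/file-type": { version: "19.3.0" },
  },
};

// Usage: `node check-file-type.js [path/to/package-lock.json]`; with no
// argument the constructed sample lockfile above is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  const findings = findVulnerableCopies(lock);
  if (findings.length === 0) {
    console.log(`no ${PACKAGE_NAME} copies below ${PATCHED_VERSION} found`);
  }
  for (const f of findings) {
    console.log(`${f.installPath}: ${PACKAGE_NAME}@${f.version} (pinned by ${f.pinnedBy}) is below ${PATCHED_VERSION}`);
  }
  process.exitCode = findings.length === 0 ? 0 : 1;
}
```

The non-zero exit code makes the script usable as a CI gate until an upstream release moves the pin; because the report names the pinning package, it also shows at a glance that the affected copy is nested under payload rather than something the root project's own range can fix.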