Replace deprecated unzipper with jszip

[johannesrue]

Unzipper uses deprecated module fstream (https://www.npmjs.com/package/fstream ZJONSSON/node-unzipper#261), therefore we should replace it with jszip.

I will create a pull request to fix this deprecated dependency.

[christian-bromann]

Unzipper uses deprecated module fstream

What is the impact for users here?

I am hesitating a bit to switch to jszip as it hasn't seen any contributions for 2 years while unzipper still seems to be actively maintained.

[johannesrue]

What is the impact for users here?

There are already several documented vulnerabilities in the transitive dependencies of fstream: ZJONSSON/node-unzipper#261

The fstream package is officially marked as deprecated, so there is no maintenance ongoing anymore.

We use npm audit in our deployment process, so that's why we came across this. Another way would be to replace fstream with something else in unzipper, but it seemed easier to me to use another zip tool in the first place.

Actually you're right, jszip is probably not maintained much better. At least there are no known CVE or deprecations in its current dependency tree.

Do you have another suggestion how to deal with the deprecation of fstream?

[johannesrue]

https://gildas-lormeau.github.io/zip.js/ might be a good option. I could provide another MR using that too.

[johannesrue]

Another option using a C library compiled to wasm: https://github.com/nika-begiashvili/libarchivejs/tree/master

[christian-bromann]

gildas-lormeau.github.io/zip.js might be a good option. I could provide another MR using that too.

I think this is a great option. Can we migrate to this package?

[johannesrue]

gildas-lormeau.github.io/zip.js might be a good option. I could provide another MR using that too.

I think this is a great option. Can we migrate to this package?

Yes, i will do that in the next few days.

[christian-bromann]

Thanks @johannesrue for taking a stab at this.