exarch-rs 0.2.8 → 0.2.9

package/README.md

@@ -8,7 +8,7 @@
 
 Memory-safe archive extraction and creation library for Node.js.
 
-> **Important:** exarch is designed as a secure replacement for vulnerable archive libraries like `tar-fs`, which has known CVEs with CVSS scores up to 9.4.
+**Important:** exarch is designed as a secure replacement for vulnerable archive libraries like `tar-fs`, which has known CVEs with CVSS scores up to 9.4.
 
 This package provides Node.js bindings for [exarch-core](../exarch-core), a Rust library with built-in protection against common archive vulnerabilities.
 
@@ -28,7 +28,7 @@ pnpm add exarch-rs
 bun add exarch-rs
 ```
 
-> **Note:** This package includes TypeScript definitions. No need for separate `@types` package.
+**Note:** This package includes TypeScript definitions. No need for a separate `@types` package.
 
 ## Requirements
 
@@ -79,7 +79,7 @@ const result = extractArchiveSync('archive.tar.gz', '/output/path');
 console.log(`Extracted ${result.filesExtracted} files`);
 ```
 
-> **Tip:** Prefer the async API to avoid blocking the event loop during extraction.
+**Tip:** Prefer the async API to avoid blocking the event loop during extraction.
 
 ### ES Modules
 
@@ -151,9 +151,13 @@ Synchronous version. Blocks the event loop until extraction completes.
 
 ```typescript
 interface ExtractionReport {
-  filesExtracted: number;  // Number of files extracted
-  bytesWritten: number;    // Total bytes written
-  durationMs: number;      // Extraction duration in milliseconds
+  filesExtracted: number;     // Number of files extracted
+  directoriesCreated: number; // Number of directories created
+  symlinksCreated: number;    // Number of symlinks created
+  bytesWritten: number;       // Total bytes written
+  durationMs: number;         // Extraction duration in milliseconds
+  filesSkipped: number;       // Files skipped (e.g. duplicates)
+  warnings: string[];         // Warning messages from extraction
 }
 ```
 
@@ -163,10 +167,11 @@ Builder-style security configuration.
 
 ```typescript
 const config = new SecurityConfig()
-  .maxFileSize(bytes)       // Max size per file
-  .maxTotalSize(bytes)      // Max total extraction size
-  .maxFileCount(count)      // Max number of files
-  .maxCompressionRatio(n);  // Max compression ratio (zip bomb detection)
+  .maxFileSize(bytes)              // Max size per file
+  .maxTotalSize(bytes)             // Max total extraction size
+  .maxFileCount(count)             // Max number of files
+  .maxCompressionRatio(n)          // Max compression ratio (zip bomb detection)
+  .setAllowSolidArchives(true);    // Allow solid 7z archives (default: false)
 ```
 
 ## Security Features
@@ -182,21 +187,21 @@ The library provides built-in protection against:
 | Permission sanitization | Strips setuid/setgid bits |
 | Size limits | Enforces file and total size limits |
 
-> **Caution:** Unlike many Node.js archive libraries, exarch applies security validation by default.
+**Caution:** Unlike many Node.js archive libraries, exarch applies security validation by default.
 
 ## Supported Formats
 
-| Format | Extensions | Extract | Create |
-|--------|------------|:-------:|:------:|
-| TAR | `.tar` | ✅ | ✅ |
-| TAR+GZIP | `.tar.gz`, `.tgz` | ✅ | ✅ |
-| TAR+BZIP2 | `.tar.bz2`, `.tbz2` | ✅ | ✅ |
-| TAR+XZ | `.tar.xz`, `.txz` | ✅ | ✅ |
-| TAR+ZSTD | `.tar.zst`, `.tzst` | ✅ | ✅ |
-| ZIP | `.zip` | ✅ | ✅ |
-| 7z | `.7z` | ✅ | — |
-
-> **Note:** 7z creation is not yet supported. Solid and encrypted 7z archives are rejected for security reasons.
+| Format | Extensions | Extract | Create | List | Verify |
+|--------|------------|:-------:|:------:|:----:|:------:|
+| TAR | `.tar` | ✅ | ✅ | ✅ | ✅ |
+| TAR+GZIP | `.tar.gz`, `.tgz` | ✅ | ✅ | ✅ | ✅ |
+| TAR+BZIP2 | `.tar.bz2`, `.tbz2` | ✅ | ✅ | ✅ | ✅ |
+| TAR+XZ | `.tar.xz`, `.txz` | ✅ | ✅ | ✅ | ✅ |
+| TAR+ZSTD | `.tar.zst`, `.tzst` | ✅ | ✅ | ✅ | ✅ |
+| ZIP | `.zip` | ✅ | ✅ | ✅ | ✅ |
+| 7z | `.7z` | ✅ | — | ✅ | ✅ |
+
+**Note:** 7z creation is not yet supported. Solid and encrypted 7z archives are rejected for security reasons. Unix symlinks inside 7z archives are reported as regular files (sevenz-rust2 API limitation).
 
 ## Comparison with tar-fs
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "exarch-rs",
-  "version": "0.2.8",
+  "version": "0.2.9",
   "description": "Memory-safe archive extraction library with built-in security validation",
   "main": "index.js",
   "types": "index.d.ts",

package/src/config.rs

@@ -160,6 +160,17 @@ impl SecurityConfig {
         self
     }
 
+    /// Allows or denies solid 7z archives.
+    ///
+    /// Solid archives require reading all preceding entries to decompress any
+    /// entry, which may allow a crafted archive to consume excessive
+    /// memory. Disabled by default.
+    #[napi(js_name = "setAllowSolidArchives")]
+    pub fn set_allow_solid_archives(&mut self, allow: Option<bool>) -> &Self {
+        self.inner.allow_solid_archives = allow.unwrap_or(true);
+        self
+    }
+
     /// Sets whether to preserve permissions from archive.
     #[napi(js_name = "setPreservePermissions")]
     pub fn set_preserve_permissions(&mut self, preserve: Option<bool>) -> &Self {