file-type 21.3.0 → 21.3.2

package/index.js

@@ -5,13 +5,37 @@ Node.js specific entry point.
 import {ReadableStream as WebReadableStream} from 'node:stream/web';
 import {pipeline, PassThrough, Readable} from 'node:stream';
 import * as strtok3 from 'strtok3';
-import {FileTypeParser as DefaultFileTypeParser, reasonableDetectionSizeInBytes} from './core.js';
+import {
+	FileTypeParser as DefaultFileTypeParser,
+	reasonableDetectionSizeInBytes,
+	normalizeSampleSize,
+} from './core.js';
+
+function isTokenizerStreamBoundsError(error) {
+	if (
+		!(error instanceof RangeError)
+		|| error.message !== 'offset is out of bounds'
+		|| typeof error.stack !== 'string'
+	) {
+		return false;
+	}
+
+	// Some malformed or non-byte Node.js streams can surface this tokenizer-internal range error.
+	// Note: This stack-trace check is fragile and may break if strtok3 restructures its internals.
+	return /strtok3[/\\]lib[/\\]stream[/\\]/.test(error.stack);
+}
 
 export class FileTypeParser extends DefaultFileTypeParser {
 	async fromStream(stream) {
-		const tokenizer = await (stream instanceof WebReadableStream ? strtok3.fromWebStream(stream, this.tokenizerOptions) : strtok3.fromStream(stream, this.tokenizerOptions));
+		const tokenizer = await (stream instanceof WebReadableStream ? strtok3.fromWebStream(stream, this.getTokenizerOptions()) : strtok3.fromStream(stream, this.getTokenizerOptions()));
 		try {
 			return await super.fromTokenizer(tokenizer);
+		} catch (error) {
+			if (isTokenizerStreamBoundsError(error)) {
+				return;
+			}
+
+			throw error;
 		} finally {
 			await tokenizer.close();
 		}
@@ -31,7 +55,7 @@ export class FileTypeParser extends DefaultFileTypeParser {
 			return super.toDetectionStream(readableStream, options);
 		}
 
-		const {sampleSize = reasonableDetectionSizeInBytes} = options;
+		const sampleSize = normalizeSampleSize(options.sampleSize ?? reasonableDetectionSizeInBytes);
 
 		return new Promise((resolve, reject) => {
 			readableStream.on('error', reject);

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "file-type",
-	"version": "21.3.0",
+	"version": "21.3.2",
 	"description": "Detect the file type of a file, stream, or data",
 	"license": "MIT",
 	"repository": "sindresorhus/file-type",
@@ -258,12 +258,12 @@
 	},
 	"devDependencies": {
 		"@tokenizer/token": "^0.3.0",
-		"@types/node": "^22.15.21",
-		"ava": "^6.3.0",
+		"@types/node": "^25.3.3",
+		"ava": "^7.0.0",
 		"commonmark": "^0.31.2",
 		"get-stream": "^9.0.1",
 		"noop-stream": "^1.0.0",
-		"tsd": "^0.32.0",
+		"tsd": "^0.33.0",
 		"xo": "^0.60.0"
 	},
 	"xo": {

package/readme.md

@@ -16,11 +16,12 @@ We accept contributions for commonly used modern file formats, not historical or
 npm install file-type
 ```
 
-**This package is an ESM package. Your project needs to be ESM too. [Read more](https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c). For TypeScript + CommonJS, see [`load-esm`](https://github.com/Borewit/load-esm).**
+**This package is an ESM package. Your project needs to be ESM too. [Read more](https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c). For TypeScript + CommonJS, see [`load-esm`](https://github.com/Borewit/load-esm).** If you use it with Webpack, you need the latest Webpack version and ensure you configure it correctly for ESM.
 
-If you use it with Webpack, you need the latest Webpack version and ensure you configure it correctly for ESM.
-
-File type detection is based on binary signatures (magic numbers) and should be treated as a best-effort hint, not a guarantee.
+> [!IMPORTANT]
+> File type detection is based on binary signatures (magic numbers) and is a best-effort hint. It does not guarantee the file is actually of that type or that the file is valid/not malformed.
+>
+> Robustness against malformed input is best-effort. When processing untrusted files on a server, enforce a reasonable file size limit and use a worker thread with a timeout (e.g., [`make-asynchronous`](https://github.com/sindresorhus/make-asynchronous)). These are not considered security issues in this package.
 
 ## Usage
 
@@ -380,6 +381,7 @@ console.log(fileType);
 ### Available third-party file-type detectors
 
 - [@file-type/av](https://github.com/Borewit/file-type-av): Improves detection of audio and video file formats, with accurate differentiation between the two
+- [@file-type/cfbf](https://github.com/Borewit/file-type-cfbf): Detects Compound File Binary Format (CFBF) based formats, such as Office 97–2003 documents and `.msi`.
 - [@file-type/pdf](https://github.com/Borewit/file-type-pdf): Detects PDF based file types, such as Adobe Illustrator
 - [@file-type/xml](https://github.com/Borewit/file-type-xml): Detects common XML file types, such as GLM, KML, MusicXML, RSS, SVG, and XHTML
 
@@ -628,14 +630,14 @@ abortController.abort(); // Abort file-type reading from the Blob stream.
 
 *[Pull requests](.github/pull_request_template.md) are welcome for additional commonly used file types.*
 
-The following file types will not be accepted:
-- [MS-CFB: Microsoft Compound File Binary File Format based formats](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/53989ce4-7b05-4f8d-829b-d08d6148375b), too old and difficult to parse:
+The following file types will not be accepted, but most of them are supported by [third-party detector](#available-third-party-file-type-detectors)
+- [MS-CFB: Microsoft Compound File Binary File Format based formats](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/53989ce4-7b05-4f8d-829b-d08d6148375b)
 	- `.doc` - Microsoft Word 97-2003 Document
 	- `.xls` - Microsoft Excel 97-2003 Document
 	- `.ppt` - Microsoft PowerPoint97-2003 Document
 	- `.msi` - Microsoft Windows Installer
 - `.csv` - [Reason.](https://github.com/sindresorhus/file-type/issues/264#issuecomment-568439196)
-- `.svg` - Supported by [third-party detector](#available-third-party-file-type-detectors).
+- `.svg`
 
 #### tokenizer