file-type 21.3.2 → 21.3.4

package/core.js

@@ -20,18 +20,23 @@ const maximumZipEntrySizeInBytes = 1024 * 1024;
 const maximumZipEntryCount = 1024;
 const maximumZipBufferedReadSizeInBytes = (2 ** 31) - 1;
 const maximumUntrustedSkipSizeInBytes = 16 * 1024 * 1024;
+const maximumUnknownSizePayloadProbeSizeInBytes = maximumZipEntrySizeInBytes;
 const maximumZipTextEntrySizeInBytes = maximumZipEntrySizeInBytes;
 const maximumNestedGzipDetectionSizeInBytes = maximumUntrustedSkipSizeInBytes;
 const maximumNestedGzipProbeDepth = 1;
+const unknownSizeGzipProbeTimeoutInMilliseconds = 100;
 const maximumId3HeaderSizeInBytes = maximumUntrustedSkipSizeInBytes;
 const maximumEbmlDocumentTypeSizeInBytes = 64;
-const maximumEbmlElementPayloadSizeInBytes = maximumUntrustedSkipSizeInBytes;
+const maximumEbmlElementPayloadSizeInBytes = maximumUnknownSizePayloadProbeSizeInBytes;
 const maximumEbmlElementCount = 256;
 const maximumPngChunkCount = 512;
+const maximumPngStreamScanBudgetInBytes = maximumUntrustedSkipSizeInBytes;
 const maximumAsfHeaderObjectCount = 512;
 const maximumTiffTagCount = 512;
 const maximumDetectionReentryCount = 256;
-const maximumPngChunkSizeInBytes = maximumUntrustedSkipSizeInBytes;
+const maximumPngChunkSizeInBytes = maximumUnknownSizePayloadProbeSizeInBytes;
+const maximumAsfHeaderPayloadSizeInBytes = maximumUnknownSizePayloadProbeSizeInBytes;
+const maximumTiffStreamIfdOffsetInBytes = maximumUnknownSizePayloadProbeSizeInBytes;
 const maximumTiffIfdOffsetInBytes = maximumUntrustedSkipSizeInBytes;
 const recoverableZipErrorMessages = new Set([
 	'Unexpected signature',
@@ -43,6 +48,7 @@ const recoverableZipErrorMessagePrefixes = [
 	'Unsupported ZIP compression method:',
 	'ZIP entry compressed data exceeds ',
 	'ZIP entry decompressed data exceeds ',
+	'Expected data-descriptor-signature at position ',
 ];
 const recoverableZipErrorCodes = new Set([
 	'Z_BUF_ERROR',
@@ -52,6 +58,27 @@ const recoverableZipErrorCodes = new Set([
 
 class ParserHardLimitError extends Error {}
 
+function patchWebByobTokenizerClose(tokenizer) {
+	const streamReader = tokenizer?.streamReader;
+	if (streamReader?.constructor?.name !== 'WebStreamByobReader') {
+		return tokenizer;
+	}
+
+	const {reader} = streamReader;
+	const cancelAndRelease = async () => {
+		await reader.cancel();
+		reader.releaseLock();
+	};
+
+	streamReader.close = cancelAndRelease;
+	streamReader.abort = async () => {
+		streamReader.interrupted = true;
+		await cancelAndRelease();
+	};
+
+	return tokenizer;
+}
+
 function getSafeBound(value, maximum, reason) {
 	if (
 		!Number.isFinite(value)
@@ -141,6 +168,10 @@ function findZipDataDescriptorOffset(buffer, bytesConsumed) {
 	return -1;
 }
 
+function isPngAncillaryChunk(type) {
+	return (type.codePointAt(0) & 0x20) !== 0;
+}
+
 function mergeByteChunks(chunks, totalLength) {
 	const merged = new Uint8Array(totalLength);
 	let offset = 0;
@@ -193,6 +224,10 @@ async function readZipDataDescriptorEntryWithLimit(zipHandler, {shouldBuffer, ma
 		}
 	}
 
+	if (!hasUnknownFileSize(zipHandler.tokenizer)) {
+		zipHandler.knownSizeDescriptorScannedBytes += bytesConsumed;
+	}
+
 	if (!shouldBuffer) {
 		return;
 	}
@@ -200,16 +235,30 @@ async function readZipDataDescriptorEntryWithLimit(zipHandler, {shouldBuffer, ma
 	return mergeByteChunks(chunks, bytesConsumed);
 }
 
-async function readZipEntryData(zipHandler, zipHeader, {shouldBuffer} = {}) {
+function getRemainingZipScanBudget(zipHandler, startOffset) {
+	if (hasUnknownFileSize(zipHandler.tokenizer)) {
+		return Math.max(0, maximumUntrustedSkipSizeInBytes - (zipHandler.tokenizer.position - startOffset));
+	}
+
+	return Math.max(0, maximumZipEntrySizeInBytes - zipHandler.knownSizeDescriptorScannedBytes);
+}
+
+async function readZipEntryData(zipHandler, zipHeader, {shouldBuffer, maximumDescriptorLength = maximumZipEntrySizeInBytes} = {}) {
 	if (
 		zipHeader.dataDescriptor
 		&& zipHeader.compressedSize === 0
 	) {
-		return readZipDataDescriptorEntryWithLimit(zipHandler, {shouldBuffer});
+		return readZipDataDescriptorEntryWithLimit(zipHandler, {
+			shouldBuffer,
+			maximumLength: maximumDescriptorLength,
+		});
 	}
 
 	if (!shouldBuffer) {
-		await zipHandler.tokenizer.ignore(zipHeader.compressedSize);
+		await safeIgnore(zipHandler.tokenizer, zipHeader.compressedSize, {
+			maximumLength: hasUnknownFileSize(zipHandler.tokenizer) ? maximumZipEntrySizeInBytes : zipHandler.tokenizer.fileInfo.size,
+			reason: 'ZIP entry compressed data',
+		});
 		return;
 	}
 
@@ -244,7 +293,13 @@ ZipHandler.prototype.inflate = async function (zipHeader, fileData, callback) {
 ZipHandler.prototype.unzip = async function (fileCallback) {
 	let stop = false;
 	let zipEntryCount = 0;
+	const zipScanStart = this.tokenizer.position;
+	this.knownSizeDescriptorScannedBytes = 0;
 	do {
+		if (hasExceededUnknownSizeScanBudget(this.tokenizer, zipScanStart, maximumUntrustedSkipSizeInBytes)) {
+			throw new ParserHardLimitError(`ZIP stream probing exceeds ${maximumUntrustedSkipSizeInBytes} bytes`);
+		}
+
 		const zipHeader = await this.readLocalFileHeader();
 		if (!zipHeader) {
 			break;
@@ -260,6 +315,7 @@ ZipHandler.prototype.unzip = async function (fileCallback) {
 		await this.tokenizer.ignore(zipHeader.extraFieldLength);
 		const fileData = await readZipEntryData(this, zipHeader, {
 			shouldBuffer: Boolean(next.handler),
+			maximumDescriptorLength: Math.min(maximumZipEntrySizeInBytes, getRemainingZipScanBudget(this, zipScanStart)),
 		});
 
 		if (next.handler) {
@@ -273,6 +329,10 @@ ZipHandler.prototype.unzip = async function (fileCallback) {
 				throw new Error(`Expected data-descriptor-signature at position ${this.tokenizer.position - dataDescriptor.length}`);
 			}
 		}
+
+		if (hasExceededUnknownSizeScanBudget(this.tokenizer, zipScanStart, maximumUntrustedSkipSizeInBytes)) {
+			throw new ParserHardLimitError(`ZIP stream probing exceeds ${maximumUntrustedSkipSizeInBytes} bytes`);
+		}
 	} while (!stop);
 };
 
@@ -496,7 +556,8 @@ function _check(buffer, headers, options) {
 }
 
 export function normalizeSampleSize(sampleSize) {
-	// Accept odd caller input, but preserve valid caller-requested probe depth.
+	// `sampleSize` is an explicit caller-controlled tuning knob, not untrusted file input.
+	// Preserve valid caller-requested probe depth here; applications must bound attacker-derived option values themselves.
 	if (!Number.isFinite(sampleSize)) {
 		return reasonableDetectionSizeInBytes;
 	}
@@ -504,6 +565,45 @@ export function normalizeSampleSize(sampleSize) {
 	return Math.max(1, Math.trunc(sampleSize));
 }
 
+function readByobReaderWithSignal(reader, buffer, signal) {
+	if (signal === undefined) {
+		return reader.read(buffer);
+	}
+
+	signal.throwIfAborted();
+
+	return new Promise((resolve, reject) => {
+		const cleanup = () => {
+			signal.removeEventListener('abort', onAbort);
+		};
+
+		const onAbort = () => {
+			const abortReason = signal.reason;
+			cleanup();
+
+			(async () => {
+				try {
+					await reader.cancel(abortReason);
+				} catch {}
+			})();
+
+			reject(abortReason);
+		};
+
+		signal.addEventListener('abort', onAbort, {once: true});
+		(async () => {
+			try {
+				const result = await reader.read(buffer);
+				cleanup();
+				resolve(result);
+			} catch (error) {
+				cleanup();
+				reject(error);
+			}
+		})();
+	});
+}
+
 function normalizeMpegOffsetTolerance(mpegOffsetTolerance) {
 	// This value controls scan depth and therefore worst-case CPU work.
 	if (!Number.isFinite(mpegOffsetTolerance)) {
@@ -715,7 +815,11 @@ export class FileTypeParser {
 		};
 	}
 
-	async fromTokenizer(tokenizer, detectionReentryCount = 0) {
+	createTokenizerFromWebStream(stream) {
+		return patchWebByobTokenizerClose(strtok3.fromWebStream(stream, this.getTokenizerOptions()));
+	}
+
+	async parseTokenizer(tokenizer, detectionReentryCount = 0) {
 		this.detectionReentryCount = detectionReentryCount;
 		const initialPosition = tokenizer.position;
 		// Iterate through all file-type detectors
@@ -745,6 +849,14 @@ export class FileTypeParser {
 		}
 	}
 
+	async fromTokenizer(tokenizer) {
+		try {
+			return await this.parseTokenizer(tokenizer);
+		} finally {
+			await tokenizer.close();
+		}
+	}
+
 	async fromBuffer(input) {
 		if (!(input instanceof Uint8Array || input instanceof ArrayBuffer)) {
 			throw new TypeError(`Expected the \`input\` argument to be of type \`Uint8Array\` or \`ArrayBuffer\`, got \`${typeof input}\``);
@@ -760,21 +872,15 @@ export class FileTypeParser {
 	}
 
 	async fromBlob(blob) {
+		this.options.signal?.throwIfAborted();
 		const tokenizer = strtok3.fromBlob(blob, this.getTokenizerOptions());
-		try {
-			return await this.fromTokenizer(tokenizer);
-		} finally {
-			await tokenizer.close();
-		}
+		return this.fromTokenizer(tokenizer);
 	}
 
 	async fromStream(stream) {
-		const tokenizer = strtok3.fromWebStream(stream, this.getTokenizerOptions());
-		try {
-			return await this.fromTokenizer(tokenizer);
-		} finally {
-			await tokenizer.close();
-		}
+		this.options.signal?.throwIfAborted();
+		const tokenizer = this.createTokenizerFromWebStream(stream);
+		return this.fromTokenizer(tokenizer);
 	}
 
 	async toDetectionStream(stream, options) {
@@ -785,7 +891,7 @@ export class FileTypeParser {
 		const reader = stream.getReader({mode: 'byob'});
 		try {
 			// Read the first chunk from the stream
-			const {value: chunk, done} = await reader.read(new Uint8Array(sampleSize));
+			const {value: chunk, done} = await readByobReaderWithSignal(reader, new Uint8Array(sampleSize), this.options.signal);
 			firstChunk = chunk;
 			if (!done && chunk) {
 				try {
@@ -822,6 +928,71 @@ export class FileTypeParser {
 		return newStream;
 	}
 
+	async detectGzip(tokenizer) {
+		if (this.gzipProbeDepth >= maximumNestedGzipProbeDepth) {
+			return {
+				ext: 'gz',
+				mime: 'application/gzip',
+			};
+		}
+
+		const gzipHandler = new GzipHandler(tokenizer);
+		const limitedInflatedStream = createByteLimitedReadableStream(gzipHandler.inflate(), maximumNestedGzipDetectionSizeInBytes);
+		const hasUnknownSize = hasUnknownFileSize(tokenizer);
+		let timeout;
+		let probeSignal;
+		let probeParser;
+		let compressedFileType;
+
+		if (hasUnknownSize) {
+			const timeoutController = new AbortController();
+			timeout = setTimeout(() => {
+				timeoutController.abort(new DOMException(`Operation timed out after ${unknownSizeGzipProbeTimeoutInMilliseconds} ms`, 'TimeoutError'));
+			}, unknownSizeGzipProbeTimeoutInMilliseconds);
+			probeSignal = this.options.signal === undefined
+				? timeoutController.signal
+				// eslint-disable-next-line n/no-unsupported-features/node-builtins
+				: AbortSignal.any([this.options.signal, timeoutController.signal]);
+			probeParser = new FileTypeParser({
+				...this.options,
+				signal: probeSignal,
+			});
+			probeParser.gzipProbeDepth = this.gzipProbeDepth + 1;
+		} else {
+			this.gzipProbeDepth++;
+		}
+
+		try {
+			compressedFileType = await (probeParser ?? this).fromStream(limitedInflatedStream);
+		} catch (error) {
+			if (
+				error?.name === 'AbortError'
+				&& probeSignal?.reason?.name !== 'TimeoutError'
+			) {
+				throw error;
+			}
+
+			// Timeout, decompression, or inner-detection failures are expected for non-tar gzip files.
+		} finally {
+			clearTimeout(timeout);
+			if (!hasUnknownSize) {
+				this.gzipProbeDepth--;
+			}
+		}
+
+		if (compressedFileType?.ext === 'tar') {
+			return {
+				ext: 'tar.gz',
+				mime: 'application/gzip',
+			};
+		}
+
+		return {
+			ext: 'gz',
+			mime: 'application/gzip',
+		};
+	}
+
 	check(header, options) {
 		return _check(this.buffer, header, options);
 	}
@@ -841,6 +1012,13 @@ export class FileTypeParser {
 
 		this.tokenizer = tokenizer;
 
+		if (hasUnknownFileSize(tokenizer)) {
+			await tokenizer.peekBuffer(this.buffer, {length: 3, mayBeLess: true});
+			if (this.check([0x1F, 0x8B, 0x8])) {
+				return this.detectGzip(tokenizer);
+			}
+		}
+
 		await tokenizer.peekBuffer(this.buffer, {length: 32, mayBeLess: true});
 
 		// -- 2-byte signatures --
@@ -944,41 +1122,7 @@ export class FileTypeParser {
 		}
 
 		if (this.check([0x1F, 0x8B, 0x8])) {
-			if (this.gzipProbeDepth >= maximumNestedGzipProbeDepth) {
-				return {
-					ext: 'gz',
-					mime: 'application/gzip',
-				};
-			}
-
-			const gzipHandler = new GzipHandler(tokenizer);
-			const limitedInflatedStream = createByteLimitedReadableStream(gzipHandler.inflate(), maximumNestedGzipDetectionSizeInBytes);
-			let compressedFileType;
-			try {
-				this.gzipProbeDepth++;
-				compressedFileType = await this.fromStream(limitedInflatedStream);
-			} catch (error) {
-				if (error?.name === 'AbortError') {
-					throw error;
-				}
-
-				// Decompression or inner-detection failures are expected for non-tar gzip files.
-			} finally {
-				this.gzipProbeDepth--;
-			}
-
-			// We only need enough inflated bytes to confidently decide whether this is tar.gz.
-			if (compressedFileType?.ext === 'tar') {
-				return {
-					ext: 'tar.gz',
-					mime: 'application/gzip',
-				};
-			}
-
-			return {
-				ext: 'gz',
-				mime: 'application/gzip',
-			};
+			return this.detectGzip(tokenizer);
 		}
 
 		if (this.check([0x42, 0x5A, 0x68])) {
@@ -1001,7 +1145,10 @@ export class FileTypeParser {
 				// Keep ID3 probing bounded for unknown-size streams to avoid attacker-controlled large skips.
 				|| (
 					isUnknownFileSize
-					&& id3HeaderLength > maximumId3HeaderSizeInBytes
+					&& (
+						id3HeaderLength > maximumId3HeaderSizeInBytes
+						|| (tokenizer.position + id3HeaderLength) > maximumId3HeaderSizeInBytes
+					)
 				)
 			) {
 				return;
@@ -1036,7 +1183,7 @@ export class FileTypeParser {
 			}
 
 			this.detectionReentryCount++;
-			return this.fromTokenizer(tokenizer, this.detectionReentryCount); // Skip ID3 header, recursion
+			return this.parseTokenizer(tokenizer, this.detectionReentryCount); // Skip ID3 header, recursion
 		}
 
 		// Musepack, SV7
@@ -1454,6 +1601,10 @@ export class FileTypeParser {
 						return;
 					}
 
+					if (hasExceededUnknownSizeScanBudget(tokenizer, ebmlScanStart, maximumUntrustedSkipSizeInBytes)) {
+						return;
+					}
+
 					const previousPosition = tokenizer.position;
 					const element = await readElement();
 
@@ -1493,6 +1644,7 @@ export class FileTypeParser {
 			}
 
 			const rootElement = await readElement();
+			const ebmlScanStart = tokenizer.position;
 			const documentType = await readChildren(rootElement.len);
 
 			switch (documentType) {
@@ -1875,13 +2027,14 @@ export class FileTypeParser {
 			const isUnknownPngStream = hasUnknownFileSize(tokenizer);
 			const pngScanStart = tokenizer.position;
 			let pngChunkCount = 0;
+			let hasSeenImageHeader = false;
 			do {
 				pngChunkCount++;
 				if (pngChunkCount > maximumPngChunkCount) {
 					break;
 				}
 
-				if (hasExceededUnknownSizeScanBudget(tokenizer, pngScanStart, maximumPngChunkSizeInBytes)) {
+				if (hasExceededUnknownSizeScanBudget(tokenizer, pngScanStart, maximumPngStreamScanBudgetInBytes)) {
 					break;
 				}
 
@@ -1891,18 +2044,34 @@ export class FileTypeParser {
 					return; // Invalid chunk length
 				}
 
+				if (chunk.type === 'IHDR') {
+					// PNG requires the first real image header to be a 13-byte IHDR chunk.
+					if (chunk.length !== 13) {
+						return;
+					}
+
+					hasSeenImageHeader = true;
+				}
+
 				switch (chunk.type) {
 					case 'IDAT':
 						return pngFileType;
 					case 'acTL':
 						return apngFileType;
 					default:
+						if (
+							!hasSeenImageHeader
+							&& chunk.type !== 'CgBI'
+						) {
+							return;
+						}
+
 						if (
 							isUnknownPngStream
 								&& chunk.length > maximumPngChunkSizeInBytes
 						) {
 							// Avoid huge attacker-controlled skips when probing unknown-size streams.
-							return;
+							return hasSeenImageHeader && isPngAncillaryChunk(chunk.type) ? pngFileType : undefined;
 						}
 
 						try {
@@ -2158,8 +2327,16 @@ export class FileTypeParser {
 						break;
 					}
 
+					if (
+						isUnknownFileSize
+						&& payload > maximumAsfHeaderPayloadSizeInBytes
+					) {
+						isMalformedAsf = true;
+						break;
+					}
+
 					await safeIgnore(tokenizer, payload, {
-						maximumLength: isUnknownFileSize ? maximumUntrustedSkipSizeInBytes : tokenizer.fileInfo.size,
+						maximumLength: isUnknownFileSize ? maximumAsfHeaderPayloadSizeInBytes : tokenizer.fileInfo.size,
 						reason: 'ASF header payload',
 					});
 
@@ -2625,6 +2802,13 @@ export class FileTypeParser {
 				}
 			}
 
+			if (
+				hasUnknownFileSize(this.tokenizer)
+				&& ifdOffset > maximumTiffStreamIfdOffsetInBytes
+			) {
+				return tiffFileType;
+			}
+
 			const maximumTiffOffset = hasUnknownFileSize(this.tokenizer) ? maximumTiffIfdOffsetInBytes : this.tokenizer.fileInfo.size;
 
 			try {

package/index.js

@@ -4,6 +4,8 @@ Node.js specific entry point.
 
 import {ReadableStream as WebReadableStream} from 'node:stream/web';
 import {pipeline, PassThrough, Readable} from 'node:stream';
+import fs from 'node:fs/promises';
+import {constants as fileSystemConstants} from 'node:fs';
 import * as strtok3 from 'strtok3';
 import {
 	FileTypeParser as DefaultFileTypeParser,
@@ -27,7 +29,8 @@ function isTokenizerStreamBoundsError(error) {
 
 export class FileTypeParser extends DefaultFileTypeParser {
 	async fromStream(stream) {
-		const tokenizer = await (stream instanceof WebReadableStream ? strtok3.fromWebStream(stream, this.getTokenizerOptions()) : strtok3.fromStream(stream, this.getTokenizerOptions()));
+		this.options.signal?.throwIfAborted();
+		const tokenizer = await (stream instanceof WebReadableStream ? this.createTokenizerFromWebStream(stream) : strtok3.fromStream(stream, this.getTokenizerOptions()));
 		try {
 			return await super.fromTokenizer(tokenizer);
 		} catch (error) {
@@ -37,17 +40,34 @@ export class FileTypeParser extends DefaultFileTypeParser {
 
 			throw error;
 		} finally {
-			await tokenizer.close();
+			// TODO: Remove this when `strtok3.fromStream()` closes the underlying Readable instead of only aborting tokenizer reads.
+			if (
+				stream instanceof Readable
+				&& !stream.destroyed
+			) {
+				stream.destroy();
+			}
 		}
 	}
 
 	async fromFile(path) {
-		const tokenizer = await strtok3.fromFile(path);
-		try {
-			return await super.fromTokenizer(tokenizer);
-		} finally {
-			await tokenizer.close();
+		this.options.signal?.throwIfAborted();
+		// TODO: Remove this when `strtok3.fromFile()` safely rejects non-regular filesystem objects without a pathname race.
+		const fileHandle = await fs.open(path, fileSystemConstants.O_RDONLY | fileSystemConstants.O_NONBLOCK);
+		const fileStat = await fileHandle.stat();
+		if (!fileStat.isFile()) {
+			await fileHandle.close();
+			return;
 		}
+
+		const tokenizer = new strtok3.FileTokenizer(fileHandle, {
+			...this.getTokenizerOptions(),
+			fileInfo: {
+				path,
+				size: fileStat.size,
+			},
+		});
+		return super.fromTokenizer(tokenizer);
 	}
 
 	async toDetectionStream(readableStream, options = {}) {
@@ -55,36 +75,69 @@ export class FileTypeParser extends DefaultFileTypeParser {
 			return super.toDetectionStream(readableStream, options);
 		}
 
-		const sampleSize = normalizeSampleSize(options.sampleSize ?? reasonableDetectionSizeInBytes);
+		const {sampleSize = reasonableDetectionSizeInBytes} = options;
+		const {signal} = this.options;
+		const normalizedSampleSize = normalizeSampleSize(sampleSize);
+
+		signal?.throwIfAborted();
 
 		return new Promise((resolve, reject) => {
-			readableStream.on('error', reject);
+			let isSettled = false;
+
+			const cleanup = () => {
+				readableStream.off('error', onError);
+				readableStream.off('readable', onReadable);
+				signal?.removeEventListener('abort', onAbort);
+			};
 
-			readableStream.once('readable', () => {
+			const settle = (callback, value) => {
+				if (isSettled) {
+					return;
+				}
+
+				isSettled = true;
+				cleanup();
+				callback(value);
+			};
+
+			const onError = error => {
+				settle(reject, error);
+			};
+
+			const onAbort = () => {
+				if (!readableStream.destroyed) {
+					readableStream.destroy();
+				}
+
+				settle(reject, signal.reason);
+			};
+
+			const onReadable = () => {
 				(async () => {
 					try {
-						// Set up output stream
 						const pass = new PassThrough();
 						const outputStream = pipeline ? pipeline(readableStream, pass, () => {}) : readableStream.pipe(pass);
-
-						// Read the input stream and detect the filetype
-						const chunk = readableStream.read(sampleSize) ?? readableStream.read() ?? new Uint8Array(0);
+						const chunk = readableStream.read(normalizedSampleSize) ?? readableStream.read() ?? new Uint8Array(0);
 						try {
 							pass.fileType = await this.fromBuffer(chunk);
 						} catch (error) {
 							if (error instanceof strtok3.EndOfStreamError) {
 								pass.fileType = undefined;
 							} else {
-								reject(error);
+								settle(reject, error);
 							}
 						}
 
-						resolve(outputStream);
+						settle(resolve, outputStream);
 					} catch (error) {
-						reject(error);
+						settle(reject, error);
 					}
 				})();
-			});
+			};
+
+			readableStream.on('error', onError);
+			readableStream.once('readable', onReadable);
+			signal?.addEventListener('abort', onAbort, {once: true});
 		});
 	}
 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "file-type",
-	"version": "21.3.2",
+	"version": "21.3.4",
 	"description": "Detect the file type of a file, stream, or data",
 	"license": "MIT",
 	"repository": "sindresorhus/file-type",

package/readme.md

@@ -10,6 +10,9 @@ This package is for detecting binary-based file formats, not text-based formats
 
 We accept contributions for commonly used modern file formats, not historical or obscure ones. Open an issue first for discussion.
 
+> [!IMPORTANT]
+> NO SECURITY REPORTS WILL BE ACCEPTED RIGHT NOW. I'm currently hardening the parser and all the low-quality AI-generated security reports is just a huge waste of time.
+
 ## Install
 
 ```sh
@@ -438,7 +441,7 @@ import {FileTypeParser} from 'file-type';
 
 const abortController = new AbortController()
 
-const parser = new FileTypeParser({abortSignal: abortController.signal});
+const parser = new FileTypeParser({signal: abortController.signal});
 
 const promise = parser.fromStream(blob.stream());