Debian Node-Jszip vulnerabilities
2 known vulnerabilities affecting debian/node-jszip.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1
Vulnerabilities
CVE-2022-48285 | HIGH | CVSS 7.3 | fixed in node-jszip 3.10.0+dfsg-1 (bookworm) | 2022
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
Scope: local
bookworm: resolved (fixed in 3.10.0+dfsg-1)
bullseye: open
forky: resolved (fixed in 3.10.0+dfsg-1)
sid: resolved (fixed in 3.10.0+dfsg-1)
trixie: resolved (fixed in 3.10.0+dfsg-1)
CVE-2021-23413 | MEDIUM | CVSS 5.3 | fixed in node-jszip 3.5.0+dfsg-2 (bookworm) | 2021
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g., __proto__, toString, etc.) results in a returned object with a modified prototype instance.
Scope: local
bookworm: resolved (fixed in 3.5.0+dfsg-2)
bullseye: resolved (fixed in 3.5.0+dfsg-2)
forky: resolved (fixed in 3.5.0+dfsg-2)
sid: resolved