Plexus Archiver 4.6.3

🚀 New features and improvements

• Fix path traversal vulnerability (#261) @plamentotev Thanks to @Fewword for reporting the vulnerability and suggesting a fix. The vulnerability affects only directories whose name begins with the same prefix as the destination directory. For example malicious archive may extract file in /opt/directory instead of /opt/dir.

📦 Dependency updates

• Bump plexus-utils from 3.5.0 to 3.5.1 (#257) @dependabot

Plexus Archiver 4.6.2

🐛 Bug Fixes

• Fix regression in handling symbolic links. See codehaus-plexus/plexus-io#89

📦 Dependency updates

• Bump plexus-io from 3.4.0 to 3.4.1 (#256) @dependabot
• Bump zstd-jni from 1.5.2-5 to 1.5.4-2 (#254) @dependabot, (#255) @dependabot

Plexus Archiver 4.6.1

🐛 Bug Fixes

• Normalize file separators before warning about equal archive entries (#249) @Bananeweizen

📦 Dependency updates

• Bump commons-compress from 1.21 to 1.22 (#243) @dependabot

Plexus Archiver 4.6.0

🚀 New features and improvements

• keep file/directory permissions in Reproducible Builds mode (#241) @hboutemy

📦 Dependency updates

• Bump junitVersion from 5.9.0 to 5.9.1 (#236) @dependabot
• Bump plexus-utils from 3.4.2 to 3.5.0 (#242) @dependabot
• Bump zstd-jni from 1.5.2-4 to 1.5.2-5 (#240) @dependabot

Plexus Archiver 4.5.0

🚀 New features and improvements

• Add zstd (un)archiver support (#226) @pleeplop

🐛 Bug Fixes

• Fix UnArchiver#isOverwrite not working as expected (#229) @plamentotev
  Existing files were overridden only if UnArchiver#isOverwrite was set and the existing files were older than the archive entry.
  Now it works as documented: older files are always overridden; when UnArchiver#isOverwrite is true, existing files are always
  overridden regardless if they are older or not.

Plexus Archiver 4.4.0

🚀 New features and improvements

• Drop legacy plexus API and use only JSR330 components (#220) @cstamas

Plexus Archiver 4.3.0

🚀 New features and improvements

• Require Java 8 (#206) @plamentotev
• Refactor to use FileTime API (#199) @jorsol
• Rename setTime method to setZipEntryTime (#209) @jorsol
• Convert InputStreamSupplier to lambdas (#212) @jorsol
• Update plexus-container-default to 2.1.1, commons-io 2.11.0 (#211) @jorsol
• FIX: Reproducible Builds not working when using modular jar (#205) @jorsol

📦 Dependency updates

• Bump plexus-parent from 8 to 10 (#219) @dependabot
• Bump plexus-io from 3.2.0 to 3.3.1 (#214) @dependabot
• Bump plexus-utils from 3.4.1 to 3.4.2 (#218) @dependabot

Plexus Archiver 4.2.7

🚀 New features and improvements

• Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file (#189) @michael-o

Plexus Archiver 4.2.6

This release updates commons-compress to 1.21 which contains security fixed for CVE-2021-35517 CVE-2021-35516 CVE-2021-35515 CVE-2021-36090

This version requires Java 8 as minimum (commons-compress 1.21 requires Java 8).

🚀 New features and improvements

• FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used (#183) @jorsol
• Code cleanup (#172) @olamy

📦 Dependency updates

• Bump plexus from 7 to 8 (#179) @dependabot
• Bump plexus-utils from 3.3.0 to 3.4.1 (#181) @dependabot
• Bump commons-compress from 1.20 to 1.21 (#177) @dependabot

Plexus Archiver 4.2.5

🚀 New features and improvements

• Speed improvements (#157) @gnodet

🐛 Bug Fixes

• Fix use of a mismatching Unicode path extra field in zip unarchiving (#167) @cwalther
  In some cases zip archiver may update the file path but not the Unicode path extra field. This would result in Plexus Archiver extracting the file using wrong (obsolete) path. Now Plexus Archiver follows the specification and in this case will ignore the extra filed and extract the file in the correct location.

📦 Dependency updates

• Bump plexus from 6.5 to 7 (#158) @dependabot
• Bump xz from 1.8 to 1.9 (#165) @dependabot