From 8a29e93bb409aaace04275de43780bfa06c3f3ea Mon Sep 17 00:00:00 2001 From: Eamon Nerbonne Date: Mon, 18 Nov 2024 16:05:49 +0100 Subject: [PATCH] Update README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index bd5ad9c..3a1d2a6 100644 --- a/README.md +++ b/README.md @@ -28,3 +28,9 @@ If you prefer to manually use the appropriate DotNetZip apis over importing this Per the DotNetZip docs, this compression is compatible with the deflate RFC as implemented by the common [zlib library](http://zlib.net). (Note that although gzip uses the same algorithm, it uses a slightly different and thus incompatible header.) + + +Unaffected by DotNetZip directory traversal vulnerability +--- + +[DotNetZip has a directory traversal vulnerability](https://github.com/advisories/GHSA-xhg6-9j5j-w4vf) when extracting ZipEntry. Unfortunately, [DotNetZip](https://github.com/haf/DotNetZip.Semverd) is no longer maintained and will likely not be updated. However, code using this library (and no other DotNetZip features) is not affected because the library as far as I can tell never touches any code-paths which use ZipEntry; this library only deals with simple byte arrays and never performs any I/O. In short: the vulnerability is in the zip-archive part of DotNetZip, not the Zlib algorithmic part.
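Review bot: the core claim of the new section, "the library as far as I can tell never touches any code-paths which use ZipEntry", is hedged in a way that undercuts the heading "Unaffected by DotNetZip directory traversal vulnerability"; since the whole point of the section is to let downstream users close out an advisory finding, state the basis concretely rather than as an impression, e.g. name the DotNetZip namespace or types this library actually references (the Zlib/deflate stream types) and state that no ZipFile/ZipEntry type is referenced anywhere in the project, so a reader can verify it with a grep. The sentence is also ambiguous about which library "the library" refers to (DotNetZip or this project) until the semicolon clause; write "this library" in both places. Two documentation gaps worth filling in the same section: the DotNetZip package and version this project depends on, so users can confirm the transitive reference their scanner is reporting is the one discussed here, and a sentence noting that dependency scanners will still flag that transitive reference against GHSA-xhg6-9j5j-w4vf even though the vulnerable extraction path is unreachable, so users know the warning is expected and needs a suppression rather than an upgrade. Minor: the setext underline `---` renders the heading as an h2; check that it matches the heading level used for the neighbouring README sections.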