@renovate renovate bot commented Sep 6, 2025

This PR contains the following updates:

Package: internetarchive
Change: ==1.8.5 -> ==5.5.1

GitHub Vulnerability Alerts

CVE-2025-58438

Impact

What kind of vulnerability is it?
This is a Critical severity directory traversal (path traversal) vulnerability in the File.download() method of the internetarchive library.

Who is impacted?
All users of the internetarchive library versions < 5.5.1 are impacted. The vulnerability is particularly critical for users on Windows systems, but all operating systems are affected.

Description of the vulnerability:
The vulnerability existed because the file.download() method did not properly sanitize user-supplied filenames or validate the final download path. A maliciously crafted filename could contain path traversal sequences (e.g., ../../../../windows/system32/file.txt) or illegal characters that, when processed, would cause the file to be written outside of the intended target directory.

Potential Impact:
An attacker could potentially overwrite critical system files or application configuration files, leading to a denial of service, privilege escalation, or remote code execution, depending on the context in which the library is used.

Patches

Has the problem been patched?
Yes, the problem has been patched.

What versions should users upgrade to?
Users must upgrade to version 5.5.1 or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
There is no direct workaround that does not involve upgrading the library. The vulnerability is in the core logic of the file download process.

The only alternative for users who absolutely cannot upgrade is to implement their own custom download function that:

  1. Manually sanitizes all filenames using a robust method.
  2. Validates that the resolved absolute path of the download target is within the intended directory before writing any files.

However, this essentially re-implements the fix and is not recommended. Upgrading to the patched version is the only safe and supported solution.

Release Notes

jjjake/internetarchive (internetarchive)

v5.5.1: Version 5.5.1

Compare Source

Security

  • Fixed a critical directory traversal vulnerability in File.download(). All users are urged to upgrade immediately. This prevents malicious filenames from writing files outside the target directory, a risk especially critical for Windows users.
  • Added automatic filename sanitization with platform-specific rules.
  • Added path resolution checks to block directory traversal attacks.
  • Introduced warnings when filenames are sanitized to maintain user awareness.

Please see the security advisory for more details.

Bugfixes

  • Fixed bug in JSON parsing for ia upload --file-metadata ....

v5.5.0: Version 5.5.0

Compare Source

Features and Improvements

  • Added --parameters option to ia metadata.

v5.4.1: Version 5.4.1

Compare Source

Features and Improvements

  • Stop setting scanner on upload per policy change.

Bugfixes

  • Fixed bug where REMOVE_TAG was not working with indexed keys.
  • Fixed argument validation and option parsing in ia download.

v5.4.0: Version 5.4.0

Compare Source

Features and Improvements

  • Added --print-auth-header option to ia configure.

Bugfixes

  • Corrected behavior of ia_copy to avoid dropping path prefixes, fixing ia_move to properly delete moved files in subdirectories (via #693).
  • Fixed bug where hardcoded test comment was being sent with every request.
  • Fixed issue where ia reviews --index/--noindex only worked for configured user.

v5.3.1

Compare Source

v5.3.0: Version 5.3.0

Compare Source

Features and Improvements

  • Added ia configure --show to print config to stdout.
  • Added ia configure --check for validating credentials.
  • Added ia configure --whoami for retrieving info about the configured user.
  • Added ia simplelists command for managing simplelists.
  • Added ia flag command for managing flags.

Bugfixes

  • Fixed bugs in ia copy and ia move where an AttributeError was being raised.
  • Exit with 0 rather than 1 with ia upload --checksum if the file already exists.

v5.2.1: Version 5.2.1

Compare Source

Bugfixes

  • Fixed TypeError bug in ia delete that was causing all ia delete commands to fail.
  • Fixed bug in ia metadata where IDs were being validated needlessly and making it impossible to modify some items.
  • Fixed bug where bulk download was failing with TypeError.

v5.2.0

Compare Source

v5.1.0: Version 5.1.0

Compare Source

Features and Improvements

  • Added --reduced-priority option to ia metadata.

Bugfixes

  • Fixed bugs for URL parameter options in CLI.
  • Fixed various bugs and simplified CLI options with KEY:VALUE values.
  • Fixed bug in ia --host <cmd> where the host was not being set correctly.
  • Removed identifier validation from ia reviews.

v5.0.5: Version 5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3: Version 5.0.3

Compare Source

Bugfixes

  • Fixed bug in CLI where some multi-arguments were being treated as single arguments.
  • Fixed bug where InvalidHeader was being raised when a custom scanner was provided in some cases.

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0: Version 5.0.0

Compare Source

Updated the CLI's command-line argument parsing by replacing the obsolete docopt with the native argparse library, ensuring continued functionality and future compatibility. Note: While the CLI functionality hasn't changed, some commands may need to be formatted slightly differently. If you encounter any issues, refer to ia --help and ia {command} --help.

What's Changed

New Contributors

Full Changelog: jjjake/internetarchive@v4.1.0...v5.0.0

v4.1.0: Version 4.1.0

Compare Source

What's Changed

Full Changelog: jjjake/internetarchive@v4.0.1...v4.1.0

v4.0.1: Version 4.0.1

Compare Source

Features and Improvements

  • Partially downloaded files will now automatically resume where they left off when retried.
  • Use Last-Modified header to set all mtimes (this includes files.xml now).

v3.7.0: Version 3.7.0

Compare Source

Features and Improvements

  • Added support for JSON Patch test operations, via the expect parameter.
  • Added support for moving values via --append-list (Now, rather than ignoring any requests where the value is already present, --append-list will move the value to the end of the list).
  • Switched to importlib-metadata to drop deprecated pkg_resources.

Bugfixes

  • Fixed automatic size hint on uploads.
  • Fixed bug where auth wasn't being sent for searches with user_aggs params.

v3.6.0

Compare Source

v3.5.0

Compare Source

v3.4.0: Version 3.4.0

Compare Source

Features and Improvements

  • Added parameters for filtering files based on their source value in files.xml.
  • Added support for downloading multiple files to stdout.
  • Added timeout parameter to download.

v3.3.0: Version 3.3.0

Compare Source

Features and Improvements

  • Added support for inserting metadata into an existing multi-value metadata
    field. It differs from ia metadata <id> --modify collection[0]:foo in
    that it does not clobber. For example,
    ia metadata <id> --insert collection[0]:foo will insert foo as the
    first collection, it will not clobber.

Bugfixes

  • Fixed bug in search where timeouts would always be returned on queries
    submitted to the files index where more than 10,000 results would be
    returned.

v3.2.0: Version 3.2.0

Compare Source

Features and Improvements

  • Added support for admins to delete reviews via itemname.

v3.1.0: Version 3.1.0

Compare Source

Bugfixes

  • Fixed bug in ia search --fts where --itemlist was printing empty lines.
  • Fixed bug in ia search --fts where -p scope:all was not working.
  • Fixed directory creation race conditions in download.
  • Fixed bug in ia download --stdout where nothing would be printed to stdout
    if the specified file existed on disk.
  • Fixed bug that made it impossible to upload to user items.
  • Fixed memoryview error when running Item.upload with StringIO input
    and verbose=True.
  • Fixed bug in upload where a period was not being expanded properly to the
    contents of the current directory.

Features and Improvements

  • Added support for admins to delete other users' reviews.
  • Added support for excluding files in ia download via the --exclude parameter.
  • Various refactoring and code simplifications.

v3.0.2: Version 3.0.2

Compare Source

Bugfixes

  • Fixed bug where installation would fail in some cases if requests, tqdm,
    or jsonpatch were not already installed.

v3.0.1: Version 3.0.1

Compare Source

Features and Improvements

  • Cut down on the number of HTTP requests made by search.
  • Added Python type hints, and other Python 3 improvements.

v3.0.0: Version 3.0.0

Compare Source

Breaking changes

  • Removed Python 2.7, 3.5, and 3.6 support
  • ia download no longer has a --verbose option, and --silent has been renamed to --quiet.
  • internetarchive.download, Item.download and File.download no longer have a silent
    keyword argument. They are silent by default now unless verbose is set to True.

Features and Improvements

  • page parameter is no longer required if rows parameter is specified in search requests.
  • advancedsearch.php endpoint now supports IAS3 authorization.
  • ia upload now has a --keep-directories option to use the full local file paths as the
    remote name.
  • Added progress bars to ia download

Bugfixes

  • Fixed treatment of list-like file metadata in ia list under Python 3
  • Fixed ia upload --debug only displaying the first request.
  • Fixed uploading from stdin crashing with UnicodeDecodeError or TypeError exception.
  • Fixed ia upload silently ignoring exceptions.
  • Fixed uploading from a spreadsheet with a BOM (UTF-8 byte-order mark) raising a KeyError.
  • Fixed uploading from a spreadsheet not reusing the identifier column.
  • Fixed uploading from a spreadsheet not correctly dropping the item column from metadata.
  • Fixed uploading from a spreadsheet with --checksum crashing on skipped files.
  • Fixed minor bug in S3 overload check on upload error retries.
  • Fixed various messages being printed to stdout instead of stderr.
  • Fixed format selection for on-the-fly files.

v2.3.0: Version 2.3.0

Compare Source

Features and Improvements

  • Added support for IA_CONFIG_FILE environment variable to specify the configuration file path.
  • Added --no-derive option to ia copy and ia move.
  • Added --no-backup option to ia copy, ia move, ia upload, and ia delete.

Bugfixes

  • Fixed bug where queries to the Scrape API (e.g. most search requests made by internetarchive)
    would fail to return all docs without any error reporting, if the Scrape API times out.
    All queries to the Scrape API are now tested to assert the number of docs returned matches the
    hit count returned by the Scrape API.
    If these numbers don't match, an exception is thrown in the Python API and the CLI exits with
    a non-zero exit code and error message.
  • Use .archive.org as the default cookie domain. This fixes a bug where an AttributeError exception
    would be raised if a cookie wasn't set in a config file.

v2.2.0: Version 2.2.0

Compare Source

Features and Improvements

  • Added ia reviews <id> --delete.
  • Added ability to fetch a user's reviews from an item via ia reviews <id>.

Bugfixes

  • Fixed bug in ArchiveSession object where domains weren't getting set properly for cookies.
    This caused archive.org cookies to be sent to other domains.
  • Fixed bug in URL param parser for CLI.
  • Fixed Python 2 bug in ia upload --spreadsheet.

v2.1.0: Version 2.1.0

Compare Source

Features and Improvements

  • Better error messages in ia upload --spreadsheet.
  • Added support for REMOTE_NAME in ia upload --spreadsheet via a REMOTE_NAME column.
  • Implemented XDG Base Directory specification.

Bugfixes

  • Fixed bug in FTS where searches would crash with a TypeError exception.
  • Improved Python 2 compatibility.

v2.0.3

Compare Source

v2.0.2

Compare Source

v2.0.0: Version 2.0.0

Compare Source

Features and Improvements

  • Automatic paging scrolling added to ia search --fts.
  • Default support for lucene queries in ia search --fts.
  • Added support for getting rate-limit information from the Tasks API (i.e. ia tasks --get-rate-limit --cmd derive.php).
  • Added ability to set a remote-filename in a spreadsheet when uploading via ia upload --spreadsheet ....

Bugfixes

  • Fixed bug in ia metadata --remove ... where multiple collections would be removed
    if the specified collection was a substring of any of the existing collections.
  • Fixed bug in ia metadata --remove ... where removing multiple collections was sometimes
    not supported.

v1.9.9: Version 1.9.9

Compare Source

Features and Improvements

  • Added beta support for FTS API.
  • Validate identifiers in spreadsheet before uploading file with ia upload --spreadsheet.
  • Added ia configure --print-cookies.
    This is helpful for using your archive.org cookies in other programs like curl.
    e.g. curl -b $(ia configure --print-cookies) <url> ...

v1.9.6: Version 1.9.6

Compare Source

Features and Improvements

  • Added ability to submit tasks with a reduced priority.
  • Added ability to add headers to modify_metadata requests.

Bugfixes

  • Bumped version requirements for six.
    This addresses the "No module named collections_abc" error.

v1.9.5

Compare Source

v1.9.4: Version 1.9.4

Compare Source

Features and Improvements

  • Added support for adding file-level metadata at time of upload.
  • Added --no-backup to ia upload to turn off backups.

Bugfixes

  • Fixed bug in internetarchive.get_tasks where no tasks were returned unless catalog or history params were provided.
  • Fixed bug in upload where headers were being reused in certain cases.
    This led to issues such as queue-derive being turned off in some cases.
  • Fix crash in ia tasks when a task log contains invalid UTF-8 character.
  • Fixed bug in upload where requests were not being closed.

v1.9.3: Version 1.9.3

Compare Source

Features and Improvements

  • Added support for removing items from simplelists as if they were collections.
  • Added Item.derive() method for deriving items.
  • Added Item.fixer() method for submitting fixer tasks.
  • Added --task-args to ia tasks for submitting task args to the Tasks API.

Bugfixes

  • Minor bug fix in ia tasks to fix support for tasks that do not require a --comment option.

v1.9.2: Version 1.9.2

Compare Source

Features and Improvements

  • Switched to tqdm for progress bar (clint is no longer maintained).
  • Added Item.identifier_available() method for calling check_identifier.php.
  • Added support for opening details page in default browser after upload.
  • Added support for using item or identifier as column header in spreadsheet mode.
  • Added ArchiveSession.get_my_catalog() method for retrieving running/queued tasks.
  • Removed backports.csv requirement for newer Python releases.
  • Authorization header is now used for metadata reads, to support privileged access to /metadata.
  • ia download no longer downloads history dir by default.
  • Added ignore_history_dir to Item.download(). The default is False.

Bugfixes

  • Fixed bug in ia copy and ia move where filenames weren't being encoded/quoted correctly.
  • Fixed bug in Item.get_all_item_tasks() where all calls would fail unless a dict was provided to params.
  • Read from ~/.config/ia.ini with fallback to ~/.ia regardless of the existence of ~/.config
  • Fixed S3 overload message always mentioning the total maximum number of retries, not the remaining ones.
  • Fixed bug where a KeyError exception would be raised on most calls to dark items.
  • Fixed bug where md5 was being calculated for every upload.

v1.9.0: Version 1.9.0

Compare Source

Features and Improvements

  • Implemented new archive.org Tasks API (https://archive.org/services/docs/api/tasks.html).
  • Added support for darking and undarking items via the Tasks API.
  • Added support for submitting arbitrary tasks
    (only darking/undarking currently supported, see Tasks API documentation).

Bugfixes

  • ia download now displays download failed instead of success when download fails.
  • Fixed bug where Item.get_file would not work on unicode names in Python 2.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
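The two workaround steps the advisory above lays out (sanitize the filename, then verify that the resolved absolute path is inside the intended directory before writing), which are also the three things the v5.5.1 release notes say the fix does (platform-specific sanitization rules, a path resolution check, and a warning when a name is changed), as an added Python example. This is not the internetarchive project's own code and does not reproduce its implementation; the function names sanitize_filename, check_within and resolve_download_path, the character rules, and the sample inputs are my own construction.

```python
"""Defensive download-path handling: sanitize a server-supplied filename, then
verify that the resolved path is still inside the intended target directory.

Added illustration of the advisory's two workaround steps; it is not the
internetarchive library's implementation. All function names are hypothetical.
"""
import re
import warnings
from pathlib import Path

# Characters illegal in Windows filenames, plus control characters. Applied on
# every platform so a download made on Linux can be copied to Windows safely.
_ILLEGAL_CHARS = re.compile(r'[<>:"|?*\x00-\x1f]')

# Windows reserved device names; "CON.txt" still refers to the console device.
_RESERVED_NAMES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}


def sanitize_filename(name: str) -> str:
    """Return a relative path (forward slashes) that is safe to join under a directory.

    Both '/' and '\\' count as separators, so a traversal cannot be smuggled
    through the separator the current platform does not use. Empty, '.' and
    '..' components are dropped, illegal characters are replaced, and trailing
    dots/spaces (which Windows strips silently) are removed per component.
    """
    parts = []
    for part in name.replace("\\", "/").split("/"):
        if part in ("", ".", ".."):
            continue  # also discards a leading '/' (absolute path)
        cleaned = _ILLEGAL_CHARS.sub("_", part).rstrip(". ")
        if not cleaned:
            cleaned = "_"
        if cleaned.split(".")[0].upper() in _RESERVED_NAMES:
            cleaned = "_" + cleaned
        parts.append(cleaned)
    if not parts:
        raise ValueError(f"filename {name!r} has no usable path components")
    sanitized = "/".join(parts)
    if sanitized != name:
        # Keep the caller aware that the on-disk name differs from the remote one.
        warnings.warn(f"sanitized filename {name!r} -> {sanitized!r}", stacklevel=2)
    return sanitized


def check_within(target_dir, relative_name: str) -> Path:
    """Resolve target_dir/relative_name and refuse it if it escapes target_dir.

    Path.resolve() collapses '..' and follows symlinks, so a symlink inside the
    target directory that points elsewhere is caught as well. This is an
    independent second line of defence: it does not trust sanitize_filename().
    """
    base = Path(target_dir).resolve()
    candidate = (base / relative_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(
            f"refusing to write {candidate} outside target directory {base}"
        ) from None
    return candidate


def resolve_download_path(target_dir, remote_filename: str) -> Path:
    """Full pipeline: sanitize, then verify containment, then return the path."""
    return check_within(target_dir, sanitize_filename(remote_filename))


if __name__ == "__main__":
    # Constructed inputs in the shape the advisory describes.
    for raw in ["../../../../windows/system32/file.txt", "ok/report.pdf", "CON.txt"]:
        print(raw, "->", resolve_download_path("downloads", raw))
```

The containment check is kept separate from sanitization on purpose: if a future change to the sanitizer lets a component through, check_within still refuses anything that resolves outside the target directory, and it is the only one of the two that notices symlinks.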

@renovate renovate bot force-pushed the renovate/pypi-internetarchive-vulnerability branch from 3f82daf to fef37a3 on December 15, 2025 18:11