refactor(website): Replace adm-zip and JSZip with fflate for improved performance

[yamadashy]

Summary

• Replace adm-zip with fflate in website server for ZIP processing
• Replace JSZip with fflate in website client for ZIP creation
• Update package dependencies to use fflate instead of legacy ZIP libraries
• Move vite-plugin-pwa to devDependencies for better organization
• Add detailed configuration for rollup-plugin-visualizer

Performance Benefits

• fflate is significantly faster than JSZip and adm-zip
• Smaller bundle size with better tree-shaking support
• More modern API with Promise-based async operations
• Better memory efficiency for large ZIP files

Test plan

• Verify ZIP creation functionality works in website client
• Confirm ZIP processing works in website server
• Check that all existing ZIP-related features continue to work
• Validate bundle size improvements
• Test with various file sizes and types

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello @yamadashy, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the performance of ZIP file handling within the website application. It achieves this by migrating from the older jszip and adm-zip libraries to the more modern and efficient fflate library for both client-side creation and server-side processing of ZIP archives. The change involves updating dependencies and refactoring the core ZIP logic to integrate with the new library's API, while also refining the client build configuration.

Highlights

• Library Replacement: Replaced the jszip library used for client-side ZIP creation and the adm-zip library used for server-side ZIP processing with the fflate library. This change is intended to improve performance, reduce bundle size, and offer better memory efficiency.
• Dependency Management: Updated package.json and package-lock.json files in both the client and server directories to remove the old ZIP libraries and add fflate. Also moved vite-plugin-pwa from dependencies to devDependencies in the client.
• Build Configuration: Added detailed configuration options (filename, open, template, gzipSize, brotliSize) to the rollup-plugin-visualizer in the client's VitePress config.
• ZIP Logic Refactor: Rewrote the ZIP creation logic in useZipProcessor.ts (client) and the ZIP extraction logic in processZipFile.ts and fileUtils.ts (server) to use fflate's asynchronous, Promise-based API. This involved manually reimplementing file iteration, security checks (file count, size, path traversal), directory creation, and file writing based on the data provided by fflate.unzip.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configureGemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.38%. Comparing base (0d0f20e) to head (23f4c42).
Report is 8 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #654   +/-   ##
=======================================
  Coverage   90.38%   90.38%           
=======================================
  Files          96       96           
  Lines        5024     5024           
  Branches     1052     1052           
=======================================
  Hits         4541     4541           
  Misses        483      483           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gemini-code-assist]

Code Review

The pull request refactors ZIP handling using fflate for performance. The security posture of the extractZip function in website/server/src/utils/fileUtils.ts needs clarification. Also, verify fflate's behavior with directory entries in website/server/src/processZipFile.ts. Completing the test plan item "Test with various file sizes and types" will be crucial.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This change replaces the ZIP file handling libraries in both the client and server from jszip and adm-zip to fflate. All relevant file creation, extraction, and validation logic is refactored accordingly. Additionally, the Rollup visualizer plugin configuration is updated with custom options, and dependency lists are adjusted to reflect these changes.

Changes

Files/Paths	Change Summary
website/client/composables/useZipProcessor.ts	Replaces jszip with fflate for ZIP creation; updates logic to use fflate.zip and adapts error handling.
website/server/src/processZipFile.ts, website/server/src/utils/...	Replaces adm-zip with fflate for ZIP extraction; updates validation, traversal checks, and file writing logic.
website/client/package.json, website/server/package.json	Removes jszip and adm-zip dependencies; adds fflate; moves vite-plugin-pwa to devDependencies.
website/client/.vitepress/config/configShard.ts	Updates Rollup visualizer plugin configuration for custom output, disables auto-open, uses treemap, enables size reports.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Client (useZipProcessor)
    participant fflate
    User->>Client (useZipProcessor): createZipFromFiles(files)
    Client->>fflate: zip(fileMap, callback)
    fflate-->>Client (useZipProcessor): zipped Uint8Array (via callback)
    Client (useZipProcessor)-->>User: File object (zipped archive)

Loading

sequenceDiagram
    participant Server (extractZipWithSecurity)
    participant fflate
    participant File System
    Server->>fflate: unzip(buffer, callback)
    fflate-->>Server: files map (path -> Uint8Array)
    Server->>File System: Write files to disk after validation
    File System-->>Server: Files written

Loading

Possibly related PRs

• yamadashy/repomix#642: Introduced the useZipProcessor composable for ZIP file creation and validation, which is directly refactored in this PR.
• yamadashy/repomix#317: Added the Rollup visualizer plugin with default settings, which is further customized in this PR.

✨ Finishing Touches

🧪 Generate Unit Tests

• Create PR with Unit Tests
• Commit Unit Tests in branch feat/zip
• Post Copyable Unit Tests in Comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[yamadashy]

Thanks for the thorough code review! I've addressed all the feedback:

Security Fixes ✅

• Fixed path traversal vulnerability in - Now using and for robust directory traversal prevention
• Enhanced security posture - Aligned with by adding:
  • ZIP bomb detection with compression ratio limits
  • Path length and nesting level validation
  • Duplicate path detection to prevent ZipSlip attacks

Performance Improvements ✅

• Optimized file writes - Replaced sequential in loop with for parallel processing
• This should significantly improve extraction speed for large archives

Code Quality ✅

• Unified security standards - Both extraction functions now have the same comprehensive security checks
• Better error messages - More descriptive security violation messages

The changes maintain backward compatibility while significantly improving security and performance. All tests should pass with these improvements.

Fixed in commit: 23f4c42

[yamadashy]

Thanks for the thorough code review! I have addressed all the feedback:

Security Fixes ✅

• Fixed path traversal vulnerability in fileUtils.ts line 46 - Now using path.resolve and path.relative for robust directory traversal prevention
• Enhanced security posture - Aligned extractZip with extractZipWithSecurity by adding:
  • ZIP bomb detection with compression ratio limits
  • Path length and nesting level validation
  • Duplicate path detection to prevent ZipSlip attacks

Performance Improvements ✅

• Optimized file writes - Replaced sequential await in loop with Promise.all for parallel processing
• This should significantly improve extraction speed for large archives

Code Quality ✅

• Unified security standards - Both extraction functions now have the same comprehensive security checks
• Better error messages - More descriptive security violation messages

The changes maintain backward compatibility while significantly improving security and performance. All tests should pass with these improvements.

Fixed in commit: 23f4c42

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (4)

website/server/src/processZipFile.ts (2)

199-201: Verify fflate's directory entry behavior

The code assumes fflate doesn't include explicit directory entries and skips paths ending with '/'. This assumption should be verified to ensure compatibility with various ZIP file formats.

#!/bin/bash
# Search for documentation or tests about fflate's directory handling
rg -A 5 "directory|folder" --glob "**/*fflate*" --glob "**/test*"

Does fflate include directory entries in the unzipped files object, or does it only return file entries?

---

155-161: 🛠️ Refactor suggestion

Consider extracting shared unzip wrapper to avoid duplication

As noted in the previous review, this Promise wrapper logic is duplicated in fileUtils.ts. Consider creating a shared utility function to maintain DRY principles.

Create a shared utility:

// In a shared utils file
export async function unzipAsync(buffer: Uint8Array): Promise<Record<string, Uint8Array>> {
  return new Promise((resolve, reject) => {
    unzip(buffer, (err, data) => {
      if (err) reject(err);
      else resolve(data);
    });
  });
}

website/server/src/utils/fileUtils.ts (2)

44-49: Duplicate of an earlier review: the traversal check issue was raised previously and remains unresolved.

---

44-49: ⚠️ Potential issue

Path-traversal check is still bypassable – use path.resolve/path.relative instead

path.join(destPath, entryPath) retains “../” segments, so a crafted entry like ../../etc/passwd will still yield a string that starts with destPath, letting the malicious file slip through.

-      const fullPath = path.join(destPath, entryPath);
-      if (!fullPath.startsWith(destPath)) {
+      const fullPath = path.resolve(destPath, entryPath);
+      const relative = path.relative(destPath, fullPath);
+      if (relative.startsWith('..') || path.isAbsolute(relative)) {
         throw new AppError('ZIP contains unsafe file paths');
       }

🧹 Nitpick comments (2)

website/server/src/utils/fileUtils.ts (2)

11-13: Include offending size in the error message for easier troubleshooting

Surfacing the actual upload size helps operators & clients immediately understand why a request failed.

-      throw new AppError(`File size exceeds maximum limit of ${formatFileSize(FILE_SIZE_LIMITS.MAX_ZIP_SIZE)}`);
+      throw new AppError(
+        `File size ${formatFileSize(file.size)} exceeds maximum limit of ${formatFileSize(
+          FILE_SIZE_LIMITS.MAX_ZIP_SIZE,
+        )}`,
+      );

---

53-65: Sequential writes can severely slow down large extractions

Each await fs.writeFile blocks the loop. Gather promises and await Promise.all (or stream) to exploit I/O concurrency:

-    for (const [filePath, data] of Object.entries(files)) {
-      if (filePath.endsWith('/')) continue;
-      const fullPath = path.join(destPath, filePath);
-      const dirPath = path.dirname(fullPath);
-      await fs.mkdir(dirPath, { recursive: true });
-      await fs.writeFile(fullPath, data);
-    }
+    const writeJobs: Promise<unknown>[] = [];
+    for (const [filePath, data] of Object.entries(files)) {
+      if (filePath.endsWith('/')) continue;
+      const fullPath = path.join(destPath, filePath);
+      const dirPath = path.dirname(fullPath);
+      writeJobs.push(
+        fs
+          .mkdir(dirPath, { recursive: true })
+          .then(() => fs.writeFile(fullPath, data)),
+      );
+    }
+    await Promise.all(writeJobs);

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0d0f20e and a267465.

⛔ Files ignored due to path filters (2)

• website/client/package-lock.json is excluded by !**/package-lock.json
• website/server/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (6)

• website/client/.vitepress/config/configShard.ts (1 hunks)
• website/client/composables/useZipProcessor.ts (1 hunks)
• website/client/package.json (1 hunks)
• website/server/package.json (1 hunks)
• website/server/src/processZipFile.ts (4 hunks)
• website/server/src/utils/fileUtils.ts (2 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (2)

website/server/src/processZipFile.ts (1)

website/server/src/utils/errorHandler.ts (1)

• AppError (3-11)

website/server/src/utils/fileUtils.ts (2)

website/server/src/constants.ts (2)

• FILE_SIZE_LIMITS (1-6)
• formatFileSize (9-11)

website/server/src/utils/errorHandler.ts (1)

• AppError (3-11)

🔇 Additional comments (7)

website/server/package.json (1)

17-17: LGTM!

The addition of fflate dependency is consistent with the PR objectives to migrate from adm-zip.

website/client/package.json (2)

13-13: LGTM!

The addition of fflate dependency aligns with the migration from jszip.

---

20-20: Good practice: Moving build tool to devDependencies

Moving vite-plugin-pwa to devDependencies is the correct approach since it's only needed during the build process.

website/client/.vitepress/config/configShard.ts (1)

144-152: Excellent configuration for bundle analysis

The detailed visualizer configuration will help track the impact of migrating to fflate on bundle size. The treemap template and compression size reporting are particularly useful for analyzing the benefits of this refactor.

website/client/composables/useZipProcessor.ts (2)

1-1: LGTM!

Clean import change from JSZip to fflate.

---

6-23: Well-implemented migration to fflate

The implementation correctly:

• Builds the file map structure required by fflate
• Properly converts File objects to Uint8Array
• Wraps the callback-based API in a Promise for consistency
• Maintains error handling with descriptive messages

website/server/src/processZipFile.ts (1)

173-194: Security checks properly maintained

Excellent job preserving all the security validations during the migration:

• File count limits
• Uncompressed size limits
• Compression ratio checks for ZIP bomb detection
• Path traversal prevention

These are critical for server-side ZIP processing.

[cloudflare-workers-and-pages]

Deploying repomix with    Cloudflare Pages

Latest commit:	23f4c42
Status:	✅  Deploy successful!
Preview URL:	https://af18bbc8.repomix.pages.dev
Branch Preview URL:	https://feat-zip.repomix.pages.dev

View logs

[Copilot]

Pull Request Overview

This PR refactors the website’s ZIP processing by replacing legacy libraries (adm-zip and JSZip) with fflate to achieve improved performance, better tree-shaking, and enhanced security during ZIP extraction.

• Replaced adm-zip and JSZip with fflate for server and client ZIP handling.
• Introduced enhanced security checks (file count, uncompressed size, compression ratio, path traversal, nesting, and duplicate files) in ZIP extraction functions.
• Updated package dependencies and improved configuration (e.g., moving vite-plugin-pwa to devDependencies and adding detailed rollup-plugin-visualizer settings).

Reviewed Changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
website/server/src/utils/fileUtils.ts	Rewritten ZIP extraction logic with enhanced security validations and usage of fflate instead of adm-zip.
website/server/src/processZipFile.ts	Refactored ZIP processing to use fflate with similar security checks as in fileUtils.ts.
website/server/package.json	Removed adm-zip and added fflate as dependency.
website/client/package.json	Removed jszip and added fflate, and reordered plugins (vite-plugin-pwa moved to devDependencies).
website/client/composables/useZipProcessor.ts	Updated ZIP creation to utilize fflate’s zip function through a promise wrapper.
website/client/.vitepress/config/configShard.ts	Updated rollup-plugin-visualizer configuration with detailed options.
.claude/commands/*	Minor updates to PR and commit command instructions.

Files not reviewed (1)

• website/server/package-lock.json: Language not supported

Comments suppressed due to low confidence (3)

website/server/src/utils/fileUtils.ts:28

• Consider extracting the fflate unzip promise wrapper into a shared utility function to eliminate duplicate logic across the codebase.

const files = await new Promise<Record<string, Uint8Array>>((resolve, reject) => { unzip(buffer, (err, data) => { if (err) reject(err); else resolve(data); }); });

website/server/src/processZipFile.ts:155

• This unzip promise wrapper is almost identical to the one in fileUtils.ts; consider consolidating this logic into a common helper to improve maintainability.

const files = await new Promise<Record<string, Uint8Array>>((resolve, reject) => { unzip(buffer, (err, data) => { if (err) reject(err); else resolve(data); }); });

website/client/composables/useZipProcessor.ts:9

• [nitpick] Consider renaming the variable 'path' to 'filePath' to avoid confusion with standard path modules.

const path = file.webkitRelativePath || file.name;

[yamadashy]

/gemini review

[gemini-code-assist]

Code Review

This pull request focuses on replacing adm-zip and JSZip with fflate for improved performance in ZIP processing. The changes include updates to package dependencies, movement of vite-plugin-pwa to devDependencies, and detailed configuration for rollup-plugin-visualizer.