FAQ

Is JSZipp a drop-in replacement for JSZip?

No. JSZip exposes a mutable archive object with file(), folder(), and generateAsync(). JSZipp exposes append-style writers and readers: writer.add(), writer.close(), openZip(), and readZipStream().

Why are unsafe paths rejected by default?

ZIP filenames are attacker-controlled paths. openZip() rejects Zip Slip paths, absolute paths, drive-letter paths, drive-relative paths, backslashes, and NUL bytes unless you opt into a different pathMode.

When should I use strict-package?

Use it for uploads, plugin packages, CI artifacts, templates, or any archive that crosses a trust boundary. It adds duplicate-name, case-collision, Unicode-normalization, and local/central size checks.

Does JSZipp truly stream compression?

No. Output can be stream-shaped, but each input entry is materialized before its ZIP records are emitted. This keeps headers predictable and preserves synchronous in-memory writing, but large individual entries still affect peak memory.

What output types are supported?

ZipWriter can return ReadableStream, Blob, Response, Uint8Array, or ArrayBuffer through the outputAs option.

What about old browsers?

JSZipp targets modern browser APIs. Choose JSZip or a compatibility layer if your project must support older browsers that lack Web Streams or related primitives.