From 99aba9cfa1abef1aa247dd6ce9485405ed5fc62a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 10 Feb 2026 14:45:31 +0000
Subject: [PATCH] build(deps): bump github.com/gabriel-vasile/mimetype

Bumps [github.com/gabriel-vasile/mimetype](https://github.com/gabriel-vasile/mimetype) from 1.4.12 to 1.4.13.
- [Release notes](https://github.com/gabriel-vasile/mimetype/releases)
- [Commits](https://github.com/gabriel-vasile/mimetype/compare/v1.4.12...v1.4.13)

---
updated-dependencies:
- dependency-name: github.com/gabriel-vasile/mimetype
  dependency-version: 1.4.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod                                        |  2 +-
 go.sum                                        |  4 +-
 .../mimetype/internal/json/parser.go          |  2 -
 .../mimetype/internal/magic/audio.go          |  7 +-
 .../mimetype/internal/magic/document.go       | 25 +++++++
 .../mimetype/internal/magic/font.go           | 74 ++++++++++++++++++-
 .../mimetype/internal/magic/image.go          | 29 +++++++-
 .../mimetype/internal/magic/meteo.go          |  8 ++
 .../mimetype/internal/magic/text.go           |  6 +-
 .../gabriel-vasile/mimetype/mime.go           |  9 ++-
 .../mimetype/supported_mimes.md               |  8 +-
 .../gabriel-vasile/mimetype/tree.go           | 10 ++-
 vendor/modules.txt                            |  2 +-
 13 files changed, 162 insertions(+), 24 deletions(-)

diff --git a/go.mod b/go.mod
index 913e329789..a28d2473fc 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
-	github.com/gabriel-vasile/mimetype v1.4.12
+	github.com/gabriel-vasile/mimetype v1.4.13
 	github.com/ggwhite/go-masker v1.1.0
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/render v1.0.3
diff --git a/go.sum b/go.sum
index 7caedb0c6b..6d90bdc123 100644
--- a/go.sum
+++ b/go.sum
@@ -358,8 +358,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
-github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
+github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gdexlab/go-render v1.0.1 h1:rxqB3vo5s4n1kF0ySmoNeSPRYkEsyHgln4jFIQY7v0U=
 github.com/gdexlab/go-render v1.0.1/go.mod h1:wRi5nW2qfjiGj4mPukH4UV0IknS1cHD4VgFTmJX5JzM=
 github.com/getkin/kin-openapi v0.13.0/go.mod h1:WGRs2ZMM1Q8LR1QBEwUxC6RJEfaBcD0s+pcEVXFuAjw=
diff --git a/vendor/github.com/gabriel-vasile/mimetype/internal/json/parser.go b/vendor/github.com/gabriel-vasile/mimetype/internal/json/parser.go
index fc3c7720cf..570889b7b1 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/internal/json/parser.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/internal/json/parser.go
@@ -63,8 +63,6 @@ type parserState struct {
 	// mainly because the functionality is not needed.
 	currPath [][]byte
 	// firstToken stores the first JSON token encountered in input.
-	// TODO: performance would be better if we would stop parsing as soon
-	// as we see that first token is not what we are interested in.
 	firstToken int
 	// querySatisfied is true if both path and value of any queries passed to
 	// consumeAny are satisfied.
diff --git a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/audio.go b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/audio.go
index 2b160711ff..a285001709 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/audio.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/audio.go
@@ -40,9 +40,10 @@ func Voc(raw []byte, _ uint32) bool {
 	return bytes.HasPrefix(raw, []byte("Creative Voice File"))
 }
 
-// M3u matches a Playlist file.
-func M3u(raw []byte, _ uint32) bool {
-	return bytes.HasPrefix(raw, []byte("#EXTM3U"))
+// M3U matches a Playlist file.
+func M3U(raw []byte, _ uint32) bool {
+	return bytes.HasPrefix(raw, []byte("#EXTM3U\n")) ||
+		bytes.HasPrefix(raw, []byte("#EXTM3U\r\n"))
 }
 
 // AAC matches an Advanced Audio Coding file.
diff --git a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/document.go b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/document.go
index 7208039580..4261a1d522 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/document.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/document.go
@@ -3,6 +3,8 @@ package magic
 import (
 	"bytes"
 	"encoding/binary"
+
+	"github.com/gabriel-vasile/mimetype/internal/scan"
 )
 
 // Pdf matches a Portable Document Format file.
@@ -98,3 +100,26 @@ func Lotus123(raw []byte, _ uint32) bool {
 func CHM(raw []byte, _ uint32) bool {
 	return bytes.HasPrefix(raw, []byte("ITSF\003\000\000\000\x60\000\000\000"))
 }
+
+// Inf matches an OS/2 .inf file.
+func Inf(raw []byte, _ uint32) bool {
+	return bytes.HasPrefix(raw, []byte("HSP\x01\x9b\x00"))
+}
+
+// Hlp matches an OS/2 .hlp file.
+func Hlp(raw []byte, _ uint32) bool {
+	return bytes.HasPrefix(raw, []byte("HSP\x10\x9b\x00"))
+}
+
+// FrameMaker matches an Adobe FrameMaker file.
+func FrameMaker(raw []byte, _ uint32) bool {
+	b := scan.Bytes(raw)
+	if !bytes.HasPrefix(b, []byte("<MakerFile")) &&
+		!bytes.HasPrefix(b, []byte("<MakerDictionary")) &&
+		b.Match([]byte("<BOOKFILE"), scan.IgnoreCase) == -1 {
+		return false
+	}
+
+	// To avoid plain text false positives.
+	return bytes.IndexByte(b[:min(len(b), 512)], 0x00) != -1
+}
diff --git a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/font.go b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/font.go
index 857cfcc552..e1dda7cf06 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/font.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/font.go
@@ -2,6 +2,7 @@ package magic
 
 import (
 	"bytes"
+	"encoding/binary"
 )
 
 // Woff matches a Web Open Font Format file.
@@ -16,7 +17,11 @@ func Woff2(raw []byte, _ uint32) bool {
 
 // Otf matches an OpenType font file.
 func Otf(raw []byte, _ uint32) bool {
-	return bytes.HasPrefix(raw, []byte{0x4F, 0x54, 0x54, 0x4F, 0x00})
+	// After OTTO an little endian int16 specifies the number of tables.
+	// Since the number of tables cannot exceed 256, the first byte of the
+	// int16 is always 0. PUID: fmt/520
+	return len(raw) > 48 && bytes.HasPrefix(raw, []byte("OTTO\x00")) &&
+		bytes.Contains(raw[12:48], []byte("CFF "))
 }
 
 // Ttf matches a TrueType font file.
@@ -24,7 +29,72 @@ func Ttf(raw []byte, limit uint32) bool {
 	if !bytes.HasPrefix(raw, []byte{0x00, 0x01, 0x00, 0x00}) {
 		return false
 	}
-	return !MsAccessAce(raw, limit) && !MsAccessMdb(raw, limit)
+	return hasSFNTTable(raw)
+}
+
+func hasSFNTTable(raw []byte) bool {
+	// 49 possible tables as explained below
+	if len(raw) < 16 || binary.BigEndian.Uint16(raw[4:]) >= 49 {
+		return false
+	}
+
+	// libmagic says there are 47 table names in specification, but it seems
+	// they reached 49 in the meantime.
+	// https://github.com/file/file/blob/5184ca2471c0e801c156ee120a90e669fe27b31d/magic/Magdir/fonts#L279
+	// At the same time, the TrueType docs seem misleading:
+	// 1. https://developer.apple.com/fonts/TrueType-Reference-Manual/index.html
+	// 2. https://developer.apple.com/fonts/TrueType-Reference-Manual/RM06/Chap6.html
+	// Page 1. has 48 tables. Page 2. has 49 tables. The diff is the gcid table.
+	// Take a permissive approach.
+	possibleTables := []uint32{
+		0x61636e74, // "acnt"
+		0x616e6b72, // "ankr"
+		0x61766172, // "avar"
+		0x62646174, // "bdat"
+		0x62686564, // "bhed"
+		0x626c6f63, // "bloc"
+		0x62736c6e, // "bsln"
+		0x636d6170, // "cmap"
+		0x63766172, // "cvar"
+		0x63767420, // "cvt "
+		0x45425343, // "EBSC"
+		0x66647363, // "fdsc"
+		0x66656174, // "feat"
+		0x666d7478, // "fmtx"
+		0x666f6e64, // "fond"
+		0x6670676d, // "fpgm"
+		0x66766172, // "fvar"
+		0x67617370, // "gasp"
+		0x67636964, // "gcid"
+		0x676c7966, // "glyf"
+		0x67766172, // "gvar"
+		0x68646d78, // "hdmx"
+		0x68656164, // "head"
+		0x68686561, // "hhea"
+		0x686d7478, // "hmtx"
+		0x6876676c, // "hvgl"
+		0x6876706d, // "hvpm"
+		0x6a757374, // "just"
+		0x6b65726e, // "kern"
+		0x6b657278, // "kerx"
+		0x6c636172, // "lcar"
+		0x6c6f6361, // "loca"
+		0x6c746167, // "ltag"
+		0x6d617870, // "maxp"
+		0x6d657461, // "meta"
+		0x6d6f7274, // "mort"
+		0x6d6f7278, // "morx"
+		0x6e616d65, // "name"
+		0x6f706264, // "opbd"
+		0x4f532f32, // "OS/2"
+	}
+	ourTable := binary.BigEndian.Uint32(raw[12:16])
+	for _, t := range possibleTables {
+		if ourTable == t {
+			return true
+		}
+	}
+	return false
 }
 
 // Eot matches an Embedded OpenType font file.
diff --git a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/image.go b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/image.go
index 788f5478b4..3a86858684 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/image.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/image.go
@@ -1,6 +1,10 @@
 package magic
 
-import "bytes"
+import (
+	"bytes"
+	"encoding/binary"
+	"slices"
+)
 
 // Png matches a Portable Network Graphics file.
 // https://www.w3.org/TR/PNG/
@@ -42,7 +46,28 @@ func Gif(raw []byte, _ uint32) bool {
 
 // Bmp matches a bitmap image file.
 func Bmp(raw []byte, _ uint32) bool {
-	return bytes.HasPrefix(raw, []byte{0x42, 0x4D})
+	if len(raw) < 18 {
+		return false
+	}
+	if raw[0] != 'B' || raw[1] != 'M' {
+		return false
+	}
+
+	bmpFormat := binary.LittleEndian.Uint32(raw[14:])
+	// sourced from libmagic Magdir/images
+	possibleFormats := []uint32{
+		48,  // PC bitmap, OS/2 2.x format (DIB header size=48)
+		24,  // PC bitmap, OS/2 2.x format (DIB header size=24)
+		16,  // PC bitmap, OS/2 2.x format (DIB header size=16)
+		64,  // PC bitmap, OS/2 2.x format
+		52,  // PC bitmap, Adobe Photoshop
+		56,  // PC bitmap, Adobe Photoshop with alpha channel mask
+		40,  // PC bitmap, Windows 3.x format
+		124, // PC bitmap, Windows 98/2000 and newer format
+		108, // PC bitmap, Windows 95/NT4 and newer format
+	}
+
+	return slices.Contains(possibleFormats, bmpFormat)
 }
 
 // Ps matches a PostScript file.
diff --git a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/meteo.go b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/meteo.go
index da77d0b0ea..9f5f7d6b1a 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/meteo.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/meteo.go
@@ -10,3 +10,11 @@ func GRIB(raw []byte, _ uint32) bool {
 		bytes.HasPrefix(raw, []byte("GRIB")) &&
 		(raw[7] == 1 || raw[7] == 2)
 }
+
+// BUFR matches meteorological data format for storing point or time series data.
+// https://confluence.ecmwf.int/download/attachments/31064617/ecCodes_BUFR_in_a_nutshell.pdf?version=1&modificationDate=1457000352419&api=v2
+func BUFR(raw []byte, _ uint32) bool {
+	return len(raw) > 7 &&
+		bytes.HasPrefix(raw, []byte("BUFR")) &&
+		(raw[7] == 0x03 || raw[7] == 0x04)
+}
diff --git a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/text.go b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/text.go
index 82f6c6702d..3fa6711813 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/internal/magic/text.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/internal/magic/text.go
@@ -352,6 +352,9 @@ func GLTF(raw []byte, limit uint32) bool {
 	return jsonHelper(raw, limit, json.QueryGLTF, json.TokObject)
 }
 
+// jsonHelper parses raw and tries to match the q query against it. wantToks
+// ensures we're not wasting time parsing an input that would not pass anyway,
+// ex: the input is a valid JSON array, but we're looking for a JSON object.
 func jsonHelper(raw scan.Bytes, limit uint32, q string, wantToks ...int) bool {
 	firstNonWS := raw.FirstNonWS()
 
@@ -376,7 +379,7 @@ func jsonHelper(raw scan.Bytes, limit uint32, q string, wantToks ...int) bool {
 
 	// If a section of the file was provided, check if all of it was inspected.
 	// In other words, check that if there was a problem parsing, that problem
-	// occurred at the last byte in the input.
+	// occurred after the last byte in the input.
 	return inspected == lraw && lraw > 0
 }
 
@@ -387,7 +390,6 @@ func NdJSON(raw []byte, limit uint32) bool {
 	lCount, objOrArr := 0, 0
 
 	s := scan.Bytes(raw)
-	s.DropLastLine(limit)
 	var l scan.Bytes
 	for len(s) != 0 {
 		l = s.Line()
diff --git a/vendor/github.com/gabriel-vasile/mimetype/mime.go b/vendor/github.com/gabriel-vasile/mimetype/mime.go
index 3dadf720a7..30c41ac04c 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/mime.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/mime.go
@@ -1,7 +1,7 @@
 package mimetype
 
 import (
-	"mime"
+	stdmime "mime"
 	"slices"
 	"strings"
 
@@ -52,8 +52,8 @@ func (m *MIME) Parent() *MIME {
 func (m *MIME) Is(expectedMIME string) bool {
 	// Parsing is needed because some detected MIME types contain parameters
 	// that need to be stripped for the comparison.
-	expectedMIME, _, _ = mime.ParseMediaType(expectedMIME)
-	found, _, _ := mime.ParseMediaType(m.mime)
+	expectedMIME, _, _ = stdmime.ParseMediaType(expectedMIME)
+	found, _, _ := stdmime.ParseMediaType(m.mime)
 
 	if expectedMIME == found {
 		return true
@@ -118,7 +118,7 @@ func (m *MIME) match(in []byte, readLimit uint32) *MIME {
 
 // flatten transforms an hierarchy of MIMEs into a slice of MIMEs.
 func (m *MIME) flatten() []*MIME {
-	out := []*MIME{m}
+	out := []*MIME{m} //nolint:prealloc
 	for _, c := range m.children {
 		out = append(out, c.flatten()...)
 	}
@@ -196,6 +196,7 @@ func (m *MIME) lookup(mime string) *MIME {
 // The sub-format will be detected if all the detectors in the parent chain return true.
 // The extension should include the leading dot, as in ".html".
 func (m *MIME) Extend(detector func(raw []byte, limit uint32) bool, mime, extension string, aliases ...string) {
+	mime, _, _ = stdmime.ParseMediaType(mime)
 	c := &MIME{
 		mime:      mime,
 		extension: extension,
diff --git a/vendor/github.com/gabriel-vasile/mimetype/supported_mimes.md b/vendor/github.com/gabriel-vasile/mimetype/supported_mimes.md
index 45de7b9e33..79a3617fcf 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/supported_mimes.md
+++ b/vendor/github.com/gabriel-vasile/mimetype/supported_mimes.md
@@ -1,4 +1,4 @@
-## 195 Supported MIME types
+## 199 Supported MIME types
 This file is automatically generated when running tests. Do not edit manually.
 
 Extension | MIME type <br> Aliases | Hierarchy
@@ -99,7 +99,7 @@ Extension | MIME type <br> Aliases | Hierarchy
 **.asf** | **video/x-ms-asf** <br> video/asf, video/x-ms-wmv | asf>root
 **.aac** | **audio/aac** | aac>root
 **.voc** | **audio/x-unknown** | voc>root
-**.m3u** | **application/vnd.apple.mpegurl** <br> audio/mpegurl | m3u>root
+**.m3u** | **application/vnd.apple.mpegurl** <br> audio/mpegurl, application/x-mpegurl | m3u>root
 **.rmvb** | **application/vnd.rn-realmedia-vbr** | rmvb>root
 **.gz** | **application/gzip** <br> application/x-gzip, application/x-gunzip, application/gzipped, application/gzip-compressed, application/x-gzip-compressed, gzip/document | gz>root
 **.class** | **application/x-java-applet** | class>root
@@ -154,6 +154,10 @@ Extension | MIME type <br> Aliases | Hierarchy
 **.dxf** | **image/vnd.dxf** | dxf>root
 **.grb** | **application/grib** | grb>root
 **n/a** | **application/zlib** | zlib>root
+**.inf** | **application/x-os2-inf** | inf>root
+**.hlp** | **application/x-os2-hlp** | hlp>root
+**.fm** | **application/vnd.framemaker** | fm>root
+**.bufr** | **application/bufr** | bufr>root
 **.txt** | **text/plain** | txt>root
 **.svg** | **image/svg+xml** | svg>txt>root
 **.html** | **text/html** | html>txt>root
diff --git a/vendor/github.com/gabriel-vasile/mimetype/tree.go b/vendor/github.com/gabriel-vasile/mimetype/tree.go
index 29ef820b7f..55023baef6 100644
--- a/vendor/github.com/gabriel-vasile/mimetype/tree.go
+++ b/vendor/github.com/gabriel-vasile/mimetype/tree.go
@@ -24,7 +24,7 @@ var root = newMIME("application/octet-stream", "",
 	woff2, otf, ttc, eot, wasm, shx, dbf, dcm, rar, djvu, mobi, lit, bpg, cbor,
 	sqlite3, dwg, nes, lnk, macho, qcp, icns, hdr, mrc, mdb, accdb, zstd, cab,
 	rpm, xz, lzip, torrent, cpio, tzif, xcf, pat, gbr, glb, cabIS, jxr, parquet,
-	oneNote, chm, wpd, dxf, grib, zlib,
+	oneNote, chm, wpd, dxf, grib, zlib, inf, hlp, fm, bufr,
 	// Keep text last because it is the slowest check.
 	text,
 )
@@ -174,8 +174,8 @@ var (
 	aMp4 = newMIME("audio/mp4", ".mp4", magic.AMp4).
 		alias("audio/x-mp4a")
 	m4a = newMIME("audio/x-m4a", ".m4a", magic.M4a)
-	m3u = newMIME("application/vnd.apple.mpegurl", ".m3u", magic.M3u).
-		alias("audio/mpegurl")
+	m3u = newMIME("application/vnd.apple.mpegurl", ".m3u", magic.M3U).
+		alias("audio/mpegurl", "application/x-mpegurl")
 	m4v  = newMIME("video/x-m4v", ".m4v", magic.M4v)
 	mj2  = newMIME("video/mj2", ".mj2", magic.Mj2)
 	dvb  = newMIME("video/vnd.dvb.file", ".dvb", magic.Dvb)
@@ -290,4 +290,8 @@ var (
 	rfc822  = newMIME("message/rfc822", ".eml", magic.RFC822)
 	grib    = newMIME("application/grib", ".grb", magic.GRIB)
 	zlib    = newMIME("application/zlib", "", magic.Zlib)
+	inf     = newMIME("application/x-os2-inf", ".inf", magic.Inf)
+	hlp     = newMIME("application/x-os2-hlp", ".hlp", magic.Hlp)
+	fm      = newMIME("application/vnd.framemaker", ".fm", magic.FrameMaker)
+	bufr    = newMIME("application/bufr", ".bufr", magic.BUFR)
 )
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a024f6c3be..b55b7373f6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -453,7 +453,7 @@ github.com/felixge/httpsnoop
 ## explicit; go 1.17
 github.com/fsnotify/fsnotify
 github.com/fsnotify/fsnotify/internal
-# github.com/gabriel-vasile/mimetype v1.4.12
+# github.com/gabriel-vasile/mimetype v1.4.13
 ## explicit; go 1.21
 github.com/gabriel-vasile/mimetype
 github.com/gabriel-vasile/mimetype/internal/charset