Unzip in the edge version uses an outdated security patch
Here is what we have: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c.patch But there were further updates. In particular, I'm now not able to extract an archive, which is definitely not a bomb (that is even produced by the zip utility from the same release of Alpine!). Therefore, I had to use an older unzip package. Moreover, this patch cannot be used isolated. Citing the author:
Please note the comment in the commit, that this depends on another commit. You cannot apply this commit in isolation. Also there is a subsequent commit that generalizes the bomb detection to zip-like containers that do not follow the zip standard, putting the central directory at the beginning of the container.
It'd be nice to have it fixed.