Bug
Resolution: Done
Chromium maintains a fork of zlib with optimizations and fixes.
Whenever an issue is identified, Chromium developers report it to canonical zlib (i.e. https://github.com/madler/zlib).
A recent case was CVE-2023-45853 (https://nvd.nist.gov/vuln/detail/CVE-2023-45853) where fortunately the fix (https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356) was accepted upstream (https://github.com/madler/zlib/pull/843).
Unfortunately, there are still two known issues whose fixes never made it into the upstream zlib develop branch.
The first causes a crash when zlib is built with ZLIB_DEBUG:
https://github.com/madler/zlib/pull/525
We landed the fix in 2020 in Chromium zlib:
https://chromium-review.googlesource.com/c/chromium/src/+/2426443
The second prevents the use of an uninitialized member variable in the deflate state, as explained in: https://github.com/madler/zlib/issues/245
We have shipped this since 2017 in Chromium:
https://chromium-review.googlesource.com/c/chromium/src/+/688501
There are other related patches in https://source.chromium.org/chromium/chromium/src/+/main:third_party/zlib/patches/
that may (or may not) warrant a closer look.