Upgrade diff dependency from v4 to v8.0.3 (GHSA-73rr-hh4g-fpgx) #2169
Conversation
Security fix: Upgrades the `diff` package from v4.0.1 to v8.0.3 to address security vulnerability GHSA-73rr-hh4g-fpgx (DoS in parsePatch/applyPatch).

Changes:
- Updated diff from ^4.0.1 to ^8.0.3
- Removed @types/diff (v8 includes built-in TypeScript types)

Note: ts-node only uses diffLines() which is NOT affected by this vulnerability, but upgrading resolves npm audit warnings.
Thank you for putting this together! Would be great to get this out. I noticed the MR was pointing towards main, which lists its version as 11.0.0-beta.1. I see there is still a 10.x branch though which lists version 10.9.2. Question for the maintainers - could this patch be backported to v10.x considering v11 never left beta?
This change is urgently needed. 2 low severity vulnerabilities exist in the current 10.9.2 version.
It seems that this project is no longer maintained so users may need to mitigate downstream. I don't use ts-node directly but I am affected because it's a transitive dependency of something else I use, so if there's no activity here for a while I may request that the dependent of ts-node that I use make a change on their part.

So there's a fix that doesn't need waiting for this PR to be merged.
Sorry! Apparently I cannot read! It looks like this is no longer necessary to remediate downstream 🤠
@blakeembrey would you kindly merge this and publish a release so we can get rid of the vulnerability?
Summary

Upgrades the `diff` package from v4 to v8.0.3 to address security vulnerability GHSA-73rr-hh4g-fpgx.

Security Advisory

- parsePatch() and applyPatch(): line break characters can cause infinite loops or ReDoS
- diffLines() is NOT affected by this vulnerability

Changes

- Updated diff from ^4.0.1 to ^8.0.3
- Removed @types/diff (v8 includes built-in TypeScript types)

Impact

- diffLines() is used in src/repl.ts for REPL code execution
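As an added triage example, not code from this PR or from ts-node: a script that applies the reasoning in the description above to a code base, checking both whether the installed `diff` version is below the fixed 8.0.3 and whether the project's own sources call the affected parsePatch/applyPatch entry points rather than only diffLines. The helper names and the sample file contents are assumptions constructed for the example.

```javascript
// Added example, not ts-node's code: triage whether a dependency advisory is
// actually reachable from a code base, following this PR's reasoning.
// Assumed: parsePatch/applyPatch are the only affected entry points and
// 8.0.3 is the first fixed release (both taken from the PR description).
const AFFECTED_APIS = ["parsePatch", "applyPatch"];
const FIXED_VERSION = [8, 0, 3];
// Parse "^4.0.1" or "8.0.3" into [major, minor, patch].
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the installed version is at or above the fixed release.
function isFixedVersion(spec) {
  const v = parseVersion(spec);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_VERSION[i]) return v[i] > FIXED_VERSION[i];
  }
  return true;
}

// Names of the `diff` APIs a source file calls (call sites only, so an
// import list such as `import { diffLines } from 'diff'` does not count).
function diffApisCalled(source) {
  const called = new Set();
  const re = /\b(parsePatch|applyPatch|diffLines)\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) called.add(m[1]);
  return [...called].sort();
}

// files: { path -> source text }. Exploitable only if the installed version
// is affected AND some file calls an affected API.
function assessExposure(installedVersion, files) {
  const reachable = [];
  for (const [path, src] of Object.entries(files)) {
    const apis = diffApisCalled(src).filter((n) => AFFECTED_APIS.includes(n));
    if (apis.length) reachable.push({ path, apis });
  }
  const vulnerableVersion = !isFixedVersion(installedVersion);
  return { vulnerableVersion, reachable, exploitable: vulnerableVersion && reachable.length > 0 };
}

// Constructed sample sources (hypothetical, not real ts-node files).
const SAMPLE_FILES = {
  "src/repl.ts": "import { diffLines } from 'diff';\nconst d = diffLines(prev, next);",
  "scripts/apply.js": "const { parsePatch, applyPatch } = require('diff');\napplyPatch(src, parsePatch(patchText)[0]);",
};
```

A regex scan cannot see aliased or dynamically constructed calls, so treat a "not reachable" result as a prompt for manual review rather than proof, and still upgrade to clear the audit finding.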