
@drzippie

Summary

Upgrades the diff package from v4 to v8.0.3 to address security vulnerability GHSA-73rr-hh4g-fpgx.

Security Advisory

  • ID: GHSA-73rr-hh4g-fpgx
  • Severity: Low
  • Issue: DoS vulnerability in parsePatch() and applyPatch() - line break characters can cause infinite loops or ReDoS
  • Affected versions: < 8.0.3
  • Patched version: 8.0.3
  • Note: ts-node only uses diffLines() which is NOT affected by this vulnerability

Changes

  • Updated diff from ^4.0.1 to ^8.0.3
  • Removed @types/diff (v8 includes built-in TypeScript types)

Impact

  • Only diffLines() is used in src/repl.ts for REPL code execution
  • The API is backward compatible - no code changes needed
  • All REPL tests pass locally

Security fix: Upgrades the `diff` package from v4.0.1 to v8.0.3 to address
security vulnerability GHSA-73rr-hh4g-fpgx (DoS in parsePatch/applyPatch).

Changes:
- Updated diff from ^4.0.1 to ^8.0.3
- Removed @types/diff (v8 includes built-in TypeScript types)

Note: ts-node only uses diffLines() which is NOT affected by this vulnerability,
but upgrading resolves npm audit warnings.
@scorgn

scorgn commented Jan 16, 2026

Thank you for putting this together! Would be great to get this out.

I noticed the MR was pointing towards main, which lists its version as 11.0.0-beta.1. I see there is still a 10.x branch though which lists version 10.9.2.

Question for the maintainers - could this patch be backported to v10.x considering v11 never left beta?
