chore(deps): update dependency diff to v8.0.3 [security]#6508
chore(deps): update dependency diff to v8.0.3 [security]#6508renovate[bot] wants to merge 1 commit into
Conversation
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (1)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
View your CI Pipeline Execution ↗ for commit 4752ab1
☁️ Nx Cloud last updated this comment at |
renovate
Bot
force-pushed
the
renovate/npm-diff-vulnerability
branch
6 times, most recently
from
0d7c476 to
21865c4
Compare
renovate
Bot
force-pushed
the
renovate/npm-diff-vulnerability
branch
8 times, most recently
from
1712c37 to
a1ea407
Compare
renovate
Bot
force-pushed
the
renovate/npm-diff-vulnerability
branch
from
a1ea407 to
410a670
Compare
renovate
Bot
force-pushed
the
renovate/npm-diff-vulnerability
branch
2 times, most recently
from
815904a to
3c9ee04
Compare
renovate
Bot
force-pushed
the
renovate/npm-diff-vulnerability
branch
from
3c9ee04 to
2ecbcfa
Compare
🚀 Changeset Version Preview6 package(s) bumped directly, 18 bumped as dependents. 🟨 Minor bumps
🟩 Patch bumps
|
![nx-cloud[bot]](https://avatars.githubusercontent.com/in/80458?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
renovate
Bot
force-pushed
the
renovate/npm-diff-vulnerability
branch
4 times, most recently
from
7f92497 to
2b4ff76
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
renovate
Bot
force-pushed
the
renovate/npm-diff-vulnerability
branch
from
2b4ff76 to
04cbc50
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated the CI failures and determined they are unrelated to the diff v8.0.3 security update — the TypeScript type errors in @tanstack/eslint-plugin-start and @tanstack/eslint-plugin-router stem from pre-existing incompatibilities in @typescript-eslint/utils and @eslint/core that the diff package has no dependency on. Our recommendation is to merge this security fix and address the ESLint plugin type errors separately.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We reviewed the failing tasks and confirmed they are unrelated to this diff 8.0.2 → 8.0.3 security update. The failures are pre-existing TypeScript type compatibility errors (ESLint plugin and Query type mismatches) that also appear in branch 6614, independent of this PR. Our recommendation is to merge this security fix and address the pre-existing type errors separately.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated the CI failures and confirmed they are pre-existing issues unrelated to this PR's diff package security update. The same TypeScript type errors and Query type incompatibilities appear in other branches, indicating an environment-level misconfiguration. Our change — a pure dependency version bump — has no logical connection to these failures.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We reviewed the CI failures and determined none are related to this security bump of diff from 8.0.2 to 8.0.3. The TypeScript build errors in the eslint plugins and vue-query examples are pre-existing environment-level type conflicts, and the HMR e2e failure is a known flaky test. Our changes are safe to merge.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We identified the failing tasks as pre-existing environment issues unrelated to this PR, which only bumps the diff package lockfile entry. The same TypeScript type incompatibility errors exist in other branches, confirming they were not introduced by this security update.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
Nx Cloud has identified a possible root cause for your failed CI:
We investigated the CI failures and determined they are pre-existing TypeScript type errors unrelated to this PR. The same failures appear in branch 6614, confirming they exist independently of this security update. Our changes are limited to a lockfile bump of the diff package and cannot be the cause of these type incompatibilities.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Nx Cloud has identified a possible root cause for your failed CI:
We identified the CI failures as pre-existing TypeScript type incompatibilities unrelated to this diff package security patch. The same failures are present in other branches, confirming they are not introduced by this change and should be addressed at the environment level independently.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
This CI failure appears to be related to the environment or external dependencies rather than your code changes.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We reviewed the failing tasks and determined they are pre-existing type compatibility issues unrelated to this diff v8.0.2 → v8.0.3 security update. The failures stem from Vue reactivity type mismatches and an @typescript-eslint/utils version conflict — neither of which the diff package touches. Our recommendation is to merge this security fix and address the type issues separately.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We identified that all failing tasks are pre-existing failures also present in branch 6614, unrelated to this security bump of the diff package. The errors involve TypeScript type incompatibilities across vue-router, react-router, eslint-plugin-router, and other packages that have no connection to the diff library.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We identified that the CI failures are pre-existing environment issues unrelated to this security update — the same TypeScript compilation errors (version mismatches in @typescript-eslint/utils and @eslint/core type references) are also present in branch 6614. Since updating the diff package from 8.0.2 to 8.0.3 has no causal relationship to these failures, this PR is safe to merge once the underlying environment issues are resolved.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We identified that the failing tasks involve TypeScript type errors in @typescript-eslint/utils (version mismatch 8.57.1 vs 8.53.0), @eslint/core type resolution, and @tanstack/vue-query query key types — none of which are related to the diff 8.0.2→8.0.3 security patch. These appear to be pre-existing environment-level TypeScript compatibility issues that are not caused by this PR.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated all 18 failing tasks and found that none of the errors are related to the diff package security update (v8.0.2 → v8.0.3). The failures are pre-existing TypeScript type incompatibilities in TanStack Vue Query integrations and ESLint plugin builds, involving internal query key tag symbols and mismatched @typescript-eslint/utils versions that have no connection to the diff text-diffing utility.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
This CI failure appears to be related to the environment or external dependencies rather than your code changes.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We reviewed the CI failures and determined they are pre-existing issues unrelated to this PR. The failing tasks involve TypeScript type incompatibilities in @tanstack/vue-query and @typescript-eslint/utils — none of which are touched by the diff 8.0.2 → 8.0.3 security update. The same failures are present in other branches, confirming this is not a regression introduced by this change.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We determined this failure is an environment state issue, not caused by the diff 8.0.2→8.0.3 security patch itself. All failing tasks show TypeScript type errors in @tanstack/query and @typescript-eslint/utils that are entirely unrelated to the diff package's functionality. The lockfile update caused Nx to re-run all affected project tasks, surfacing pre-existing transitive dependency version conflicts.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
This CI failure appears to be related to the environment or external dependencies rather than your code changes.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated the failing tasks and determined they are pre-existing failures unrelated to this security patch — the same errors appear in branch 6614, confirming they exist independently of this change. The diff package update only affects the lockfile and does not touch any of the failing test areas (ESLint plugins, Vue query E2E, HMR tests). Our recommendation is to merge this security fix and address the pre-existing failures separately.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We reviewed the failing tasks and determined they are pre-existing failures unrelated to this security patch. The same TypeScript type errors, unit test failures, and E2E failures are present in branch 6614, confirming these regressions exist on the base branch independently of this diff v8.0.3 upgrade.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We determined these CI failures are pre-existing and unrelated to this security update. The failing tasks all involve TypeScript type errors in @tanstack/vue-query integration code (missing [dataTagSymbol]/[dataTagErrorSymbol] on QueryKey types), which have no connection to the diff text-diffing utility being updated here. Our recommendation is to merge this security fix and address the Vue Query type failures separately.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated the CI failures and determined they are unrelated to this diff 8.0.2 → 8.0.3 security update. The failures are pre-existing TypeScript type incompatibilities between @tanstack/vue-query and @tanstack/vue-router, and ESLint plugin build errors caused by @typescript-eslint/utils version mismatches — none of which are influenced by the diff package. We recommend merging this security patch and addressing the pre-existing type issues separately.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We classified these failures as pre-existing environment issues unrelated to this PR, which only bumps the diff package for a security fix. The same 19 failing tasks are present in branch 6614, confirming they existed before this change was introduced. No action is needed on this PR to address these failures.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated the failing tasks and determined they are not caused by this PR. The failures are TypeScript type errors related to @tanstack/query-core query key branding (dataTagSymbol/dataTagErrorSymbol), which have no connection to the diff text diffing library being updated here. Our assessment is that these are pre-existing environmental type incompatibilities unrelated to the diff 8.0.2 → 8.0.3 security upgrade.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
This CI failure appears to be related to the environment or external dependencies rather than your code changes.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We classified these CI failures as pre-existing environment issues rather than regressions introduced by this PR. The failures involve TypeScript type incompatibilities in @typescript-eslint/utils and @eslint/core that are entirely unrelated to the diff package security update. Our analysis confirmed the same failures exist in branch 6614, indicating they must be resolved in the base branch before merging.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated the failing tasks and found the same failures exist in branch 6614, confirming they are pre-existing issues unrelated to this PR. Since this change only updates the diff package for a security patch, none of the TypeScript type errors, e2e build failures, or ESLint issues can be attributed to it. No code changes are needed from our side to address these failures.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated the CI failures and determined they are pre-existing issues unrelated to this security dependency update. The same failures appear in other branches (e.g., branch 6614), confirming they were not introduced by bumping diff from 8.0.2 to 8.0.3. This PR is safe to merge once the underlying environment issues are resolved separately.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
We investigated all failing tasks and confirmed they are pre-existing failures also present on the main branch, unrelated to this diff package security bump. Our analysis shows the TypeScript type incompatibilities and e2e test failures stem from environment/configuration issues that exist independently of this PR.
No code changes were suggested for this issue.
Trigger a rerun:
🎓 Learn more about Self-Healing CI on nx.dev
Renovate Ignore NotificationBecause you closed this PR without merging, Renovate will ignore this update ( If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR. |
1 participant
This PR contains the following updates:
8.0.2→8.0.3jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
CVE-2026-24001 / GHSA-73rr-hh4g-fpgx
More information
Details
Impact
Attempting to parse a patch whose filename headers contain the line break characters
\r,\u2028, or\u2029can cause theparsePatchmethod to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory.Applications are therefore likely to be vulnerable to a denial-of-service attack if they call
parsePatchwith a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when callingparsePatchon a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed).The
applyPatchmethod is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string usingparsePatch. Other methods of the library are unaffected.Finally, a second and lesser bug - a ReDOS - also exhibits when those same line break characters are present in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take
parsePatchO(n³) time to parse.Patches
All vulnerabilities described are fixed in v8.0.3.
Workarounds
If using a version of jsdiff earlier than v8.0.3, do not attempt to parse patches that contain any of these characters:
\r,\u2028, or\u2029.References
PR that fixed the bug: https://github.com/kpdecker/jsdiff/pull/649
CVE Notes
Note that although the advisory describes two bugs, they each enable exactly the same attack vector (that an attacker who controls input to
parsePatchcan cause a DOS). Fixing one bug without fixing the other therefore does not fix the vulnerability and does not provide any security benefit. Therefore we assume that the bugs cannot possibly constitute Independently Fixable Vulnerabilities in the sense of CVE CNA rule 4.2.11, but rather that this advisory is properly construed under the rules as describing a single Vulnerability.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
kpdecker/jsdiff (diff)
v8.0.3Compare Source
Intl.SegmenterwithdiffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).diffWordswhen used without anIntl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (×and÷) are now treated as punctuation instead of as letters / word characters.createPatchetc. patches can now be customised somewhat. It now takes aheaderOptionsoption that can be used to disable the file headers entirely, or omit theIndex:line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced withheaderOptions: FILE_HEADERS_ONLY.parsePatchwhereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now,parsePatchshould reliably take linear time. (Handling of headers that include the line break characters\r,\u2028, or\u2029in non-trailing positions is also now more reasonable as side effect of the fix.)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.