A (low) security vulnerability was found in the dependency diff. It was fixed in version 8.0.3, but this package still depends on ^7.0. See kpdecker/jsdiff#644 and GHSA-73rr-hh4g-fpgx for details.
Is it possible to bump the dependency to `^8.0` or `^7.0 || ^8.0`? The release notes (https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) suggest that from a functional perspective not a lot changed, but I have no clue how those changes might impact diff2html. Based on a quick search I can only find a direct dependency in render-utils.ts.
Line 1 of render-utils.ts at 660817b:

```ts
import * as jsDiff from 'diff';
```
Due to the vulnerability, npm audit now fails when diff2html is installed:
```sh
docker run --rm -it node:24 bash
cd /opt
npm install diff2html
npm audit
```

Output:

```
# npm audit report

diff  <8.0.3
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/diff
  diff2html  >=0.2.0-1
  Depends on vulnerable versions of diff
  node_modules/diff2html

2 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
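The `npm audit` report above flags the transitive `diff` copy pulled in by diff2html. The following is an added example, not code from diff2html or jsdiff, of how a consumer can check a `package-lock.json` (lockfile v2/v3 `packages` map) for every installed copy of a package, including nested `node_modules` copies, whose version falls in an advisory range such as `<8.0.3`. The lockfile fragment and the `example-app` project name are constructed for the example; the diff2html version in it is a labelled placeholder, and the only real values are the `diff` range from the advisory and the `^7.0.0` constraint from this issue.

```javascript
// Parse "7.0.0" / "v8.0.3-beta+build" into [major, minor, patch].
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a plain semver version: ${v}`);
  }
  return parts;
}

// Three-way comparison on the numeric components only.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate an advisory range written as space-separated comparators,
// e.g. "<8.0.3" or ">=7.0.0 <8.0.3". Every comparator must hold.
function inRange(version, range) {
  return range.trim().split(/\s+/).every((cmp) => {
    const m = cmp.match(/^(<=|>=|<|>|=)?(.+)$/);
    if (!m) throw new Error(`bad comparator: ${cmp}`);
    const op = m[1] || '=';
    const c = compareVersions(version, m[2]);
    switch (op) {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// Walk the lockfile's "packages" map and return every install path of `name`
// whose version satisfies `vulnerableRange`. Paths look like
// "node_modules/diff" or "node_modules/diff2html/node_modules/diff", so the
// installed package name is whatever follows the last "node_modules/".
function findVulnerable(lock, name, vulnerableRange) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const installed = path.split('node_modules/').pop();
    if (installed !== name || !entry.version) continue;
    if (inRange(entry.version, vulnerableRange)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment mirroring the issue: the root project depends
// on diff2html, which declares diff ^7.0.0, so npm resolves a 7.x copy of diff.
const sampleLock = {
  name: 'example-app', // constructed
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { diff2html: '*' } },
    'node_modules/diff2html': {
      version: '0.0.0-placeholder', // not a real diff2html version
      dependencies: { diff: '^7.0.0' },
    },
    'node_modules/diff': { version: '7.0.0' },
  },
};

// Range taken from the advisory text in the npm audit report: diff <8.0.3.
const DIFF_VULNERABLE_RANGE = '<8.0.3';

console.log(findVulnerable(sampleLock, 'diff', DIFF_VULNERABLE_RANGE));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Until diff2html widens its constraint, a consumer can force the fixed version with the standard `overrides` field in their own `package.json` (`"overrides": { "diff": "^8.0.3" }`), with the same caveat raised above: the 8.x API changes have to be checked against diff2html's use of `parsePatch` and friends.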