Skip to content

Upgrade diff dependency from v4 to v8.0.3 (GHSA-73rr-hh4g-fpgx)#2169

Open
drzippie wants to merge 1 commit intoTypeStrong:mainfrom
drzippie:fix/upgrade-diff-v8
Open

Upgrade diff dependency from v4 to v8.0.3 (GHSA-73rr-hh4g-fpgx)#2169
drzippie wants to merge 1 commit intoTypeStrong:mainfrom
drzippie:fix/upgrade-diff-v8

Conversation

@drzippie
Copy link

@drzippie drzippie commented Jan 15, 2026

Summary

Upgrades the diff package from v4 to v8.0.3 to address security vulnerability GHSA-73rr-hh4g-fpgx.

Security Advisory

  • ID: GHSA-73rr-hh4g-fpgx
  • Severity: Low
  • Issue: DoS vulnerability in parsePatch() and applyPatch() - line break characters can cause infinite loops or ReDoS
  • Affected versions: < 8.0.3
  • Patched version: 8.0.3
  • Note: ts-node only uses diffLines() which is NOT affected by this vulnerability

Changes

  • Updated diff from ^4.0.1 to ^8.0.3
  • Removed @types/diff (v8 includes built-in TypeScript types)

Impact

  • Only diffLines() is used in src/repl.ts for REPL code execution
  • The API is backward compatible - no code changes needed
  • All REPL tests pass locally

@drzippie
Upgrade diff dependency from v4 to v8.0.3 (GHSA-73rr-hh4g-fpgx)
5bf37ec 
Security fix: Upgrades the `diff` package from v4.0.1 to v8.0.3 to address
security vulnerability GHSA-73rr-hh4g-fpgx (DoS in parsePatch/applyPatch).

Changes:
- Updated diff from ^4.0.1 to ^8.0.3
- Removed @types/diff (v8 includes built-in TypeScript types)

Note: ts-node only uses diffLines() which is NOT affected by this vulnerability,
but upgrading resolves npm audit warnings.
@scorgn
Copy link

scorgn commented Jan 16, 2026

Thank you for putting this together! Would be great to get this out.

I noticed the MR was pointing towards main, which lists is version as 11.0.0-beta.1. I see there is still a 10.x branch though which lists version 10.9.2.

Question for the maintainers - could this patch be backported to v10.x considering v11 never left beta?

hlovdal added a commit to hlovdal/node-red-display-property that referenced this pull request Jan 18, 2026
@hlovdal
Temporary override diff package
2b3f4ef 
TypeStrong/ts-node#2169
@khoserdene-mezorn
Copy link

khoserdene-mezorn commented Jan 19, 2026

This change is urgently needed. 2 low severity vulnerabilities exist in the current 10.9.2 version.

@richardkazuomiller
Copy link

richardkazuomiller commented Jan 19, 2026

It seems that this project is no longer maintained so users may need to mitigate downstream. I don’t use ts-node directly but I am affected because it’s a transitive dependency of something else I use, so if there’s no activity here for a while I may request that the dependent of ts-node that I use make a change on their part.

#2119
#2140

@kpatsis kpatsis mentioned this pull request Jan 20, 2026
Open
@alumni
Copy link

alumni commented Jan 21, 2026

This change is urgently needed.

[email protected] was released and the vulnerabilities were patched there.

So there's a fix that doesn't need waiting for this PR to be merged.

@richardkazuomiller
Copy link

richardkazuomiller commented Jan 21, 2026
edited
Loading

The fix in diff will not propagate downstream wothout this PR being merged because it is in diff version 8.x while the version ts-node includes is 4.x.

@richardkazuomiller
Copy link

richardkazuomiller commented Jan 21, 2026

Sorry! Apparently I cannot read! It looks like this is no longer necessary to remediate downstream 🤠

@vahidshirvani
Copy link

vahidshirvani commented Jan 21, 2026

@blakeembrey would you kindly merge this and publish a release so we can get rid of vulnerability?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

3 more reviewers

@50bbx 50bbx 50bbx approved these changes

@wilpat wilpat wilpat approved these changes

@nsalto nsalto nsalto approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@drzippie @scorgn @khoserdene-mezorn @richardkazuomiller @alumni @vahidshirvani @50bbx @wilpat @nsalto