From d498092166cbe806f475f4f2ebbc2657dcdcabb8 Mon Sep 17 00:00:00 2001
From: Antonis Lilis
Date: Thu, 26 Feb 2026 14:08:47 +0100
Subject: [PATCH] chore(deps): bump diff to ^5.2.2

Adds a yarn resolution to force diff to >=5.2.2, patching DoS vulnerabilities in parsePatch and applyPatch. Resolves both the 4.x (affected: >= 4.0.0, < 4.0.4) and 5.x (affected: >= 5.0.0, < 5.2.2) series by consolidating all consumers onto 5.2.2.

Co-Authored-By: Claude Sonnet 4.6
---
 package.json | 1 +
 yarn.lock | 15 ++++-----------
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/package.json b/package.json
index bd69d55849..fdc83dd1d2 100644
--- a/package.json
+++ b/package.json
@@ -65,6 +65,7 @@
 "qs": "^6.14.2",
 "lodash": "^4.17.23",
 "tar-fs": "^3.1.1",
+"diff": "^5.2.2",
 "tar": "^7.5.7"
 },
 "version": "0.0.0",
diff --git a/yarn.lock b/yarn.lock
index d9063b15cf..bbfbdf8c71 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -17677,17 +17677,10 @@ __metadata:
 languageName: node
 linkType: hard
-"diff@npm:5.2.0":
- version: 5.2.0
- resolution: "diff@npm:5.2.0"
- checksum: 12b63ca9c36c72bafa3effa77121f0581b4015df18bc16bac1f8e263597735649f1a173c26f7eba17fb4162b073fee61788abe49610e6c70a2641fe1895443fd
- languageName: node
- linkType: hard
-"diff@npm:^4.0.1":
- version: 4.0.2
- resolution: "diff@npm:4.0.2"
- checksum: f2c09b0ce4e6b301c221addd83bf3f454c0bc00caa3dd837cf6c127d6edf7223aa2bbe3b688feea110b7f262adbfc845b757c44c8a9f8c0c5b15d8fa9ce9d20d
+"diff@npm:^5.2.2":
+ version: 5.2.2
+ resolution: "diff@npm:5.2.2"
+ checksum: a1af5d6322ca6312279369665b5a9e6d54cd2aed42729a30523e174ccd14661a752bf10d75deec8763964cab3df3787fe816f88e9de7ee8fe774852007269d88
 languageName: node
 linkType: hard
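Review bot: The new `"diff": "^5.2.2"` line in the package.json hunk moves whichever dependency declared `diff@npm:^4.0.1` (the lock entry removed in the yarn.lock hunk) across a major version it did not request, and the hunk gives no sign that this consumer was exercised. The description itself names 4.0.4 as the first unaffected 4.x release, so a descriptor-scoped resolution such as `"diff@npm:^4.0.1": "4.0.4"` would close the advisory for that consumer without the major bump; if consolidating on 5.2.2 is the intent, that consumer's tests should run in CI before merge. The hunk header `@@ -65,6 +65,7 @@` carries no enclosing key, so that this entry sits in `resolutions` rather than a dependency block is taken from the description, not visible here.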