chore(deps): update dependency diff to v8.0.3 [security]#7904
Merged
renovate[bot] merged 1 commit intomainfrom Jan 15, 2026
Merged
chore(deps): update dependency diff to v8.0.3 [security]#7904renovate[bot] merged 1 commit intomainfrom
renovate[bot] merged 1 commit intomainfrom
Conversation
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
✅ Deploy Preview for rolldown-rs canceled.
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
renovate
bot
force-pushed
the
renovate/npm-diff-vulnerability
branch
from
c2db7a1 to
3fad48d
Compare
This was referenced Jan 21, 2026
Merged
shulaoda
pushed a commit
that referenced
this pull request
Jan 22, 2026
## [1.0.0-rc.1] - 2026-01-22 ### 🚀 Features - debug_info: add facade chunk elimination reason (#7980) by @IWANABETHATGUY - support lazy barrel optimization (#7933) by @shulaoda - add `experimental.lazyBarrel` option (#7908) by @shulaoda - skip unused external modules from IIFE parameter list (#7978) by @sapphi-red - add custom panic hook for better crash reporting (#7752) by @shulaoda - treeshake: add `invalidImportSideEffects` option (#7958) by @shulaoda - merge allow-extension emitted chunks (#7940) by @IWANABETHATGUY - nativeMagicString generateMap (#7944) by @IWANABETHATGUY - Include meta.magicString in RenderChunkMeta (#7943) by @IWANABETHATGUY - debug_info: add debug info for eliminated facade chunks (#7946) by @IWANABETHATGUY - stablize `strictExecutionOrder` and move to `output.strictExecutionOrder` from `experimental.strictExecutionOrder` (#7901) by @sapphi-red - add documentation link to require() error message (#7898) by @Copilot - add `codeSplitting: boolean` and deprecate `inlineDynamicImports` (#7870) by @hyf0 - dev: change lazy module URL to `/@vite/lazy` from `/lazy` (#7884) by @sapphi-red ### 🐛 Bug Fixes - transform JS files containing `</script>` to escape template literals (#7987) by @IWANABETHATGUY - apply avoid-breaking-exported-api = false to clippy.toml and fix clippy errors (#7982) by @Boshen - pass `kind` from `this.resolve` (#7981) by @sapphi-red - rolldown_plugin_vite_resolve: ignore yarn resolution errors and fallback to other resolvers (#7968) by @sapphi-red - renamer: prevent renaming symbols when there no conflicts (#7936) by @Dunqing - correct minifyInterExports when emitted chunk got merged (#7941) by @IWANABETHATGUY - deduplicate entry points when module is both emitted and dynamically imported (#7885) by @IWANABETHATGUY - dev: add `@vite-ignore` to lazy compilation proxy module import (#7883) by @sapphi-red ### 🚜 Refactor - rust: enable clippy nursery lint group (#8002) by @Boshen - rust: fix inconsistent_struct_constructor clippy lint (#7999) by @Boshen - rust: fix needless_pass_by_ref_mut clippy lint (#7994) by @Boshen - rust: fix unnecessary_wraps clippy lint (#7993) by @Boshen - rust: fix enum_variant_names clippy lint (#7992) by @Boshen - fix single_match clippy lint (#7997) by @Boshen - rust: fix redundant_clone clippy lint (#7996) by @Boshen - rust: rename CJS to Cjs to follow upper_case_acronyms lint (#7991) by @Boshen - rust: remove unnecessary Box wrapper around Vec in MemberExprRef (#7990) by @Boshen - import_record: make resolved_module optional (#7907) by @shulaoda - remove unnecessary `.parse` (#7966) by @sapphi-red - remove unused `ImportRecordMeta::IsPlainImport` (#7948) by @shulaoda - proper set chunk meta (#7939) by @IWANABETHATGUY - module_loader: remove `try_spawn_with_cache` (#7920) by @shulaoda - link_stage: simplify `ImportStatus::NoMatch` to unit variant (#7909) by @shulaoda - improve global scope symbol reservation in chunk deconfliction (#7906) by @IWANABETHATGUY - simplify ast unwrapping in generate stage (#7900) by @IWANABETHATGUY - generate_stage: optimize cross-chunk imports computation (#7889) by @shulaoda - link_stage: move runtime require logic into match branch (#7892) by @shulaoda - link_stage: simplify runtime require reference conditions (#7891) by @shulaoda - link_stage: inline and simplify external dynamic import check (#7890) by @shulaoda - generate_stage: simplify external module import collection logic (#7887) by @shulaoda - avoid redundant module lookup in TLA computation (#7886) by @shulaoda - dev: `devEngine.compileEntry` does not return null (#7882) by @sapphi-red - dev: fix type errors for test HMR runtime (#7881) by @sapphi-red - dev: move `clientId` property to `DevRuntime` base class (#7880) by @sapphi-red - dev: generate client id in browser (#7878) by @hyf0 ### 📚 Documentation - apis: organize hook filters documentation and add composable filters section (#8003) by @sapphi-red - update `vitepress-plugin-group-icons` (#7947) by @yuyinws - add in-depth documentation for lazy barrel optimization (#7969) by @shulaoda - bump theme & update activeMatch for reference (#7963) by @mdong1909 - mark `build()` API as experimental (#7954) by @sapphi-red - enhance search functionality with improved scoring and filtering logic (#7935) by @hyf0 - add minor comments to multiple types (#7930) by @sapphi-red - refactor advanedChunks related content to adapt manual code splitting concept (#7925) by @hyf0 - apis: add content to Bundler API page (#7926) by @sapphi-red - apis: restructure plugin API related docs (#7924) by @sapphi-red - add plugin API docs (#7923) by @sapphi-red - apis: add docs to important APIs (#7913) by @sapphi-red - move the important APIs to the top of the sidebar (#7912) by @sapphi-red - apis: add more content to CLI documentation (#7911) by @sapphi-red - apis: generate CLI docs from --help output (#7910) by @sapphi-red - add fathom analytics (#7896) by @mdong1909 ### ⚡ Performance - use u32 for string indices in string_wizard and rolldown to reduce memory usage (#7989) by @IWANABETHATGUY - rust: remove all usages of `with_scope_tree_child_ids(true)` for `SemanticBuilder` (#7995) by @Dunqing - renamer: skip unnecessary nested scope symbol processing (#7899) by @Dunqing - module_loader: use ArcStr for importer_id to avoid string copy (#7922) by @shulaoda - module_loader: defer `ModuleTaskOwner` construction until needed (#7921) by @shulaoda - renamer: optimize symbol renaming by eliminating `rename_non_root_symbol` pass (#7867) by @Dunqing ### 🧪 Testing - add lazy barrel optimization test cases (#7967) by @shulaoda ### ⚙️ Miscellaneous Tasks - remove lazy barrel option (#8010) by @shulaoda - mark watch API as experimental (#8004) by @sapphi-red - deps: update dependency lodash-es to v4.17.23 [security] (#8001) by @renovate[bot] - git ignore zed local config (#7988) by @IWANABETHATGUY - setup publint for published packages (#7972) by @Copilot - enable `tagged_template_transform ` uncondionally (#7975) by @IWANABETHATGUY - deps: update oxc to v0.110.0 (#7964) by @renovate[bot] - deps: update oxc apps (#7962) by @renovate[bot] - ai: add upgrade-oxc Claude skill (#7957) by @Boshen - deps: update rollup submodule for tests to v4.55.2 (#7959) by @sapphi-red - deps: update test262 submodule for tests (#7960) by @sapphi-red - deps: update crate-ci/typos action to v1.42.1 (#7961) by @renovate[bot] - deps: update rust crates (#7951) by @renovate[bot] - deps: update npm packages (#7953) by @renovate[bot] - deps: update github-actions (#7952) by @renovate[bot] - deps: update npm packages (#7950) by @renovate[bot] - format magic-string test before write to disk (#7945) by @IWANABETHATGUY - deps: update dependency rolldown-plugin-dts to ^0.21.0 (#7915) by @renovate[bot] - deps: update dependency oxlint-tsgolint to v0.11.1 (#7914) by @renovate[bot] - deps: update dependency diff to v8.0.3 [security] (#7904) by @renovate[bot] - remove outdated TODO comment in `collect_depended_symbols` (#7888) by @shulaoda - deps: update oxc resolver to v11.16.3 (#7876) by @renovate[bot]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
8.0.2→8.0.3GitHub Vulnerability Alerts
GHSA-73rr-hh4g-fpgx
Impact
Attempting to parse a patch whose filename headers contain the line break characters
\r,\u2028, or\u2029can cause theparsePatchmethod to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory.Applications are therefore likely to be vulnerable to a denial-of-service attack if they call
parsePatchwith a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when callingparsePatchon a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed).The
applyPatchmethod is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string usingparsePatch. Other methods of the library are unaffected.Finally, a second and lesser bug - a ReDOS - also exhibits when those same line break characters are present in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take
parsePatchO(n³) time to parse.Patches
All vulnerabilities described are fixed in v8.0.3.
Workarounds
If using a version of jsdiff earlier than v8.0.3, do not attempt to parse patches that contain any of these characters:
\r,\u2028, or\u2029.References
PR that fixed the bug: https://github.com/kpdecker/jsdiff/pull/649
Release Notes
kpdecker/jsdiff (diff)
v8.0.3Compare Source
Intl.SegmenterwithdiffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).diffWordswhen used without anIntl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (×and÷) are now treated as punctuation instead of as letters / word characters.createPatchetc. patches can now be customised somewhat. It now takes aheaderOptionsoption that can be used to disable the file headers entirely, or omit theIndex:line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced withheaderOptions: FILE_HEADERS_ONLY.parsePatchwhereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now,parsePatchshould reliably take linear time. (Handling of headers that include the line break characters\r,\u2028, or\u2029in non-trailing positions is also now more reasonable as side effect of the fix.)Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.