Security vulnerability in `diff` package

[raheel-iso365]

There is a security vulnerability in the version of the diff package used by ts-node.

Search Terms

diff

Expected Behavior

Actual Behavior

npm audit
# npm audit report

diff  <8.0.3
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
node_modules/diff
  ts-node  <=1.4.3 || >=1.7.2
  Depends on vulnerable versions of diff

Steps to reproduce the problem

npm audit

Minimal reproduction

Specifications

• ts-node version:
• node version: 10.9.2
• TypeScript version: 5.9.3
• tsconfig.json, if you're using one:

{}

• package.json:

{
.
.
"ts-node": "^10.9.2",
"typescript": "^5.7.3",
.
.

}

• Operating system and version:
• If Windows, are you using WSL or WSL2?:

[tats-u]

Still v4 even in main...

ts-node/package.json

Line 170 in ddb05ef

"diff": "^4.0.1",

[alumni]

diff@4.0.4 will be released soon. No changes necessary in this repo.

[tats-u]

It was successfully shipped.
It is funny that the most popular major version of diff is not 8.x but 4.x.

[kpatsis]

There is a PR open that updates diff to latest version: #2169