fix(deps): update dependency jsondiffpatch to v0.7.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jsondiffpatch	0.5.0 → 0.7.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-9910

Vulnerability in jsondiffpatch

Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting (XSS) in the HtmlFormatter (HtmlFormatter::nodeBegin). When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts and execute in the context of a consuming web page.

Affected versions: >= 0, < 0.7.2
Patched version: 0.7.2

Remediation
Upgrade to jsondiffpatch 0.7.2 or later. The fix hardens the HTML formatter to avoid script injection.

Workarounds
Avoid using the HTML formatter on untrusted diffs, or sanitize/escape the rendered output.

---

Release Notes

benjamine/jsondiffpatch (jsondiffpatch)

v0.7.2

Compare Source

v0.6.2

Compare Source

v0.6.1

Compare Source

v0.6.0

Compare Source

Breaking changes

• This package is now pure ESM. For more info, please read Sindre Sorhus's FAQ (#​350).
• Supported Node versions are ^18.0.0 || >=20.0.0 (#​350).
• Requires ES6 support (#​350).
• There is no longer a default export. Import this package by using import * as jsondiffpatch from 'jsondiffpatch' or by importing individual methods (#​350).
• Formatters are no longer exported from the main entry-point and must be imported from subpaths (#​350):
  • import * as annotatedFormatter from 'jsondiffpatch/formatters/annotated'
  • import * as baseFormatter from 'jsondiffpatch/formatters/base'
  • import * as consoleFormatter from 'jsondiffpatch/formatters/console'
  • import * as htmlFormatter from 'jsondiffpatch/formatters/html'
  • import * as jsonpatchFormatter from 'jsondiffpatch/formatters/jsonpatch'
• Updated CSS imports (#​350):
  • import 'jsondiffpatch/formatters/styles/html.css'
  • import 'jsondiffpatch/formatters/styles/annotated.css'
• The main entry-point no longer includes text diffing by default. Either pass in the diff-match-patch library via the textDiff.diffMatchPatch option, or use the jsondiffpatch/with-text-diffs entry point that is included for convenience (#​352).
• Context.switchTo() has been removed (#​345).
• BaseFormatter.typeFormattterErrorFormatter() now throws an error instead of returning a string (#​345).
• The UMD browser bundle has been removed. If you were using a script tag to include jsondiffpatch in your project, you can now import it inside of your main script tag as show below. For a more complete example, see the Visual Diff example before and after this change.

<!doctype html>
<html>
  <head>
    <link
      rel="stylesheet"
      href="https://esm.sh/jsondiffpatch@0.6.0/lib/formatters/styles/html.css"
      type="text/css"
    />
    <link
      rel="stylesheet"
      href="https://esm.sh/jsondiffpatch@0.6.0/lib/formatters/styles/annotated.css"
      type="text/css"
    />
  </head>
  <body>
    <script type="module">
      import * as jsondiffpatch from 'https://esm.sh/jsondiffpatch@0.6.0';
      import * as annotatedFormatter from 'https://esm.sh/jsondiffpatch@0.6.0/formatters/annotated';
      import * as htmlFormatter from 'https://esm.sh/jsondiffpatch@0.6.0/formatters/html';

      ...
    </script>
  </body>
</html>

Other changes

• Fix demo link in formatters doc by @​johnrees in #​311
• Fix the live demo link in the deltas docs by @​Xheldon in #​317
• Fix typos in project documentation by @​plan-do-break-fix in #​305
• Fix examples in documentation by @​dayures in #​308
• Update TS type file to include jsonpatch formatter by @​thilinatnt in #​310
• Fix incorrect matrix initialization by @​rexxars in #​291
• Documentation instances distinction by @​piomar123 in #​129
• Replace usages of substr with substring by @​Methuselah96 in #​343
• Remove dead branches by @​Methuselah96 in #​344
• Convert to TypeScript by @​Methuselah96 in #​345
• Convert tests to TypeScript by @​Methuselah96 in #​346
• Convert to monorepo and revamp build system by @​Methuselah96 in #​350
• Disable text diffs by default by @​Methuselah96 in #​352

New Contributors

• @​johnrees made their first contribution in #​311
• @​Xheldon made their first contribution in #​317
• @​plan-do-break-fix made their first contribution in #​305
• @​dayures made their first contribution in #​308
• @​thilinatnt made their first contribution in #​310
• @​rexxars made their first contribution in #​291
• @​piomar123 made their first contribution in #​129

Full Changelog: benjamine/jsondiffpatch@v0.5.0...v0.6.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8cbe720

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR