chore(deps): update dependency diff to v8.0.3 [security] by renovate[bot] · Pull Request #6508 · TanStack/router

renovate · 2026-01-25T16:04:59Z

This PR contains the following updates:

Package	Change	Age	Confidence
diff	`8.0.2` → `8.0.3`

jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

CVE-2026-24001 / GHSA-73rr-hh4g-fpgx

More information

Details

Impact

Attempting to parse a patch whose filename headers contain the line break characters \r, \u2028, or \u2029 can cause the parsePatch method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory.

Applications are therefore likely to be vulnerable to a denial-of-service attack if they call parsePatch with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling parsePatch on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed).

The applyPatch method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using parsePatch. Other methods of the library are unaffected.

Finally, a second and lesser bug - a ReDOS - also exhibits when those same line break characters are present in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take parsePatch O(n³) time to parse.

Patches

All vulnerabilities described are fixed in v8.0.3.

Workarounds

If using a version of jsdiff earlier than v8.0.3, do not attempt to parse patches that contain any of these characters: \r, \u2028, or \u2029.

References

PR that fixed the bug: https://github.com/kpdecker/jsdiff/pull/649

CVE Notes

Note that although the advisory describes two bugs, they each enable exactly the same attack vector (that an attacker who controls input to parsePatch can cause a DOS). Fixing one bug without fixing the other therefore does not fix the vulnerability and does not provide any security benefit. Therefore we assume that the bugs cannot possibly constitute Independently Fixable Vulnerabilities in the sense of CVE CNA rule 4.2.11, but rather that this advisory is properly construed under the rules as describing a single Vulnerability.

Severity

CVSS Score: 2.7 / 10 (Low)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

kpdecker/jsdiff (diff)

`v8.0.3`

Compare Source

#631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
#635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
#641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
#647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

coderabbitai · 2026-01-25T16:05:10Z

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7d6f5cc8-b26b-428b-801f-cc20c4f3e511

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch renovate/npm-diff-vulnerability

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

nx-cloud · 2026-01-25T16:05:29Z

View your CI Pipeline Execution ↗ for commit 733692e

Command	Status	Duration	Result
`nx affected --targets=test:eslint,test:unit,tes...`	❌ Failed	4m 21s	View ↗
`nx run-many --target=build --exclude=examples/*...`	❌ Failed	16s	View ↗

☁️ Nx Cloud last updated this comment at 2026-04-25 20:56:16 UTC

github-actions · 2026-04-16T05:40:16Z

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

nx-cloud

Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud has identified a possible root cause for your failed CI:

This CI failure appears to be related to the environment or external dependencies rather than your code changes.

No code changes were suggested for this issue.

Trigger a rerun:

View detailed reasoning on Nx Cloud ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

nx-cloud

Nx Cloud has identified a possible root cause for your failed CI:

We investigated the CI failures and found they are pre-existing TypeScript type incompatibility errors unrelated to this diff package security patch. The same failures reproduce identically in branch 6614, confirming they were not introduced by this PR. Our recommendation is to merge this security update and address the type errors separately.

No code changes were suggested for this issue.

Trigger a rerun:

View detailed reasoning on Nx Cloud ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

renovate Bot added the dependencies Pull requests that update a dependency file label Jan 25, 2026

renovate Bot force-pushed the renovate/npm-diff-vulnerability branch 6 times, most recently from 0d7c476 to 21865c4 Compare February 1, 2026 13:57

renovate Bot force-pushed the renovate/npm-diff-vulnerability branch 8 times, most recently from 1712c37 to a1ea407 Compare February 9, 2026 01:18

renovate Bot force-pushed the renovate/npm-diff-vulnerability branch from a1ea407 to 410a670 Compare February 15, 2026 11:42

renovate Bot force-pushed the renovate/npm-diff-vulnerability branch 2 times, most recently from 815904a to 3c9ee04 Compare February 22, 2026 21:34

renovate Bot force-pushed the renovate/npm-diff-vulnerability branch from 3c9ee04 to 2ecbcfa Compare April 16, 2026 05:39