fix: override diff package to patched versions #26728
frankmueller-msft wants to merge 4 commits into main from
Conversation
Pull request overview
Updates pnpm overrides across the repo to force diff (jsdiff) onto patched versions in response to a ReDoS vulnerability, including special handling to bump 7.x consumers to 8.0.3 where no 7.x fix exists.
Changes:
- Add version-scoped pnpm overrides for `diff` across root + workspace package.json files and corresponding workspace lockfiles.
- Regenerate lockfiles to reflect updated `diff` resolutions (e.g., 5.2.0 → 5.2.2, 8.0.2 → 8.0.3, 7.0.0 → 8.0.3).
- Update build-tools syncpack config to ignore newly introduced version-scoped override keys.
Reviewed changes
Copilot reviewed 14 out of 27 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tools/test-tools/pnpm-lock.yaml | Adds diff@>=5 <6 override and updates locked diff version to 5.2.2. |
| tools/test-tools/package.json | Adds pnpm override + comment for patched diff 5.x. |
| tools/benchmark/pnpm-lock.yaml | Adds diff@>=5 <6 override and updates locked diff to 5.2.2. |
| tools/benchmark/package.json | Adds pnpm override + comment for patched diff 5.x. |
| tools/api-markdown-documenter/pnpm-lock.yaml | Adds diff overrides for 5.x and 7.x→8.0.3; updates lockfile accordingly. |
| tools/api-markdown-documenter/package.json | Adds pnpm overrides + rationale for bumping 7.x to 8.0.3. |
| server/routerlicious/pnpm-lock.yaml | Adds diff overrides (4.x/5.x/8.x) and updates locked versions. |
| server/routerlicious/package.json | Adds pnpm overrides + comment for patched diff versions. |
| server/historian/pnpm-lock.yaml | Adds diff overrides (5.x, 7.x→8.0.3, 8.x) and updates lockfile. |
| server/historian/package.json | Adds pnpm overrides + rationale for 7.x bump. |
| server/gitrest/pnpm-lock.yaml | Adds diff overrides (5.x, 7.x→8.0.3, 8.x) and updates lockfile. |
| server/gitrest/package.json | Adds pnpm overrides + rationale for 7.x bump. |
| pnpm-lock.yaml | Adds root diff overrides and updates locked/resolved diff entries. |
| package.json | Adds root pnpm overrides + comment for patched diff versions (including 7.x→8.0.3). |
| docs/pnpm-lock.yaml | Adds diff@>=5 <6 override and updates locked diff to 5.2.2. |
| docs/package.json | Adds pnpm override + comment for patched diff 5.x. |
| common/lib/protocol-definitions/pnpm-lock.yaml | Adds diff@>=8 <9 override and updates lockfile to 8.0.3. |
| common/lib/protocol-definitions/package.json | Adds pnpm override + comment for patched diff 8.x. |
| common/lib/common-utils/pnpm-lock.yaml | Adds diff overrides (4.x/5.x/8.x) and updates lockfile. |
| common/lib/common-utils/package.json | Adds pnpm overrides + comment for patched diff versions. |
| common/build/eslint-plugin-fluid/pnpm-lock.yaml | Adds diff@>=5 <6 override and updates lockfile to 5.2.2. |
| common/build/eslint-plugin-fluid/package.json | Adds pnpm override + comment for patched diff 5.x. |
| common/build/eslint-config-fluid/pnpm-lock.yaml | Adds diff@>=5 <6 override and updates lockfile to 5.2.2. |
| common/build/eslint-config-fluid/package.json | Adds pnpm override + comment for patched diff 5.x. |
| build-tools/syncpack.config.cjs | Adds version-scoped diff override keys to syncpack ignore list. |
| build-tools/pnpm-lock.yaml | Adds diff overrides (4.x, 7.x→8.0.3, 8.x) and updates lockfile. |
| build-tools/package.json | Adds pnpm overrides + rationale for 7.x bump within build-tools release group. |
Files not reviewed (13)
- build-tools/pnpm-lock.yaml: Language not supported
- common/build/eslint-config-fluid/pnpm-lock.yaml: Language not supported
- common/build/eslint-plugin-fluid/pnpm-lock.yaml: Language not supported
- common/lib/common-utils/pnpm-lock.yaml: Language not supported
- common/lib/protocol-definitions/pnpm-lock.yaml: Language not supported
- docs/pnpm-lock.yaml: Language not supported
- pnpm-lock.yaml: Language not supported
- server/gitrest/pnpm-lock.yaml: Language not supported
- server/historian/pnpm-lock.yaml: Language not supported
- server/routerlicious/pnpm-lock.yaml: Language not supported
- tools/api-markdown-documenter/pnpm-lock.yaml: Language not supported
- tools/benchmark/pnpm-lock.yaml: Language not supported
- tools/test-tools/pnpm-lock.yaml: Language not supported
| diff: | ||
| specifier: ^3.5.0 | ||
| version: 3.5.0 | ||
| specifier: ^4.0.4 | ||
| version: 4.0.4 |
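Review bot: the specifier recorded here jumps from ^3.5.0 to ^4.0.4 while the declaring package.json still asks for ^3.5.0, so this lockfile no longer records what the manifest declares. That resolves only because the root `diff@>=3 <4` override is part of the resolution context; anyone reading the workspace manifest alone sees an unpatched range, and removing the override later would quietly bring 3.5.0 back. Bump the direct devDependency itself to ^4.0.4 and keep the override for transitive 3.x consumers only.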
This is expected pnpm behavior with overrides. The package.json declares "diff": "^3.5.0" but the root workspace has "diff@>=3 <4": "^4.0.4" in pnpm overrides, which forces the lockfile specifier to ^4.0.4. The lockfile was generated by pnpm install with these overrides active — pnpm install --frozen-lockfile will pass because the override is part of the resolution context.
Seems valid to consider bumping diff legitimately in packages where we depend on it though. Relying on overrides for everything is not good practice
Good point — bumped all 8 packages with direct diff devDependencies from ^3.5.0 to ^4.0.4. They're all test-only deps (only one actual import in merge-tree/src/test/beastTest.spec.ts). The diff@>=3 <4 override stays as a safety net for any transitive 3.x consumers.
| diff: | ||
| specifier: ^3.5.0 | ||
| version: 3.5.0 | ||
| specifier: ^4.0.4 | ||
| version: 4.0.4 |
Same as above — this is how pnpm overrides work. The manifest says ^3.5.0 but the override "diff@>=3 <4": "^4.0.4" changes the resolved specifier in the lockfile. This is correct and --frozen-lockfile passes.
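The override discussion above leaves a practical question: how do you confirm, from a workspace's pnpm-lock.yaml and package.json alone, that no `diff` resolution is still on an unpatched version and that a version-scoped override exists for every affected major? The script below is an added example, not code from this PR or from the repository. It assumes the patched floors the PR states (4.0.4, 5.2.2, 8.0.3, with no fix in 3.x or 7.x), the `diff@>=N <M` override-key form used in the PR's package.json files, and a pnpm v9-style lockfile layout where resolved packages appear as `diff@<version>:` keys. The sample lockfile and manifest embedded in it are constructed for the example.

```javascript
// Added example (not FluidFramework code): audit a pnpm lockfile for `diff`
// (jsdiff) resolutions still below the patched versions this PR pins to, and
// check that the workspace's version-scoped pnpm overrides cover each affected
// major. Patched floors and the "no 3.x / 7.x fix" rule come from the PR
// description; the sample inputs at the bottom are constructed, not real files.

// Lowest patched release per major (from the PR). Majors not listed here,
// such as 6.x, are not assessed by this script.
const PATCHED_FLOOR = { 4: "4.0.4", 5: "5.2.2", 8: "8.0.3" };
// Majors with no patched release; they must be bumped across a major boundary.
const CROSS_MAJOR_TARGET = { 3: "4.0.4", 7: "8.0.3" };

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Collect every resolved `diff` version from `packages:` / `snapshots:` keys
// of the form `  diff@5.2.0:` (an optional `(peer)` suffix is tolerated).
// `diff:` entries under `importers:` are manifest ranges, not resolutions,
// so they are deliberately ignored.
function resolvedDiffVersions(lockfileText) {
  const re = /^[ \t]*diff@(\d+\.\d+\.\d+)(?:\([^)\n]*\))?:/gm;
  const found = new Set();
  let m;
  while ((m = re.exec(lockfileText)) !== null) found.add(m[1]);
  return [...found].sort((x, y) => compareSemver(parseSemver(x), parseSemver(y)));
}

// Return the resolved versions that are still vulnerable, each with a reason.
function findUnpatchedDiff(lockfileText) {
  const findings = [];
  for (const version of resolvedDiffVersions(lockfileText)) {
    const sv = parseSemver(version);
    const major = sv[0];
    if (major in CROSS_MAJOR_TARGET) {
      findings.push({ version, major, reason: `no patched ${major}.x release; override to ${CROSS_MAJOR_TARGET[major]}` });
    } else if (major in PATCHED_FLOOR && compareSemver(sv, parseSemver(PATCHED_FLOOR[major])) < 0) {
      findings.push({ version, major, reason: `below patched floor ${PATCHED_FLOOR[major]}` });
    }
  }
  return findings;
}

// Map each major covered by a version-scoped override key such as
// "diff@>=5 <6" (the key form used in this PR) to its override target.
function overriddenDiffMajors(packageJson) {
  const overrides = (packageJson.pnpm && packageJson.pnpm.overrides) || {};
  const covered = new Map();
  for (const [key, target] of Object.entries(overrides)) {
    const m = /^diff@>=(\d+) <(\d+)$/.exec(key);
    if (!m) continue;
    for (let major = Number(m[1]); major < Number(m[2]); major++) covered.set(major, target);
  }
  return covered;
}

// Combine both checks: each vulnerable resolution is reported together with
// the override target that would rewrite it on the next install, or null if
// no override covers that major.
function auditWorkspace(lockfileText, packageJson) {
  const covered = overriddenDiffMajors(packageJson);
  return findUnpatchedDiff(lockfileText).map((f) => ({
    ...f,
    overrideTarget: covered.get(f.major) || null,
  }));
}

// Constructed sample inputs (integrity hashes are placeholders).
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      diff:
        specifier: ^3.5.0
        version: 3.5.0
packages:
  diff@3.5.0:
    resolution: {integrity: sha512-placeholder}
  diff@5.2.2:
    resolution: {integrity: sha512-placeholder}
  diff@7.0.0:
    resolution: {integrity: sha512-placeholder}
snapshots:
  diff@3.5.0: {}
  diff@5.2.2: {}
  diff@7.0.0: {}
`;

const SAMPLE_PACKAGE_JSON = {
  pnpm: { overrides: { "diff@>=5 <6": "^5.2.2", "diff@>=7 <8": "^8.0.3" } },
};

// Stand-alone run: print the findings for the sample workspace.
for (const f of auditWorkspace(SAMPLE_LOCKFILE, SAMPLE_PACKAGE_JSON)) {
  const cover = f.overrideTarget ? `override present: ${f.overrideTarget}` : "NO override covers this major";
  console.log(`diff@${f.version}: ${f.reason} (${cover})`);
}
```

To use it on the repository, read each workspace's pnpm-lock.yaml and package.json from disk in place of the sample strings and run it once per workspace in the summary table. A finding whose overrideTarget is null means nothing would rewrite that version on the next install, so the dependency range itself has to be bumped; a finding with an override present but a stale resolved version means the lockfile was not regenerated after the override was added.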
Override the `diff` (jsdiff) package to patched versions across all 13 workspaces to resolve a known ReDoS vulnerability.

- diff 3.x/4.x → 4.0.4 (patch)
- diff 5.x → 5.2.2 (patch)
- diff 7.x → 8.0.3 (no 7.x fix exists, cross-major bump)
- diff 8.x → 8.0.3 (patch)

Consumers: mocha, sinon, ts-node, @microsoft/api-extractor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
a421b14 to a5a4fa3
🔗 No broken links found! ✅ Your attention to detail is admirable.
All 8 packages with a direct diff dependency used it only as a devDependency for tests. Bumping to ^4.0.4 (the patched version) rather than relying solely on the pnpm override. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CG scans this test fixture lockfile and flags js-yaml 3.14.1. Update to 3.14.2 to match the js-yaml override already in place. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The root workspace was missing js-yaml and jws overrides that other workspaces already had. CG flags these as unresolved because the explicit override is needed for detection, even when the lockfile already resolves to patched versions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- Override the `diff` (jsdiff) package to patched versions across all 13 workspaces to resolve a known ReDoS vulnerability
- `diff@3.x` → 4.0.4, `diff@4.x` → 4.0.4, `diff@5.x` → 5.2.2, `diff@7.x` → 8.0.3 (no 7.x fix exists), `diff@8.x` → 8.0.3
- Bump `diff` devDependencies from `^3.5.0` to `^4.0.4` (all test-only usage)

Test plan
🤖 Generated with Claude Code