diff --git a/build-tools/package.json b/build-tools/package.json index d914c33f796d..3e06a9a306dd 100644 --- a/build-tools/package.json +++ b/build-tools/package.json @@ -155,10 +155,14 @@ "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).", "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.", "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { "@types/glob>@types/minimatch": "~5.1.2", + "diff@>=4 <5": "^4.0.4", + "diff@>=7 <8": "^8.0.3", + "diff@>=8 <9": "^8.0.3", "@types/node": "^22.19.1", "eslint": "~9.39.2", "json5@<1.0.2": "^1.0.2", diff --git a/build-tools/pnpm-lock.yaml b/build-tools/pnpm-lock.yaml index 3dda9238d3c6..4c8ba4161e76 100644 --- a/build-tools/pnpm-lock.yaml +++ b/build-tools/pnpm-lock.yaml @@ -6,6 +6,9 @@ settings: overrides: '@types/glob>@types/minimatch': ~5.1.2 + diff@>=4 <5: ^4.0.4 + diff@>=7 <8: ^8.0.3 + diff@>=8 <9: ^8.0.3 '@types/node': ^22.19.1 eslint: ~9.39.2 json5@<1.0.2: ^1.0.2 
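Review bot: The `diff@>=7 <8` → `^8.0.3` override forces a cross-major upgrade onto whatever transitively declares diff 7, and the build-tools lockfile hunk further down shows the snapshot that looks like mocha's (chokidar 4.0.3, find-up 5.0.0, glob 10.5.0) moving from diff 7.0.0 to 8.0.3 — a major bump changes API surface rather than failing at install time, so the risk shows up only when mocha actually renders a diff for a failing assertion. Running one mocha suite with a deliberately failing deep-equal would confirm that path still works. The commentsOverrides entry should also name the advisory it addresses, as the sibling js-yaml entries elsewhere in this change do (CVE-2025-64718): `"diff: overridden to patched versions (4.0.4 / 8.0.3) to resolve <advisory id> (ReDoS); diff@7.x has no fixed release so it is bumped to 8.0.3."`. Without the id, a future reader cannot check whether these floors are still sufficient.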
@@ -2923,16 +2926,12 @@ packages: devlop@1.1.0: resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==} - diff@4.0.2: - resolution: {integrity: sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==} + diff@4.0.4: + resolution: {integrity: sha512-X07nttJQkwkfKfvTPG/KSnE2OMdcUCao6+eXF3wmnIQRn2aPAHH3VxDbDOdegkd6JbPsXqShpvEOHfAT+nCNwQ==} engines: {node: '>=0.3.1'} - diff@7.0.0: - resolution: {integrity: sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw==} - engines: {node: '>=0.3.1'} - - diff@8.0.2: - resolution: {integrity: sha512-sSuxWU5j5SR9QQji/o2qMvqRNYRDOcBTgsJ/DeCf4iSN4gW+gNMXM7wFIP+fdXZxoNiAnHUTGjCr+TSWXdRDKg==} + diff@8.0.3: + resolution: {integrity: sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: @@ -7014,7 +7013,7 @@ snapshots: '@rushstack/rig-package': 0.6.0 '@rushstack/terminal': 0.19.4(@types/node@22.19.1) '@rushstack/ts-command-line': 5.1.4(@types/node@22.19.1) - diff: 8.0.2 + diff: 8.0.3 lodash: 4.17.21 minimatch: 10.0.3 resolve: 1.22.8 @@ -8514,11 +8513,9 @@ snapshots: dependencies: dequal: 2.0.3 - diff@4.0.2: {} - - diff@7.0.0: {} + diff@4.0.4: {} - diff@8.0.2: {} + diff@8.0.3: {} dir-glob@3.0.1: dependencies: @@ -10434,7 +10431,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 4.0.3 debug: 4.4.3(supports-color@8.1.1) - diff: 7.0.0 + diff: 8.0.3 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 10.5.0 @@ -11737,7 +11734,7 @@ snapshots: acorn-walk: 8.2.0 arg: 4.1.3 create-require: 1.1.1 - diff: 4.0.2 + diff: 4.0.4 make-error: 1.3.6 typescript: 5.4.5 v8-compile-cache-lib: 3.0.1 diff --git a/build-tools/syncpack.config.cjs b/build-tools/syncpack.config.cjs index 6800508ff3b7..47e10c8a1c4f 100644 --- a/build-tools/syncpack.config.cjs +++ b/build-tools/syncpack.config.cjs 
@@ -80,6 +80,9 @@ module.exports = { label: "Ignore unsupported pnpm override entries", dependencyTypes: ["pnpmOverrides"], dependencies: [ + "diff@>=4 <5", + "diff@>=7 <8", + "diff@>=8 <9", "js-yaml@<4", "js-yaml@>=4", "json5@<1.0.2", diff --git a/common/build/eslint-config-fluid/package.json b/common/build/eslint-config-fluid/package.json index 294ba336919c..05ec5b16bd9d 100644 --- a/common/build/eslint-config-fluid/package.json +++ b/common/build/eslint-config-fluid/package.json @@ -79,9 +79,11 @@ "pnpm": { "commentsOverrides": [ "serialize-javascript - CVE-2024-11831 impacts version 6.0.0 which is pinned by mocha 10.4.0, which in turn comes from mocha-multi-reporters 1.5.1 (which has no updated version at this time)", - "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys)." + "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).", + "diff: overridden to patched version to resolve a known ReDoS vulnerability." ], "overrides": { + "diff@>=5 <6": "^5.2.2", "js-yaml": "^4.1.1", "mocha>serialize-javascript@6.0.0": "^6.0.2" }, diff --git a/common/build/eslint-config-fluid/pnpm-lock.yaml b/common/build/eslint-config-fluid/pnpm-lock.yaml index 9e2093d99081..1cc5c94b773e 100644 --- a/common/build/eslint-config-fluid/pnpm-lock.yaml +++ b/common/build/eslint-config-fluid/pnpm-lock.yaml @@ -5,6 +5,7 @@ settings: excludeLinksFromLockfile: false overrides: + diff@>=5 <6: ^5.2.2 js-yaml: ^4.1.1 mocha>serialize-javascript@6.0.0: ^6.0.2 @@ -966,8 +967,8 @@ packages: resolution: {integrity: sha512-CwffZFvlJffUg9zZA0uqrjQayUTC8ob94pnr5sFwaVv3IOmkfUHcWH+jXaQK3askE51Cqe8/9Ql/0uXNwqZ8Zg==} engines: {node: '>=0.10.0'} - diff@5.0.0: - resolution: {integrity: sha512-/VTCrvm5Z0JGty/BWHljh+BAiw3IK+2j87NGMu8Nwc/f48WoDAC395uomO9ZD117ZOBaHmkX1oyLvkVM/aIT3w==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} doctrine@2.1.0: 
@@ -3087,7 +3088,7 @@ snapshots: detect-newline@2.1.0: {} - diff@5.0.0: {} + diff@5.2.2: {} doctrine@2.1.0: dependencies: @@ -3930,7 +3931,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.5.3 debug: 4.3.4(supports-color@8.1.1) - diff: 5.0.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 diff --git a/common/build/eslint-plugin-fluid/package.json b/common/build/eslint-plugin-fluid/package.json index 3c0de4ff6128..325a8a66cadc 100644 --- a/common/build/eslint-plugin-fluid/package.json +++ b/common/build/eslint-plugin-fluid/package.json @@ -52,9 +52,11 @@ "commentsOverrides": [ "validator: overridden to ^13.15.0 to resolve a known vulnerability in older versions (transitive via swagger-tools).", "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", - "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys)." + "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).", + "diff: overridden to patched version to resolve a known ReDoS vulnerability." ], "overrides": { + "diff@>=5 <6": "^5.2.2", "js-yaml": "^4.1.1", "qs": "^6.15.0", "validator": "^13.15.0" diff --git a/common/build/eslint-plugin-fluid/pnpm-lock.yaml b/common/build/eslint-plugin-fluid/pnpm-lock.yaml index b43bd52a0e9d..239a7b77a734 100644 --- a/common/build/eslint-plugin-fluid/pnpm-lock.yaml +++ b/common/build/eslint-plugin-fluid/pnpm-lock.yaml @@ -5,6 +5,7 @@ settings: excludeLinksFromLockfile: false overrides: + diff@>=5 <6: ^5.2.2 js-yaml: ^4.1.1 qs: ^6.15.0 validator: ^13.15.0 
@@ -550,8 +551,8 @@ packages: resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==} engines: {node: '>=0.4.0'} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: @@ -2465,7 +2466,7 @@ snapshots: delayed-stream@1.0.0: {} - diff@5.2.0: {} + diff@5.2.2: {} dir-glob@3.0.1: dependencies: @@ -3512,7 +3513,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.5.3 debug: 4.4.0(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 diff --git a/common/lib/common-utils/package.json b/common/lib/common-utils/package.json index 26abec23cbda..6b95bfcf7dc7 100644 --- a/common/lib/common-utils/package.json +++ b/common/lib/common-utils/package.json @@ -161,9 +161,13 @@ "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "diff: overridden to patched versions to resolve a known ReDoS vulnerability.", "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { + "diff@>=4 <5": "^4.0.4", + "diff@>=5 <6": "^5.2.2", + "diff@>=8 <9": "^8.0.3", "js-yaml@<4": "^3.14.2", "js-yaml@>=4": "^4.1.1", "jws": "^3.2.3", diff --git a/common/lib/common-utils/pnpm-lock.yaml b/common/lib/common-utils/pnpm-lock.yaml index c595c011afbe..2bfa82eb3bd2 100644 --- a/common/lib/common-utils/pnpm-lock.yaml +++ b/common/lib/common-utils/pnpm-lock.yaml 
@@ -5,6 +5,9 @@ settings: excludeLinksFromLockfile: false overrides: + diff@>=4 <5: ^4.0.4 + diff@>=5 <6: ^5.2.2 + diff@>=8 <9: ^8.0.3 js-yaml@<4: ^3.14.2 js-yaml@>=4: ^4.1.1 jws: ^3.2.3 @@ -2387,16 +2390,16 @@ packages: resolution: {integrity: sha512-EjePK1srD3P08o2j4f0ExnylqRs5B9tJjcp9t1krH2qRi8CCdsYfwe9JgSLurFBWwq4uOlipzfk5fHNvwFKr8Q==} engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0} - diff@4.0.2: - resolution: {integrity: sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==} + diff@4.0.4: + resolution: {integrity: sha512-X07nttJQkwkfKfvTPG/KSnE2OMdcUCao6+eXF3wmnIQRn2aPAHH3VxDbDOdegkd6JbPsXqShpvEOHfAT+nCNwQ==} engines: {node: '>=0.3.1'} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} - diff@8.0.2: - resolution: {integrity: sha512-sSuxWU5j5SR9QQji/o2qMvqRNYRDOcBTgsJ/DeCf4iSN4gW+gNMXM7wFIP+fdXZxoNiAnHUTGjCr+TSWXdRDKg==} + diff@8.0.3: + resolution: {integrity: sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: @@ -6984,7 +6987,7 @@ snapshots: '@rushstack/rig-package': 0.6.0 '@rushstack/terminal': 0.19.5(@types/node@18.19.39) '@rushstack/ts-command-line': 5.1.5(@types/node@18.19.39) - diff: 8.0.2 + diff: 8.0.3 lodash: 4.17.21 minimatch: 10.0.3 resolve: 1.22.8 @@ -8787,11 +8790,11 @@ snapshots: diff-sequences@29.6.3: {} - diff@4.0.2: {} + diff@4.0.4: {} - diff@5.2.0: {} + diff@5.2.2: {} - diff@8.0.2: {} + diff@8.0.3: {} dir-glob@3.0.1: dependencies: @@ -11216,7 +11219,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.5.3 debug: 4.4.3(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 
@@ -12283,7 +12286,7 @@ snapshots: '@sinonjs/commons': 3.0.1 '@sinonjs/fake-timers': 11.2.2 '@sinonjs/samsam': 8.0.2 - diff: 5.2.0 + diff: 5.2.2 nise: 6.1.1 supports-color: 7.2.0 @@ -12698,7 +12701,7 @@ snapshots: acorn-walk: 8.2.0 arg: 4.1.3 create-require: 1.1.1 - diff: 4.0.2 + diff: 4.0.4 make-error: 1.3.6 typescript: 5.4.5 v8-compile-cache-lib: 3.0.1 diff --git a/common/lib/protocol-definitions/package.json b/common/lib/protocol-definitions/package.json index c71c6c47719c..64fb280e54a1 100644 --- a/common/lib/protocol-definitions/package.json +++ b/common/lib/protocol-definitions/package.json @@ -119,6 +119,7 @@ "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "diff: overridden to patched version to resolve a known ReDoS vulnerability.", "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "onlyBuiltDependencies": [ @@ -135,6 +136,7 @@ ] }, "overrides": { + "diff@>=8 <9": "^8.0.3", "js-yaml@<4": "^3.14.2", "jws": "^3.2.3", "oclif>@aws-sdk/client-cloudfront": "-", diff --git a/common/lib/protocol-definitions/pnpm-lock.yaml b/common/lib/protocol-definitions/pnpm-lock.yaml index 58df8550fb7a..92b7a17a01ec 100644 --- a/common/lib/protocol-definitions/pnpm-lock.yaml +++ b/common/lib/protocol-definitions/pnpm-lock.yaml @@ -5,6 +5,7 @@ settings: excludeLinksFromLockfile: false overrides: + diff@>=8 <9: ^8.0.3 js-yaml@<4: ^3.14.2 jws: ^3.2.3 oclif>@aws-sdk/client-cloudfront: '-' 
@@ -1617,8 +1618,8 @@ packages: devlop@1.1.0: resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==} - diff@8.0.2: - resolution: {integrity: sha512-sSuxWU5j5SR9QQji/o2qMvqRNYRDOcBTgsJ/DeCf4iSN4gW+gNMXM7wFIP+fdXZxoNiAnHUTGjCr+TSWXdRDKg==} + diff@8.0.3: + resolution: {integrity: sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: @@ -4753,7 +4754,7 @@ snapshots: '@rushstack/rig-package': 0.6.0 '@rushstack/terminal': 0.19.5(@types/node@22.5.4) '@rushstack/ts-command-line': 5.1.5(@types/node@22.5.4) - diff: 8.0.2 + diff: 8.0.3 lodash: 4.17.21 minimatch: 10.0.3 resolve: 1.22.8 @@ -6022,7 +6023,7 @@ snapshots: dependencies: dequal: 2.0.3 - diff@8.0.2: {} + diff@8.0.3: {} dir-glob@3.0.1: dependencies: diff --git a/docs/package.json b/docs/package.json index 25b4e900d0c2..7ad7eb9e3f08 100644 --- a/docs/package.json +++ b/docs/package.json @@ -123,10 +123,12 @@ "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).", "node-forge: overridden to ^1.3.2 to fix known ASN.1 vulnerabilities.", - "simple-git: overridden to ^3.32.3 to resolve a CG alert." + "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "diff: overridden to patched version to resolve a known ReDoS vulnerability." ], "overrides": { "@types/react": "^18.3.12", + "diff@>=5 <6": "^5.2.2", "js-yaml@<4": "^3.14.2", "js-yaml@>=4": "^4.1.1", "jws": "^3.2.3", diff --git a/docs/pnpm-lock.yaml b/docs/pnpm-lock.yaml index e7d2798b91d7..11bdd42fe93b 100644 --- a/docs/pnpm-lock.yaml +++ b/docs/pnpm-lock.yaml @@ -6,6 +6,7 @@ settings: overrides: '@types/react': ^18.3.12 + diff@>=5 <6: ^5.2.2 js-yaml@<4: ^3.14.2 js-yaml@>=4: ^4.1.1 jws: ^3.2.3 
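Review bot: The docs lockfile hunk that accompanies this override also changes `semver: 7.7.2` → `7.7.4` in an unrelated snapshot (the one carrying loader-utils 2.0.4 / webpack 5.96.1), which the new commentsOverrides line does not explain; presumably an incidental re-resolution from running install, but it is worth stating in the PR description so the lockfile churn is traceable. The `diff@>=5 <6` override itself looks right for this package — the only diff entry visible in its lockfile is 5.x (used by uvu 0.5.6). As elsewhere, quoting the advisory id in place of "a known ReDoS vulnerability" would make the 5.2.2 floor auditable later.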
@@ -3782,8 +3783,8 @@ packages: devlop@1.1.0: resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} dill-cli@0.1.3: @@ -13675,7 +13676,7 @@ snapshots: dependencies: dequal: 2.0.3 - diff@5.2.0: {} + diff@5.2.2: {} dill-cli@0.1.3(typescript@5.5.4): dependencies: @@ -18235,7 +18236,7 @@ snapshots: loader-utils: 2.0.4 neo-async: 2.6.2 schema-utils: 3.3.0 - semver: 7.7.2 + semver: 7.7.4 webpack: 5.96.1 optionalDependencies: sass: 1.81.0 @@ -19276,7 +19277,7 @@ snapshots: uvu@0.5.6: dependencies: dequal: 2.0.3 - diff: 5.2.0 + diff: 5.2.2 kleur: 4.1.5 sade: 1.8.1 diff --git a/experimental/dds/sequence-deprecated/package.json b/experimental/dds/sequence-deprecated/package.json index 4870d1fdc2dc..10dd03221856 100644 --- a/experimental/dds/sequence-deprecated/package.json +++ b/experimental/dds/sequence-deprecated/package.json @@ -109,7 +109,7 @@ "concurrently": "^9.2.1", "copyfiles": "^2.4.1", "cross-env": "^10.1.0", - "diff": "^3.5.0", + "diff": "^4.0.4", "eslint": "~9.39.1", "jiti": "^2.6.1", "mocha": "^11.7.5", diff --git a/package.json b/package.json index 1f2df6018890..6998a29ab39d 100644 --- a/package.json +++ b/package.json 
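Review bot: Bumping the direct devDependency `"diff": "^3.5.0"` to `"^4.0.4"` crosses a major version, and unlike the pnpm overrides in this change it affects code in this package that calls the library directly (presumably its tests, since it is a devDependency); the same bump is repeated below for merge-tree, sequence, tree, dds-interceptions, request-handler, undo-redo and test-utils. If any of that code relies on an API whose signature changed between diff 3.x and 4.x the breakage surfaces at test time rather than install time, so a line in the PR description confirming those packages' suites were run green would close the gap. If a 3.x-compatible patched release does not exist (the root commentsOverrides line says 3.x has no fix), that reasoning belongs in the commit message too.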
@@ -363,10 +363,15 @@ "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range.", "systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.", - "simple-git: overridden to ^3.32.3 to resolve a CG alert." + "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x have no fix in their major range so they are bumped to the nearest patched major." ], "overrides": { "@types/node": "~20.19.30", + "diff@>=3 <4": "^4.0.4", + "diff@>=5 <6": "^5.2.2", + "diff@>=7 <8": "^8.0.3", + "diff@>=8 <9": "^8.0.3", "fast-xml-parser": "^4.5.4", "good-fences>nodegit": "npm:empty-npm-package@1.0.0", "qs": "^6.15.0", diff --git a/packages/dds/merge-tree/package.json b/packages/dds/merge-tree/package.json index 54906b779b5e..5d28cd858c61 100644 --- a/packages/dds/merge-tree/package.json +++ b/packages/dds/merge-tree/package.json @@ -164,7 +164,7 @@ "concurrently": "^9.2.1", "copyfiles": "^2.4.1", "cross-env": "^10.1.0", - "diff": "^3.5.0", + "diff": "^4.0.4", "eslint": "~9.39.1", "jiti": "^2.6.1", "mocha": "^11.7.5", diff --git a/packages/dds/sequence/package.json b/packages/dds/sequence/package.json index 7f185978398c..516fefc360d0 100644 --- a/packages/dds/sequence/package.json +++ b/packages/dds/sequence/package.json @@ -181,7 +181,7 @@ "concurrently": "^9.2.1", "copyfiles": "^2.4.1", "cross-env": "^10.1.0", - "diff": "^3.5.0", + "diff": "^4.0.4", "eslint": "~9.39.1", "jiti": "^2.6.1", "mocha": "^11.7.5", diff --git a/packages/dds/tree/package.json b/packages/dds/tree/package.json index 9f0958fcbcdb..5dcb9771753e 100644 --- a/packages/dds/tree/package.json +++ b/packages/dds/tree/package.json 
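Review bot: The root overrides cover diff 3.x, 5.x, 7.x and 8.x but not 4.x, so a transitive dependency declaring `diff@^4.0.0` is not pinned to the patched release here the way it is in build-tools, common-utils and routerlicious; the root lockfile currently resolves only `diff@4.0.4` (that entry is unchanged context in the lockfile hunk), so today this is a consistency gap rather than an exposure, and `"diff@>=4 <5": "^4.0.4",` would close it. The `diff@>=3 <4` → `^4.0.4` entry also moves an old sinon snapshot (the one with `@sinonjs/samsam: 3.3.3` / `lolex: 4.2.0`) onto a diff major it never declared, which is the kind of break that only shows when an assertion actually fails. Separately, the root lockfile hunk now records `tar@7.5.11` with the registry's "Old versions of tar are not supported…" deprecation notice, which suggests the `^7.5.11` tar floor used in the sibling packages' overrides may already trail a newer release — not introduced by this change, but worth checking while overrides are being touched.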
@@ -212,7 +212,7 @@ "copyfiles": "^2.4.1", "cross-env": "^10.1.0", "dependency-cruiser": "^17.3.2", - "diff": "^3.5.0", + "diff": "^4.0.4", "easy-table": "^1.2.0", "eslint": "~9.39.1", "eslint-config-prettier": "~10.1.8", diff --git a/packages/framework/dds-interceptions/package.json b/packages/framework/dds-interceptions/package.json index aecdfdc976d3..b46a76f48d1b 100644 --- a/packages/framework/dds-interceptions/package.json +++ b/packages/framework/dds-interceptions/package.json @@ -107,7 +107,7 @@ "concurrently": "^9.2.1", "copyfiles": "^2.4.1", "cross-env": "^10.1.0", - "diff": "^3.5.0", + "diff": "^4.0.4", "eslint": "~9.39.1", "jiti": "^2.6.1", "mocha": "^11.7.5", diff --git a/packages/framework/request-handler/package.json b/packages/framework/request-handler/package.json index aa71890183a7..bb3c189c9147 100644 --- a/packages/framework/request-handler/package.json +++ b/packages/framework/request-handler/package.json @@ -137,7 +137,7 @@ "concurrently": "^9.2.1", "copyfiles": "^2.4.1", "cross-env": "^10.1.0", - "diff": "^3.5.0", + "diff": "^4.0.4", "eslint": "~9.39.1", "jiti": "^2.6.1", "mocha": "^11.7.5", diff --git a/packages/framework/undo-redo/package.json b/packages/framework/undo-redo/package.json index de43046f8eb0..48cf104b9fce 100644 --- a/packages/framework/undo-redo/package.json +++ b/packages/framework/undo-redo/package.json @@ -120,7 +120,7 @@ "concurrently": "^9.2.1", "copyfiles": "^2.4.1", "cross-env": "^10.1.0", - "diff": "^3.5.0", + "diff": "^4.0.4", "eslint": "~9.39.1", "jiti": "^2.6.1", "mocha": "^11.7.5", diff --git a/packages/test/test-utils/package.json b/packages/test/test-utils/package.json index decdf4811e49..748a3cffda9e 100644 --- a/packages/test/test-utils/package.json +++ b/packages/test/test-utils/package.json @@ -154,7 +154,7 @@ "concurrently": "^9.2.1", "copyfiles": "^2.4.1", "cross-env": "^10.1.0", - "diff": "^3.5.0", + "diff": "^4.0.4", "eslint": "~9.39.1", "jiti": "^2.6.1", "mocha": "^11.7.5", 
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 935daf84a89c..bc04df0c760f 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -21,6 +21,10 @@ catalogs: overrides: '@types/node': ~20.19.30 + diff@>=3 <4: ^4.0.4 + diff@>=5 <6: ^5.2.2 + diff@>=7 <8: ^8.0.3 + diff@>=8 <9: ^8.0.3 fast-xml-parser: ^4.5.4 good-fences>nodegit: npm:empty-npm-package@1.0.0 qs: ^6.15.0 @@ -7232,8 +7236,8 @@ importers: specifier: ^10.1.0 version: 10.1.0 diff: - specifier: ^3.5.0 - version: 3.5.0 + specifier: ^4.0.4 + version: 4.0.4 eslint: specifier: ~9.39.1 version: 9.39.1(jiti@2.6.1) @@ -8670,8 +8674,8 @@ importers: specifier: ^10.1.0 version: 10.1.0 diff: - specifier: ^3.5.0 - version: 3.5.0 + specifier: ^4.0.4 + version: 4.0.4 eslint: specifier: ~9.39.1 version: 9.39.1(jiti@2.6.1) @@ -9097,8 +9101,8 @@ importers: specifier: ^10.1.0 version: 10.1.0 diff: - specifier: ^3.5.0 - version: 3.5.0 + specifier: ^4.0.4 + version: 4.0.4 eslint: specifier: ~9.39.1 version: 9.39.1(jiti@2.6.1) @@ -9693,8 +9697,8 @@ importers: specifier: ^17.3.2 version: 17.3.2 diff: - specifier: ^3.5.0 - version: 3.5.0 + specifier: ^4.0.4 + version: 4.0.4 easy-table: specifier: ^1.2.0 version: 1.2.0 @@ -11374,8 +11378,8 @@ importers: specifier: ^10.1.0 version: 10.1.0 diff: - specifier: ^3.5.0 - version: 3.5.0 + specifier: ^4.0.4 + version: 4.0.4 eslint: specifier: ~9.39.1 version: 9.39.1(jiti@2.6.1) @@ -11956,8 +11960,8 @@ importers: specifier: ^10.1.0 version: 10.1.0 diff: - specifier: ^3.5.0 - version: 3.5.0 + specifier: ^4.0.4 + version: 4.0.4 eslint: specifier: ~9.39.1 version: 9.39.1(jiti@2.6.1) @@ -12414,8 +12418,8 @@ importers: specifier: ^10.1.0 version: 10.1.0 diff: - specifier: ^3.5.0 - version: 3.5.0 + specifier: ^4.0.4 + version: 4.0.4 eslint: specifier: ~9.39.1 version: 9.39.1(jiti@2.6.1) @@ -15398,8 +15402,8 @@ importers: specifier: ^10.1.0 version: 10.1.0 diff: - specifier: ^3.5.0 - version: 3.5.0 + specifier: ^4.0.4 + version: 4.0.4 eslint: specifier: ~9.39.1 version: 9.39.1(jiti@2.6.1) 
@@ -21031,6 +21035,7 @@ packages: basic-ftp@5.2.0: resolution: {integrity: sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==} engines: {node: '>=10.0.0'} + deprecated: Security vulnerability fixed in 5.2.0, please upgrade batch@0.6.1: resolution: {integrity: sha512-x+VAiMRL6UPkx+kudNvxTl6hB2XNNCG2r+7wixVfIYwu/2HKRXimwQyaumLjMveWvT2Hkd/cAJw+QBMfJ/EKVw==} @@ -22075,24 +22080,16 @@ packages: diff3@0.0.3: resolution: {integrity: sha512-iSq8ngPOt0K53A6eVr4d5Kn6GNrM2nQZtC740pzIriHtn4pOQ2lyzEXQMBeVcWERN0ye7fhBsk9PbLLQOnUx/g==} - diff@3.5.0: - resolution: {integrity: sha512-A46qtFgd+g7pDZinpnwiRJtxbC1hpgf0uzP3iG89scHk0AUC7A1TGxf5OiiOUv/JMZR8GOt8hL900hV0bOy5xA==} - engines: {node: '>=0.3.1'} - diff@4.0.4: resolution: {integrity: sha512-X07nttJQkwkfKfvTPG/KSnE2OMdcUCao6+eXF3wmnIQRn2aPAHH3VxDbDOdegkd6JbPsXqShpvEOHfAT+nCNwQ==} engines: {node: '>=0.3.1'} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} - engines: {node: '>=0.3.1'} - - diff@7.0.0: - resolution: {integrity: sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} - diff@8.0.2: - resolution: {integrity: sha512-sSuxWU5j5SR9QQji/o2qMvqRNYRDOcBTgsJ/DeCf4iSN4gW+gNMXM7wFIP+fdXZxoNiAnHUTGjCr+TSWXdRDKg==} + diff@8.0.3: + resolution: {integrity: sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: 
@@ -27136,6 +27133,7 @@ packages: tar@7.5.11: resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} engines: {node: '>=18'} + deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me temp@0.9.4: resolution: {integrity: sha512-yYrrsWnrXMcdsnu/7YMYAofM1ktpL5By7vZhf15CrXijWWrEYZks5AXBudalfSWJLlnen/QUJUB5aoB0kqZUGA==} @@ -32513,7 +32511,7 @@ snapshots: '@rushstack/rig-package': 0.6.0 '@rushstack/terminal': 0.19.4(@types/node@20.19.30) '@rushstack/ts-command-line': 5.1.4(@types/node@20.19.30) - diff: 8.0.2 + diff: 8.0.3 lodash: 4.17.21 minimatch: 10.0.3 resolve: 1.22.11 @@ -35767,15 +35765,11 @@ snapshots: diff3@0.0.3: {} - diff@3.5.0: {} - diff@4.0.4: {} - diff@5.2.0: {} - - diff@7.0.0: {} + diff@5.2.2: {} - diff@8.0.2: {} + diff@8.0.3: {} dir-glob@3.0.1: dependencies: @@ -39449,7 +39443,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.6.0 debug: 4.4.3(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 @@ -39471,7 +39465,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 4.0.3 debug: 4.4.3(supports-color@8.1.1) - diff: 7.0.0 + diff: 8.0.3 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 10.5.0 @@ -41558,7 +41552,7 @@ snapshots: '@sinonjs/commons': 3.0.1 '@sinonjs/fake-timers': 11.2.2 '@sinonjs/samsam': 8.0.2 - diff: 5.2.0 + diff: 5.2.2 nise: 6.1.1 supports-color: 7.2.0 @@ -41567,7 +41561,7 @@ snapshots: '@sinonjs/commons': 1.8.6 '@sinonjs/formatio': 3.2.2 '@sinonjs/samsam': 3.3.3 - diff: 3.5.0 + diff: 4.0.4 lolex: 4.2.0 nise: 1.5.3 supports-color: 5.5.0 diff --git a/server/gitrest/package.json b/server/gitrest/package.json index 127810fd8485..2d364375616a 100644 --- a/server/gitrest/package.json +++ b/server/gitrest/package.json 
@@ -83,10 +83,14 @@ "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.", "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { "@fluidframework/eslint-config-fluid": "link:../../common/build/eslint-config-fluid", + "diff@>=5 <6": "^5.2.2", + "diff@>=7 <8": "^8.0.3", + "diff@>=8 <9": "^8.0.3", "@types/node": "^18.17.1", "eslint": "~9.39.2", "jws": "^3.2.3", diff --git a/server/gitrest/pnpm-lock.yaml b/server/gitrest/pnpm-lock.yaml index 4efdd1810f52..319b50e88c75 100644 --- a/server/gitrest/pnpm-lock.yaml +++ b/server/gitrest/pnpm-lock.yaml @@ -6,6 +6,9 @@ settings: overrides: '@fluidframework/eslint-config-fluid': link:../../common/build/eslint-config-fluid + diff@>=5 <6: ^5.2.2 + diff@>=7 <8: ^8.0.3 + diff@>=8 <9: ^8.0.3 '@types/node': ^18.17.1 eslint: ~9.39.2 jws: ^3.2.3 
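Review bot: The `diff@>=7 <8` → `^8.0.3` override lands on sinon here rather than mocha — the gitrest lockfile hunk with `@sinonjs/fake-timers: 13.0.5` / `nise: 6.1.1` switches from diff 7.0.0 to 8.0.3 — and sinon lists diff as a runtime dependency, presumably for rendering assertion mismatches, so an incompatible diff 8 API would only surface as an error thrown inside a failing-assertion path that a green CI run never exercises. A one-off run with an intentionally failing `sinon.assert` would verify that path; historian carries the identical override set and the same lockfile change, so the check covers both. As with the other packages, the comment should cite the advisory id instead of "a known ReDoS vulnerability" so the 5.2.2 / 8.0.3 floors can be re-validated later.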
@@ -2083,16 +2086,12 @@ packages: diff3@0.0.3: resolution: {integrity: sha512-iSq8ngPOt0K53A6eVr4d5Kn6GNrM2nQZtC740pzIriHtn4pOQ2lyzEXQMBeVcWERN0ye7fhBsk9PbLLQOnUx/g==} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} - diff@7.0.0: - resolution: {integrity: sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw==} - engines: {node: '>=0.3.1'} - - diff@8.0.2: - resolution: {integrity: sha512-sSuxWU5j5SR9QQji/o2qMvqRNYRDOcBTgsJ/DeCf4iSN4gW+gNMXM7wFIP+fdXZxoNiAnHUTGjCr+TSWXdRDKg==} + diff@8.0.3: + resolution: {integrity: sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: @@ -5815,7 +5814,7 @@ snapshots: '@rushstack/rig-package': 0.6.0 '@rushstack/terminal': 0.19.4(@types/node@18.17.7) '@rushstack/ts-command-line': 5.1.4(@types/node@18.17.7) - diff: 8.0.2 + diff: 8.0.3 lodash: 4.17.21 minimatch: 10.0.3 resolve: 1.22.11 @@ -7183,11 +7182,9 @@ snapshots: diff3@0.0.3: {} - diff@5.2.0: {} - - diff@7.0.0: {} + diff@5.2.2: {} - diff@8.0.2: {} + diff@8.0.3: {} dir-glob@3.0.1: dependencies: @@ -8868,7 +8865,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.5.3 debug: 4.4.3(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 @@ -9816,7 +9813,7 @@ snapshots: '@sinonjs/commons': 3.0.1 '@sinonjs/fake-timers': 13.0.5 '@sinonjs/samsam': 8.0.2 - diff: 7.0.0 + diff: 8.0.3 nise: 6.1.1 supports-color: 7.2.0 diff --git a/server/historian/package.json b/server/historian/package.json index 55997595d353..ba7f6e5c7c8f 100644 --- a/server/historian/package.json +++ b/server/historian/package.json 
@@ -75,10 +75,14 @@ "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.", "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { "@fluidframework/eslint-config-fluid": "link:../../common/build/eslint-config-fluid", + "diff@>=5 <6": "^5.2.2", + "diff@>=7 <8": "^8.0.3", + "diff@>=8 <9": "^8.0.3", "@types/node": "^18.17.1", "eslint": "~9.39.2", "jws": "^3.2.3", diff --git a/server/historian/pnpm-lock.yaml b/server/historian/pnpm-lock.yaml index e620a4213adc..fbe2ea8b7cda 100644 --- a/server/historian/pnpm-lock.yaml +++ b/server/historian/pnpm-lock.yaml @@ -6,6 +6,9 @@ settings: overrides: '@fluidframework/eslint-config-fluid': link:../../common/build/eslint-config-fluid + diff@>=5 <6: ^5.2.2 + diff@>=7 <8: ^8.0.3 + diff@>=8 <9: ^8.0.3 '@types/node': ^18.17.1 eslint: ~9.39.2 jws: ^3.2.3 
@@ -2161,16 +2164,12 @@ packages: devlop@1.1.0: resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} - diff@7.0.0: - resolution: {integrity: sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw==} - engines: {node: '>=0.3.1'} - - diff@8.0.2: - resolution: {integrity: sha512-sSuxWU5j5SR9QQji/o2qMvqRNYRDOcBTgsJ/DeCf4iSN4gW+gNMXM7wFIP+fdXZxoNiAnHUTGjCr+TSWXdRDKg==} + diff@8.0.3: + resolution: {integrity: sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: @@ -6170,7 +6169,7 @@ snapshots: '@rushstack/rig-package': 0.6.0 '@rushstack/terminal': 0.19.4(@types/node@18.19.3) '@rushstack/ts-command-line': 5.1.4(@types/node@18.19.3) - diff: 8.0.2 + diff: 8.0.3 lodash: 4.17.21 minimatch: 10.0.3 resolve: 1.22.11 @@ -7690,11 +7689,9 @@ snapshots: dependencies: dequal: 2.0.3 - diff@5.2.0: {} - - diff@7.0.0: {} + diff@5.2.2: {} - diff@8.0.2: {} + diff@8.0.3: {} dir-glob@3.0.1: dependencies: @@ -9442,7 +9439,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.5.3 debug: 4.4.3(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 @@ -10499,7 +10496,7 @@ snapshots: '@sinonjs/commons': 3.0.1 '@sinonjs/fake-timers': 13.0.5 '@sinonjs/samsam': 8.0.2 - diff: 7.0.0 + diff: 8.0.3 nise: 6.1.1 supports-color: 7.2.0 diff --git a/server/routerlicious/package.json b/server/routerlicious/package.json index d26173a74cf4..5cfb7e0ee814 100644 --- a/server/routerlicious/package.json +++ b/server/routerlicious/package.json 
@@ -153,6 +153,7 @@ "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.", "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "diff: overridden to patched versions to resolve a known ReDoS vulnerability.", "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { @@ -172,6 +173,9 @@ "@babel/traverse": "7.27.7", "@babel/types": "7.27.7", "@babel/runtime": "7.27.6", + "diff@>=4 <5": "^4.0.4", + "diff@>=5 <6": "^5.2.2", + "diff@>=8 <9": "^8.0.3", "eslint": "^9.39.2", "jws": "^3.2.3", "mongodb>@aws-sdk/credential-providers": "-", diff --git a/server/routerlicious/pnpm-lock.yaml b/server/routerlicious/pnpm-lock.yaml index f88e0529c011..c1b1227ee808 100644 --- a/server/routerlicious/pnpm-lock.yaml +++ b/server/routerlicious/pnpm-lock.yaml @@ -21,6 +21,9 @@ overrides: '@babel/traverse': 7.27.7 '@babel/types': 7.27.7 '@babel/runtime': 7.27.6 + diff@>=4 <5: ^4.0.4 + diff@>=5 <6: ^5.2.2 + diff@>=8 <9: ^8.0.3 eslint: ^9.39.2 jws: ^3.2.3 mongodb>@aws-sdk/credential-providers: '-' 
@@ -4834,16 +4837,16 @@ packages: diff3@0.0.3: resolution: {integrity: sha512-iSq8ngPOt0K53A6eVr4d5Kn6GNrM2nQZtC740pzIriHtn4pOQ2lyzEXQMBeVcWERN0ye7fhBsk9PbLLQOnUx/g==} - diff@4.0.2: - resolution: {integrity: sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==} + diff@4.0.4: + resolution: {integrity: sha512-X07nttJQkwkfKfvTPG/KSnE2OMdcUCao6+eXF3wmnIQRn2aPAHH3VxDbDOdegkd6JbPsXqShpvEOHfAT+nCNwQ==} engines: {node: '>=0.3.1'} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} - diff@8.0.2: - resolution: {integrity: sha512-sSuxWU5j5SR9QQji/o2qMvqRNYRDOcBTgsJ/DeCf4iSN4gW+gNMXM7wFIP+fdXZxoNiAnHUTGjCr+TSWXdRDKg==} + diff@8.0.3: + resolution: {integrity: sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: @@ -10425,7 +10428,7 @@ snapshots: '@rushstack/rig-package': 0.6.0 '@rushstack/terminal': 0.19.4(@types/node@22.19.11) '@rushstack/ts-command-line': 5.1.4(@types/node@22.19.11) - diff: 8.0.2 + diff: 8.0.3 lodash: 4.17.21 minimatch: 10.0.3 resolve: 1.22.10 @@ -12719,11 +12722,11 @@ snapshots: diff3@0.0.3: {} - diff@4.0.2: {} + diff@4.0.4: {} - diff@5.2.0: {} + diff@5.2.2: {} - diff@8.0.2: {} + diff@8.0.3: {} dir-glob@3.0.1: dependencies: @@ -15053,7 +15056,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.5.3 debug: 4.4.0(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 @@ -16544,7 +16547,7 @@ snapshots: '@sinonjs/commons': 3.0.1 '@sinonjs/fake-timers': 11.2.2 '@sinonjs/samsam': 8.0.2 - diff: 5.2.0 + diff: 5.2.2 nise: 6.1.1 supports-color: 7.2.0 
@@ -17058,7 +17061,7 @@ snapshots: ts-node@8.10.2(typescript@5.1.6): dependencies: arg: 4.1.3 - diff: 4.0.2 + diff: 4.0.4 make-error: 1.3.6 source-map-support: 0.5.21 typescript: 5.1.6 diff --git a/tools/api-markdown-documenter/package.json b/tools/api-markdown-documenter/package.json index f67fd1c13b2e..1440e8b18b9b 100644 --- a/tools/api-markdown-documenter/package.json +++ b/tools/api-markdown-documenter/package.json @@ -127,9 +127,12 @@ "pnpm": { "commentsOverrides": [ "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", - "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys)." + "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).", + "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3." ], "overrides": { + "diff@>=5 <6": "^5.2.2", + "diff@>=7 <8": "^8.0.3", "js-yaml": "^4.1.1", "qs": "^6.15.0" }, diff --git a/tools/api-markdown-documenter/pnpm-lock.yaml b/tools/api-markdown-documenter/pnpm-lock.yaml index 8eeebe307c8f..8ebfcc878b77 100644 --- a/tools/api-markdown-documenter/pnpm-lock.yaml +++ b/tools/api-markdown-documenter/pnpm-lock.yaml @@ -5,6 +5,8 @@ settings: excludeLinksFromLockfile: false overrides: + diff@>=5 <6: ^5.2.2 + diff@>=7 <8: ^8.0.3 js-yaml: ^4.1.1 qs: ^6.15.0 
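Review bot: The override `"diff@>=7 <8": "^8.0.3"` in the api-markdown-documenter package.json hunk moves a dependent that declared diff 7 onto a different major, and the rationale comment records only that 7.x has no fix, not whether that dependent was checked against 8.x. A pnpm override bypasses the dependent's own semver range, so any API or module-format change between diff 7 and 8 would surface at that dependent's runtime rather than at install time. The lockfile hunk that follows in this commit shows the affected snapshot (apparently mocha's, judging by its sibling dependencies) going from `diff: 7.0.0` to `diff: 8.0.3`. Consider either extending the comment, e.g. `"… diff@7.x has no fix so it is bumped across a major to 8.0.3; <DEPENDENT> verified against 8.x."`, or bumping the dependent to a release that itself requires diff 8 so the lockfile reflects a combination its author supports.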
@@ -1341,12 +1343,12 @@ packages: devlop@1.1.0: resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} - diff@7.0.0: - resolution: {integrity: sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw==} + diff@8.0.3: + resolution: {integrity: sha512-qejHi7bcSD4hQAZE0tNAawRK1ZtafHDmMTMkrrIGgSLl7hTnQHmKCeB45xAcbfTqK2zowkM3j3bHt/4b/ARbYQ==} engines: {node: '>=0.3.1'} dir-compare@5.0.0: @@ -4938,9 +4940,9 @@ snapshots: dependencies: dequal: 2.0.3 - diff@5.2.0: {} + diff@5.2.2: {} - diff@7.0.0: {} + diff@8.0.3: {} dir-compare@5.0.0: dependencies: @@ -6652,7 +6654,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.5.3 debug: 4.4.3(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 @@ -6674,7 +6676,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 4.0.3 debug: 4.4.3(supports-color@8.1.1) - diff: 7.0.0 + diff: 8.0.3 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 10.5.0 diff --git a/tools/benchmark/package.json b/tools/benchmark/package.json index 0cd040a09c67..46bb24fb11dd 100644 --- a/tools/benchmark/package.json +++ b/tools/benchmark/package.json @@ -68,9 +68,11 @@ "unrs-resolver" ], "commentsOverrides": [ - "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys)." + "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).", + "diff: overridden to patched version to resolve a known ReDoS vulnerability." ], "overrides": { + "diff@>=5 <6": "^5.2.2", "js-yaml": "^4.1.1", "nanoid": "^3.3.9" } 
diff --git a/tools/benchmark/pnpm-lock.yaml b/tools/benchmark/pnpm-lock.yaml index 596ee12af1b7..fe6985f8ce30 100644 --- a/tools/benchmark/pnpm-lock.yaml +++ b/tools/benchmark/pnpm-lock.yaml @@ -5,6 +5,7 @@ settings: excludeLinksFromLockfile: false overrides: + diff@>=5 <6: ^5.2.2 js-yaml: ^4.1.1 nanoid: ^3.3.9 @@ -622,8 +623,8 @@ packages: defaults@1.0.4: resolution: {integrity: sha512-eFuaLoy/Rxalv2kr+lqMlUnrDWV+3j4pljOIJgLIhI058IQfWJ7vXhyEIHu+HtC738klGALYxOKDO0bQP3tg8A==} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} easy-table@1.2.0: @@ -2038,7 +2039,7 @@ snapshots: clone: 1.0.4 optional: true - diff@5.2.0: {} + diff@5.2.2: {} easy-table@1.2.0: dependencies: @@ -2468,7 +2469,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.6.0 debug: 4.4.1(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0 diff --git a/tools/test-tools/package.json b/tools/test-tools/package.json index d4f49cbcff58..e58e921cc249 100644 --- a/tools/test-tools/package.json +++ b/tools/test-tools/package.json @@ -47,9 +47,11 @@ "packageManager": "pnpm@10.18.3+sha512.bbd16e6d7286fd7e01f6b3c0b3c932cda2965c06a908328f74663f10a9aea51f1129eea615134bf992831b009eabe167ecb7008b597f40ff9bc75946aadfb08d", "pnpm": { "commentsOverrides": [ - "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys)." + "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).", + "diff: overridden to patched version to resolve a known ReDoS vulnerability." ], "overrides": { + "diff@>=5 <6": "^5.2.2", "js-yaml": "^4.1.1" }, "onlyBuiltDependencies": [ diff --git a/tools/test-tools/pnpm-lock.yaml b/tools/test-tools/pnpm-lock.yaml index 5e39da678789..a5bcf579ffa6 100644 
--- a/tools/test-tools/pnpm-lock.yaml +++ b/tools/test-tools/pnpm-lock.yaml @@ -5,6 +5,7 @@ settings: excludeLinksFromLockfile: false overrides: + diff@>=5 <6: ^5.2.2 js-yaml: ^4.1.1 importers: @@ -883,8 +884,8 @@ packages: resolution: {integrity: sha512-TLz+x/vEXm/Y7P7wn1EJFNLxYpUD4TgMosxY6fAVJUnJMbupHBOncxyWUG9OpTaH9EBD7uFI5LfEgmMOc54DsA==} engines: {node: '>=8'} - diff@5.2.0: - resolution: {integrity: sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==} + diff@5.2.2: + resolution: {integrity: sha512-vtcDfH3TOjP8UekytvnHH1o1P4FcUdt4eQ1Y+Abap1tk/OB2MWQvcwS2ClCd1zuIhc3JKOx6p3kod8Vfys3E+A==} engines: {node: '>=0.3.1'} dir-glob@3.0.1: @@ -3358,7 +3359,7 @@ snapshots: detect-newline@3.1.0: {} - diff@5.2.0: {} + diff@5.2.2: {} dir-glob@3.0.1: dependencies: @@ -4295,7 +4296,7 @@ snapshots: browser-stdout: 1.3.1 chokidar: 3.5.3 debug: 4.4.3(supports-color@8.1.1) - diff: 5.2.0 + diff: 5.2.2 escape-string-regexp: 4.0.0 find-up: 5.0.0 glob: 8.1.0