microsoft · frankmueller-msft · Mar 18, 2026 · Mar 14, 2026 · Mar 16, 2026 · Mar 17, 2026
diff --git a/build-tools/package.json b/build-tools/package.json
@@ -155,10 +155,14 @@
 			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 			"mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
 			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
+			"diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.",
 			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 		],
 		"overrides": {
 			"@types/glob>@types/minimatch": "~5.1.2",
+			"diff@>=4 <5": "^4.0.4",
+			"diff@>=7 <8": "^8.0.3",
+			"diff@>=8 <9": "^8.0.3",
 			"@types/node": "^22.19.1",
 			"eslint": "~9.39.2",
 			"json5@<1.0.2": "^1.0.2",

diff --git a/build-tools/pnpm-lock.yaml b/build-tools/pnpm-lock.yaml
diff --git a/build-tools/syncpack.config.cjs b/build-tools/syncpack.config.cjs
@@ -80,6 +80,9 @@ module.exports = {
 			label: "Ignore unsupported pnpm override entries",
 			dependencyTypes: ["pnpmOverrides"],
 			dependencies: [
+				"diff@>=4 <5",
+				"diff@>=7 <8",
+				"diff@>=8 <9",
 				"js-yaml@<4",
 				"js-yaml@>=4",
 				"json5@<1.0.2",

diff --git a/common/build/eslint-config-fluid/package.json b/common/build/eslint-config-fluid/package.json
@@ -79,9 +79,11 @@
 	"pnpm": {
 		"commentsOverrides": [
 			"serialize-javascript - CVE-2024-11831 impacts version 6.0.0 which is pinned by mocha 10.4.0, which in turn comes from mocha-multi-reporters 1.5.1 (which has no updated version at this time)",
-			"js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys)."
+			"js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
+			"diff: overridden to patched version to resolve a known ReDoS vulnerability."
 		],
 		"overrides": {
+			"diff@>=5 <6": "^5.2.2",
 			"js-yaml": "^4.1.1",
 			"mocha>serialize-javascript@6.0.0": "^6.0.2"
 		},

diff --git a/common/build/eslint-config-fluid/pnpm-lock.yaml b/common/build/eslint-config-fluid/pnpm-lock.yaml
diff --git a/common/build/eslint-plugin-fluid/package.json b/common/build/eslint-plugin-fluid/package.json
@@ -52,9 +52,11 @@
 		"commentsOverrides": [
 			"validator: overridden to ^13.15.0 to resolve a known vulnerability in older versions (transitive via swagger-tools).",
 			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
-			"js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys)."
+			"js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
+			"diff: overridden to patched version to resolve a known ReDoS vulnerability."
 		],
 		"overrides": {
+			"diff@>=5 <6": "^5.2.2",
 			"js-yaml": "^4.1.1",
 			"qs": "^6.15.0",
 			"validator": "^13.15.0"

diff --git a/common/build/eslint-plugin-fluid/pnpm-lock.yaml b/common/build/eslint-plugin-fluid/pnpm-lock.yaml
diff --git a/common/lib/common-utils/package.json b/common/lib/common-utils/package.json
@@ -161,9 +161,13 @@
 			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
+			"diff: overridden to patched versions to resolve a known ReDoS vulnerability.",
 			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 		],
 		"overrides": {
+			"diff@>=4 <5": "^4.0.4",
+			"diff@>=5 <6": "^5.2.2",
+			"diff@>=8 <9": "^8.0.3",
 			"js-yaml@<4": "^3.14.2",
 			"js-yaml@>=4": "^4.1.1",
 			"jws": "^3.2.3",

diff --git a/common/lib/common-utils/pnpm-lock.yaml b/common/lib/common-utils/pnpm-lock.yaml
diff --git a/common/lib/protocol-definitions/package.json b/common/lib/protocol-definitions/package.json
@@ -119,6 +119,7 @@
 			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
+			"diff: overridden to patched version to resolve a known ReDoS vulnerability.",
 			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 		],
 		"onlyBuiltDependencies": [
@@ -135,6 +136,7 @@
 			]
 		},
 		"overrides": {
+			"diff@>=8 <9": "^8.0.3",
 			"js-yaml@<4": "^3.14.2",
 			"jws": "^3.2.3",
 			"oclif>@aws-sdk/client-cloudfront": "-",

diff --git a/common/lib/protocol-definitions/pnpm-lock.yaml b/common/lib/protocol-definitions/pnpm-lock.yaml
diff --git a/docs/package.json b/docs/package.json
@@ -123,10 +123,12 @@
 			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 			"mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
 			"node-forge: overridden to ^1.3.2 to fix known ASN.1 vulnerabilities.",
-			"simple-git: overridden to ^3.32.3 to resolve a CG alert."
+			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
+			"diff: overridden to patched version to resolve a known ReDoS vulnerability."
 		],
 		"overrides": {
 			"@types/react": "^18.3.12",
+			"diff@>=5 <6": "^5.2.2",
 			"js-yaml@<4": "^3.14.2",
 			"js-yaml@>=4": "^4.1.1",
 			"jws": "^3.2.3",