Vulnerability with `diff` package

[Andrea-Filice]

When I execute the standard command: npm install, now in audit I see a vulnerability from npm packages, and is:

diff <8.0.3 jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx fix available via npm audit fix

[ljharb]

That's complaining about an issue in your application, which you can fix by running npm audit fix. It's got nothing to do with npm.

[Andrea-Filice]

I tried audit fix but it doesn’t work obviously, I also tried —-force but nothing to do. I tried to search online and it doesn’t come from my application.

[ljharb]

Then there's nothing you can do; still doesn't have anything to do with npm.

[Andrea-Filice]

It's not my problem, I double check

[ljharb]

what does npm explain diff output? I'd be pretty confident it's pulled in via a dependency of your own project.

[Andrea-Filice]

diff@8.0.2 bundled
node_modules/npm/node_modules/diff
  diff@"^8.0.2" from libnpmdiff@8.0.12
  node_modules/npm/node_modules/libnpmdiff
    bundled libnpmdiff@"^8.0.12" from npm@11.7.0
    node_modules/npm
      npm@"^11.7.0" from the root project

Is not from my application.

[ljharb]

gotcha. in that case you just have to wait until the npm team updates their dependencies and publishes a new release of npm, which is queued up here: #8853

[djeevan-intel]

gotcha. in that case you just have to wait until the npm team updates their dependencies and publishes a new release of npm, which is queued up here: #8853

How can we expedite the new release? Thanks!

[wraithgar]

Update are part of the process for each release, we do not need issues to track them individually.

Additionally, npm itself is not vulnerable in this case. It does not use any of the functions affected. Diff will still be patched in the next release but there is no security concern currently.