This repository has been archived by the owner on Mar 25, 2021. It is now read-only.

Security vulnerability for diff #4783

Closed
prabirshrestha opened this issue Jul 3, 2019 · 0 comments · Fixed by #4845

@prabirshrestha

https://bugzilla.redhat.com/show_bug.cgi?id=1552148

It was found that affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds matching time for data 48K characters long.

Upstream patch is kpdecker/jsdiff@2aec429 which is available in >3.5.0

Is it possible to update the diff package from ^3.2.0 to >= 3.5.0?

Though tslint is used as a tool and we won't have ReDoS, it would be good to get this fixed.
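One way to check whether a project still resolves a copy of `diff` below the requested floor, as an added example that is not part of the original issue or the tslint code base. The 3.5.0 floor comes from the request above; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: list copies of the `diff` package older than 3.5.0 in an npm lockfile.
// FIXED_IN is the floor requested in the issue (>= 3.5.0).
const FIXED_IN = [3, 5, 0];

// Parse "3.2.0" into [major, minor, patch]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Handles both lockfile layouts: "packages" (lockfileVersion 2/3, flat path keys)
// and "dependencies" (lockfileVersion 1, nested tree). Unparseable versions are
// reported too, so they get a manual look.
function findVulnerableDiff(lock) {
  const hits = [];
  const check = (where, version) => {
    const parsed = parseVersion(version);
    if (!parsed || isOlder(parsed, FIXED_IN)) hits.push({ where, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/diff' || path.endsWith('/node_modules/diff')) check(path, meta.version);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'diff') check(here.join(' > '), meta.version);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v1 layout), not taken from any real repository.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    tslint: { version: '0.0.0-sample', dependencies: { diff: { version: '3.2.0' } } },
    'other-tool': { version: '0.0.0-sample', dependencies: { diff: { version: '3.5.0' } } },
  },
};
console.log(findVulnerableDiff(sampleLock));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableDiff`.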
