Commit 8cc273f
build(deps): bump diff from 4.0.2 to 8.0.3 (#8476)
Bumps [diff](https://github.com/kpdecker/jsdiff) from 4.0.2 to 8.0.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kpdecker/jsdiff/blob/master/release-notes.md">diff's
changelog</a>.</em></p>
<blockquote>
<h2>8.0.3</h2>
<ul>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/631">#631</a> -
<strong>fix support for using an <code>Intl.Segmenter</code> with
<code>diffWords</code></strong>. This has been almost completely broken
since the feature was added in v6.0.0, since it would outright crash on
any text that featured two consecutive newlines between a pair of words
(a very common case).</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/635">#635</a> -
<strong>small tweaks to tokenization behaviour of
<code>diffWords</code></strong> when used <em>without</em> an
<code>Intl.Segmenter</code>. Specifically, the soft hyphen (U+00AD) is
no longer considered to be a word break, and the multiplication and
division signs (<code>×</code> and <code>÷</code>) are now treated as
punctuation instead of as letters / word characters.</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/641">#641</a> -
<strong>the format of file headers in <code>createPatch</code> etc.
patches can now be customised somewhat</strong>. It now takes a
<code>headerOptions</code> option that can be used to disable the file
headers entirely, or omit the <code>Index:</code> line and/or the
underline. In particular, this was motivated by a request to make jsdiff
patches compatible with react-diff-view, which they now are if produced
with <code>headerOptions: FILE_HEADERS_ONLY</code>.</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/647">#647</a> and
<a href="https://redirect.github.com/kpdecker/jsdiff/pull/649">#649</a>
- <strong>fix denial-of-service vulnerabilities in
<code>parsePatch</code> whereby adversarial input could cause a
memory-leaking infinite loop, typically crashing the calling
process</strong>. Also fixed ReDoS vulnerabilities whereby
adversarially-crafted patch headers could take cubic time to parse. Now,
<code>parsePatch</code> should reliably take linear time. (Handling of
headers that include the line break characters <code>\r</code>,
<code>\u2028</code>, or <code>\u2029</code> in non-trailing positions is
also now more reasonable as side effect of the fix.)</li>
</ul>
<h2>8.0.2</h2>
<ul>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/616">#616</a>
<strong>Restored compatibility of <code>diffSentences</code> with old
Safari versions.</strong> This was broken in 8.0.0 by the introduction
of a regex with a <a
href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Lookbehind_assertion">lookbehind
assertion</a>; these weren't supported in Safari prior to version
16.4.</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/612">#612</a>
<strong>Improved tree shakeability</strong> by marking the built CJS and
ESM packages with <code>sideEffects: false</code>.</li>
</ul>
<h2>8.0.1</h2>
<ul>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/610">#610</a>
<strong>Fixes types for <code>diffJson</code> which were broken by
8.0.0</strong>. The new bundled types in 8.0.0 only allowed
<code>diffJson</code> to be passed string arguments, but it should've
been possible to pass either strings or objects (and now is). Thanks to
Josh Kelley for the fix.</li>
</ul>
<h2>8.0.0</h2>
<ul>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/580">#580</a>
<strong>Multiple tweaks to <code>diffSentences</code></strong>:
<ul>
<li>tokenization no longer takes quadratic time on pathological inputs
(reported as a ReDoS vulnerability by Snyk); is now linear instead</li>
<li>the final sentence in the string is now handled the same by the
tokenizer regardless of whether it has a trailing punctuation mark or
not. (Previously, "foo. bar." tokenized to
<code>["foo.", " ", "bar."]</code> but
"foo. bar" tokenized to <code>["foo.", "
bar"]</code> - i.e. whether the space between sentences was treated
as a separate token depended upon whether the final sentence had
trailing punctuation or not. This was arbitrary and surprising; it is no
longer the case.)</li>
<li>in a string that starts with a sentence end, like "!
hello.", the "!" is now treated as a separate
sentence</li>
<li>the README now correctly documents the tokenization behaviour (it
was wrong before)</li>
</ul>
</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/581">#581</a> -
<strong>fixed some regex operations used for tokenization in
<code>diffWords</code> taking O(n^2) time</strong> in pathological
cases</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/595">#595</a> -
<strong>fixed a crash in patch creation functions when handling a single
hunk consisting of a very large number (e.g. >130k) of
lines</strong>. (This was caused by spreading indefinitely-large arrays
to <code>.push()</code> using <code>.apply</code> or the spread operator
and hitting the JS-implementation-specific limit on the maximum number
of arguments to a function, as shown at <a
href="https://stackoverflow.com/a/56809779/1709587">https://stackoverflow.com/a/56809779/1709587</a>;
thus the exact threshold to hit the error will depend on the environment
in which you were running JsDiff.)</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/596">#596</a> -
<strong>removed the <code>merge</code> function</strong>. Previously
JsDiff included an undocumented function called <code>merge</code> that
was meant to, in some sense, merge patches. It had at least a couple of
serious bugs that could lead to it returning unambiguously wrong
results, and it was difficult to simply "fix" because it was
<a
href="https://redirect.github.com/kpdecker/jsdiff/issues/181#issuecomment-2198319542">unclear
precisely what it was meant to do</a>. For now, the fix is to remove it
entirely.</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/591">#591</a> -
JsDiff's source code has been rewritten in TypeScript. This change
entails the following changes for end users:
<ul>
<li>
<p><strong>the <code>diff</code> package on npm now includes its own
TypeScript type definitions</strong>. Users who previously used the
<code>@types/diff</code> npm package from DefinitelyTyped should remove
that dependency when upgrading JsDiff to v8.</p>
<p>Note that the transition from the DefinitelyTyped types to JsDiff's
own type definitions includes multiple fixes and also removes many
exported types previously used for <code>options</code> arguments to
diffing and patch-generation functions. (There are now different
exported options types for abortable calls - ones with a
<code>timeout</code> or <code>maxEditLength</code> that may give a
result of <code>undefined</code> - and non-abortable calls.) See the
TypeScript section of the README for some usage tips.</p>
</li>
<li>
<p><strong>The <code>Diff</code> object is now a class</strong>. Custom
extensions of <code>Diff</code>, as described in the "Defining
custom diffing behaviors" section of the README, can therefore now
be done by writing a <code>class CustomDiff extends Diff</code> and
overriding methods, instead of the old way based on prototype
inheritance. (I <em>think</em> code that did things the old way should
still work, though!)</p>
</li>
<li>
<p><strong><code>diff/lib/index.es6.js</code> and
<code>diff/lib/index.mjs</code> no longer exist, and the ESM version of
the library is no longer bundled into a single file.</strong></p>
</li>
<li>
<p><strong>The <code>ignoreWhitespace</code> option for
<code>diffWords</code> is no longer included in the type
declarations</strong>. The effect of passing <code>ignoreWhitespace:
true</code> has always been to make <code>diffWords</code> just call
<code>diffWordsWithSpace</code> instead, which was confusing, because
that behaviour doesn't seem properly described as "ignoring"
whitespace at all. The property remains available to non-TypeScript
applications for the sake of backwards compatibility, but TypeScript
applications will now see a type error if they try to pass
<code>ignoreWhitespace: true</code> to <code>diffWords</code> and should
change their code to call <code>diffWordsWithSpace</code> instead.</p>
</li>
<li>
<p>JsDiff no longer purports to support ES3 environments. (I'm pretty
sure it never truly did, despite claiming to in its README, since even
the 1.0.0 release used <code>Array.map</code> which was added in
ES5.)</p>
</li>
</ul>
</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/601">#601</a> -
<strong><code>diffJson</code>'s <code>stringifyReplacer</code> option
behaves more like <code>JSON.stringify</code>'s <code>replacer</code>
argument now.</strong> In particular:
<ul>
<li>Each key/value pair now gets passed through the replacer once
instead of twice</li>
<li>The <code>key</code> passed to the replacer when the top-level
object is passed in as <code>value</code> is now
<code>""</code> (previously, was <code>undefined</code>), and
the <code>key</code> passed with an array element is the array index as
a string, like <code>"0"</code> or <code>"1"</code>
(previously was whatever the key for the entire array was). Both the new
behaviours match that of <code>JSON.stringify</code>.</li>
</ul>
</li>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/602">#602</a> -
<strong>diffing functions now consistently return <code>undefined</code>
when called in async mode</strong> (i.e. with a callback). Previously,
there was an odd quirk where they would return <code>true</code> if the
strings being diffed were equal and <code>undefined</code>
otherwise.</li>
</ul>
<h2>7.0.0</h2>
<p>Just a single (breaking) bugfix, undoing a behaviour change
introduced accidentally in 6.0.0:</p>
<ul>
<li><a
href="https://redirect.github.com/kpdecker/jsdiff/pull/554">#554</a>
<strong><code>diffWords</code> treats numbers and underscores as word
characters again.</strong> This behaviour was broken in v6.0.0.</li>
</ul>
<h2>6.0.0</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/13576bfbcc444ce48f71cfd1e08529bd13962411"><code>13576bf</code></a>
8.0.3 release (<a
href="https://redirect.github.com/kpdecker/jsdiff/issues/652">#652</a>)</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/1179ccb0d31f497449e998a6e67b1b9220565764"><code>1179ccb</code></a>
Ignore .zed (<a
href="https://redirect.github.com/kpdecker/jsdiff/issues/651">#651</a>)</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/949d6e2a44622b15b5a5be3ffcf196869c5a6b4c"><code>949d6e2</code></a>
Add test for the vuln I just fixed (<a
href="https://redirect.github.com/kpdecker/jsdiff/issues/650">#650</a>)</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5"><code>15a1585</code></a>
Fix the second denial-of-service vulnerability in parsePatch (<a
href="https://redirect.github.com/kpdecker/jsdiff/issues/649">#649</a>)</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/de95cca5329730cf9dcdd85c634633693b3ab3db"><code>de95cca</code></a>
Fix potentially cubic-time regex in parsePatch (<a
href="https://redirect.github.com/kpdecker/jsdiff/issues/647">#647</a>)</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/b9aeedef3fe4764c3408b52990767bd7ac0425ab"><code>b9aeede</code></a>
Allow more customisation of file headers in patches (<a
href="https://redirect.github.com/kpdecker/jsdiff/issues/641">#641</a>)</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/43c716c4a38aeb72939e41e7ef353a33615335bf"><code>43c716c</code></a>
Merge pull request <a
href="https://redirect.github.com/kpdecker/jsdiff/issues/636">#636</a>
from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/b8162c77d711e9c17e440e4f62bad7c88fad1a88"><code>b8162c7</code></a>
Bump node-forge from 1.3.1 to 1.3.2</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/ad6dc1728e52e4124abcbf906072eaeaa9e63aea"><code>ad6dc17</code></a>
Fix some bugs in the diffWords regex (and errors & ambiguities in
the comment...</li>
<li><a
href="https://github.com/kpdecker/jsdiff/commit/3e1774afcfadc806baa58ee780923e4d4097319a"><code>3e1774a</code></a>
Fix a comment typo (<a
href="https://redirect.github.com/kpdecker/jsdiff/issues/633">#633</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/kpdecker/jsdiff/compare/v4.0.2...v8.0.3">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~explodingcabbage">explodingcabbage</a>, a
new releaser for diff since your current version.</p>
</details>
<br />
[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/DevExpress/testcafe/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 9fc347b, commit 8cc273f
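The commit above bumps the root copy of `diff`, but the rendered hunk does not show what the lockfile resolves to, and a root-level bump does not touch nested copies of the same package that other dependencies pin for themselves. The following is an added example, not part of this PR, of jsdiff or of testcafe: a Node script that walks a `package-lock.json` (v1 tree and v2/v3 flat layouts) and reports every installed copy of `diff` below 8.0.3, the version the changelog above names for the `parsePatch` denial-of-service fixes (#647, #649), plus any leftover `@types/diff` once the root copy is v8, which bundles its own types (#591). The `FIXED` table, the sample lockfile, its version numbers and the package name `some-reporter` are constructed for the example.

```javascript
// Added example, not from the PR, jsdiff or testcafe: audit an npm lockfile for
// copies of a package that sit below the version carrying a fix.
// The threshold comes from the changelog quoted above: jsdiff 8.0.3 fixes the
// parsePatch denial-of-service bugs (#647, #649). Extend the table as needed.
const FIXED = { diff: '8.0.3' };

// Parse "MAJOR.MINOR.PATCH" into numbers. A prerelease suffix is ignored, so a
// prerelease of the fix version itself is not flagged; tighten if that matters.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// a < b: -1, a == b: 0, a > b: 1 (numeric, so 8.0.10 sorts after 8.0.3)
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// lockfileVersion 2/3: a flat "packages" map keyed by install path, e.g.
// "node_modules/diff", or "node_modules/foo/node_modules/diff" for a nested copy.
function* walkPackagesV2(lock) {
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    yield { path, name: path.split('node_modules/').pop(), version: meta.version };
  }
}

// lockfileVersion 1: a "dependencies" tree; nested copies live under each
// entry's own "dependencies".
function* walkDependenciesV1(deps, prefix = '') {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { path, name, version: meta.version };
    yield* walkDependenciesV1(meta.dependencies, `${path}/`);
  }
}

function auditLockfile(lock, fixed = FIXED) {
  const entries = lock.packages
    ? [...walkPackagesV2(lock)]
    : [...walkDependenciesV1(lock.dependencies)];

  const vulnerable = [];
  for (const e of entries) {
    const min = fixed[e.name];
    if (min && e.version && compareSemver(e.version, min) < 0) {
      vulnerable.push({ ...e, fixedIn: min });
    }
  }

  // jsdiff 8 ships its own type definitions (#591), so once the root copy is
  // v8 a remaining @types/diff is dead weight and should be removed.
  const root = entries.find((e) => e.path === 'node_modules/diff');
  const redundantTypes = root && root.version && parseSemver(root.version)[0] >= 8
    ? entries.filter((e) => e.name === '@types/diff').map((e) => e.path)
    : [];

  return { vulnerable, redundantTypes };
}

// Constructed sample (lockfileVersion 3 shape), not the real testcafe lockfile:
// the root copy was bumped, but a hypothetical dependency "some-reporter" still
// pins the old major, so a second copy of diff 4.0.2 remains installed.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { diff: '^8.0.3' } },
    'node_modules/diff': { version: '8.0.3' },
    'node_modules/@types/diff': { version: '5.0.9' },
    'node_modules/some-reporter': { version: '1.2.0', dependencies: { diff: '^4.0.2' } },
    'node_modules/some-reporter/node_modules/diff': { version: '4.0.2' },
  },
};

function formatReport({ vulnerable, redundantTypes }) {
  return [
    ...vulnerable.map((f) => `VULNERABLE  ${f.path} is ${f.version}, fixed in ${f.fixedIn}`),
    ...redundantTypes.map((p) => `REDUNDANT   ${p} (diff v8 bundles its own types)`),
  ];
}

// Usage: node audit-lock.js [path/to/package-lock.json]; with no argument the
// constructed sample above is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const line of formatReport(auditLockfile(lock))) console.log(line);
}
```

Run against the real lockfile after merging; a clean report for `diff` means no copy below 8.0.3 is installed anywhere in the tree, which is what the changelog's DoS fix actually requires, and a `REDUNDANT` line is the cue to drop `@types/diff` from the manifest as the 8.0.0 notes advise.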
2 files changed (+5 -13 lines changed)
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
97 | 97 | | |
98 | 98 | | |
99 | 99 | | |
100 | | - | |
| 100 | + | |
101 | 101 | | |
102 | 102 | | |
103 | 103 | | |
| |||
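Review bot: the single replaced line at 100 in this hunk is rendered blank, and the second of the 2 changed files (+5/-13) is not shown at all, so the resolved version and integrity of `diff` cannot be confirmed from this page; check that the lockfile entry for `node_modules/diff` is 8.0.3 before merging. Beyond that, this is a two-major bump with breaking changes listed in the changelog above that the hunk cannot speak to: `merge` is removed (#596), `diffWords({ ignoreWhitespace: true })` no longer type-checks and should become `diffWordsWithSpace` (#591), `diff/lib/index.es6.js` and `diff/lib/index.mjs` no longer exist, async-mode calls now always return `undefined` (#602), `stringifyReplacer` is called once per pair with `""` and array-index keys (#601), and `@types/diff` becomes redundant. A grep of the repo for those call sites and import paths is a better merge gate than the compatibility score; the Maintainer changes section also notes a new npm releaser since 4.0.2, worth a glance given the package is being pulled in fresh.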