Vulnerability with `diff` package

[Andrea-Filice]

When I execute the standard command: npm install, now in audit I see a vulnerability from npm packages, and is:

diff <8.0.3 jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx fix available via npm audit fix

[ljharb]

That's complaining about an issue in your application, which you can fix by running npm audit fix. It's got nothing to do with npm.

[Andrea-Filice]

I tried audit fix but it doesn’t work obviously, I also tried —-force but nothing to do. I tried to search online and it doesn’t come from my application.

[ljharb]

Then there's nothing you can do; still doesn't have anything to do with npm.

[Andrea-Filice]

It's not my problem, I double check

[ljharb]

what does npm explain diff output? I'd be pretty confident it's pulled in via a dependency of your own project.

[Andrea-Filice]

diff@8.0.2 bundled
node_modules/npm/node_modules/diff
  diff@"^8.0.2" from libnpmdiff@8.0.12
  node_modules/npm/node_modules/libnpmdiff
    bundled libnpmdiff@"^8.0.12" from npm@11.7.0
    node_modules/npm
      npm@"^11.7.0" from the root project

Is not from my application.

[ljharb]

gotcha. in that case you just have to wait until the npm team updates their dependencies and publishes a new release of npm, which is queued up here: #8853