Update diff dependency to fix GHSA-73rr-hh4g-fpgx DoS vulnerability

[Copilot]

The diff package versions prior to 8.0.3 contain a DoS vulnerability (GHSA-73rr-hh4g-fpgx) where parsePatch and applyPatch can enter infinite loops or exhibit O(n³) performance when parsing patches with malformed filename headers containing line break characters.

Changes

• Updated diff from ^5.2.0 to ^8.0.3 in @textlint/fixer-formatter
• Removed @types/diff dependency (diff 8.x includes native TypeScript types)

The package uses only diffLines from the diff API, which remains compatible across versions.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Vulnerable diff dependency in @textlint/fixer-formatter</issue_title>
<issue_description>Hi,
thanks for supporting textlint :)

By running npm audit after installing the latest textlint version (15.5.0), it appears that it installs a vulnerable version of diff:

# npm audit report

diff  <8.0.3
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install renovate@31.13.3, which is a breaking change
node_modules/diff
  @textlint/fixer-formatter  *
  Depends on vulnerable versions of diff
  node_modules/@textlint/fixer-formatter
    textlint  >=10.1.3
    Depends on vulnerable versions of @textlint/fixer-formatter
    node_modules/textlin

Updating using npm audit fix is not possible because of the dependency constraints:

textlint/packages/@textlint/fixer-formatter/package.json

Lines 41 to 51 in baa7d35

	"dependencies": {
	"@textlint/module-interop": "workspace:*",
	"@textlint/resolver": "workspace:*",
	"@textlint/types": "workspace:*",
	"chalk": "^4.1.2",
	"debug": "^4.4.3",
	"diff": "^5.2.0",
	"string-width": "^4.2.3",
	"strip-ansi": "^6.0.1",
	"text-table": "^0.2.0"
	},

Would it be possible to release a new version that uses diff >= 8.0.3, that according to GHSA-73rr-hh4g-fpgx, mitigates the vulnerability?

thanks!</issue_description>

<agent_instructions>Update diff and fix this issue and pass test</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Vulnerable diff dependency in @textlint/fixer-formatter #1899

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[azu]

@copilot tell me summary of diff changelogs

[azu]

https://github.com/kpdecker/jsdiff/blob/master/release-notes.md

[Copilot]

@copilot tell me summary of diff changelogs

Here's a summary of diff changelogs from v5.2.0 to v8.0.3:

Major Changes by Version

v6.0.0 (Breaking changes):

• diffWords: Radically changed to no longer treat whitespace as tokens by default, providing more intuitive diffing
• diffChars: Now diffs Unicode code points instead of UTF-16 code units
• parsePatch: Always runs in strict mode (previously optional)
• Change objects now guarantee added/removed properties are booleans
• TypeScript type definitions officially added
• Deprecated diffTrimmedLines (use diffLines with ignoreWhitespace: true)

v7.0.0 (Breaking):

• Fixed diffWords regression: numbers and underscores treated as word characters again

v8.0.0 (Breaking):

• Rewritten in TypeScript - now includes built-in type definitions (no need for @types/diff)
• Diff is now a class (can extend via class CustomDiff extends Diff)
• Removed undocumented merge function
• Multiple ReDOS fixes in diffSentences and diffWords
• ESM support added alongside CommonJS

v8.0.3 (Security fix):

• Fixed DoS vulnerabilities in parsePatch (GHSA-73rr-hh4g-fpgx) - infinite loop and cubic-time ReDOS attacks now prevented

Impact on textlint

The package only uses diffLines which remains backward compatible. The main benefit is the security fix and built-in TypeScript types (removing the need for @types/diff).

[Copilot]

Pull request overview

This pull request updates the diff dependency from version ^5.2.0 to ^8.0.3 in the @textlint/fixer-formatter package to address a Denial of Service (DoS) vulnerability (GHSA-73rr-hh4g-fpgx). The vulnerability affects versions prior to 8.0.3, where parsePatch and applyPatch functions can enter infinite loops or exhibit O(n³) performance with malformed filename headers.

Changes:

• Updated diff dependency from ^5.2.0 to ^8.0.3 in @textlint/fixer-formatter
• Removed @types/diff dependency as diff 8.x includes native TypeScript types

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
packages/@textlint/fixer-formatter/package.json	Updated diff to ^8.0.3 and removed @types/diff from devDependencies
pnpm-lock.yaml	Updated lockfile to reflect new diff version (8.0.3) and removed @types/diff references

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[azu]

lgtm