drewwmercer / pedalhead

Pedalhead is an application for the busy cyclist who has more on their mind than gears and wrenches.

Home Page: https://pedalhead.herokuapp.com/

High severity security alert: diff dependency

drewwmercer opened this issue · comments

Remediation: Upgrade diff to version 3.5.0 or later.

Current version: 4.0.1

WS-2018-0590: high severity
Vulnerable versions: < 3.5.0
Patched version: 3.5.0

A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

package-lock.json currently references vulnerable package v3.3.1

commented

I am on it

commented

Update: The culprit seems to be mocha which requires "diff". There is currently a PR waiting to address that issue and I will check tomorrow whether or not we can update to a patched version of mocha.
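The alert above reports a vulnerable copy of diff in package-lock.json while the top-level version is already newer, and the follow-up comment traces it to mocha. The script below is an added example (not code from the pedalhead repository or from the alert tooling) that automates that triage for a lockfileVersion 1 package-lock.json: it walks the nested "dependencies" tree, lists every resolved copy of a package, flags the ones below the patched version, and reports which dependency's "requires" entry pulls it in. The embedded lock file is constructed for the example; the diff versions 3.3.1 and 4.0.1 are the ones named in the alert, while the mocha version and the exact "requires" spec are made up.

```javascript
// Added example, not the project's own code. Scans a lockfileVersion 1
// package-lock.json ("dependencies" tree with "requires" maps) for every
// resolved copy of a package and reports the ones in a vulnerable range.

// Constructed sample lock file. The diff versions come from the alert; the
// mocha version and its "requires" spec are hypothetical.
const SAMPLE_LOCK = {
  name: "pedalhead",
  lockfileVersion: 1,
  dependencies: {
    diff: { version: "4.0.1" },                // top-level copy, already patched
    mocha: {
      version: "5.2.0",                        // hypothetical version
      dev: true,
      requires: { diff: "3.3.1" },             // hypothetical spec from mocha's package.json
      dependencies: {
        diff: { version: "3.3.1" }             // nested copy that triggers the alert
      }
    }
  }
};

// Parse "1.2.3" (or "v1.2.3", ignoring any pre-release/build suffix) into [1, 2, 3].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True if a < b under numeric major.minor.patch ordering (so 3.10.0 > 3.9.0).
function versionLessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Depth-first walk over the nested "dependencies" tree; "path" is the chain of
// packages under which a copy was installed (e.g. "mocha > diff").
function walkTree(deps, path, visit) {
  for (const [depName, entry] of Object.entries(deps || {})) {
    const here = [...path, depName];
    visit(depName, entry, here);
    walkTree(entry.dependencies, here, visit);
  }
}

// Every resolved copy of `name`, wherever it sits in the tree.
function findInstalledCopies(lock, name) {
  const hits = [];
  walkTree(lock.dependencies, [], (depName, entry, path) => {
    if (depName === name) hits.push({ path: path.join(" > "), version: entry.version });
  });
  return hits;
}

// Only the copies below the patched version, i.e. the ones the alert is about.
function findVulnerableCopies(lock, name, patchedVersion) {
  return findInstalledCopies(lock, name)
    .filter((c) => versionLessThan(c.version, patchedVersion));
}

// The packages whose own dependency spec ("requires") asks for `name`; these are
// what has to be upgraded (or overridden) to get rid of a nested vulnerable copy.
function findRequirers(lock, name) {
  const out = [];
  walkTree(lock.dependencies, [], (depName, entry, path) => {
    if (entry.requires && name in entry.requires) {
      out.push({ path: path.join(" > "), spec: entry.requires[name] });
    }
  });
  return out;
}

// Stand-alone run: reproduces the alert's finding and names the requirer.
for (const copy of findVulnerableCopies(SAMPLE_LOCK, "diff", "3.5.0")) {
  const requirers = findRequirers(SAMPLE_LOCK, "diff")
    .map((r) => `${r.path} (requires ${r.spec})`)
    .join(", ");
  console.log(`${copy.path}@${copy.version} is below 3.5.0; required by: ${requirers || "top level only"}`);
}
```

Only the lockfileVersion 1 layout is handled; lockfileVersion 2 and 3 files keep a flat "packages" map keyed by install path instead, so the walk would need to be adapted for them. The version comparison is deliberately minimal (numeric major.minor.patch) and is enough for a "< 3.5.0" style range; anything more complex should use a real semver library.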