High severity security alert: diff dependency
drewwmercer opened this issue · comments
Remediation: Upgrade diff to version 3.5.0 or later.
Current version: 4.0.1
WS-2018-0590: high severity
Vulnerable versions: < 3.5.0
Patched version: 3.5.0
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
package-lock.json currently references vulnerable package v3.3.1
I am on it
Update: The culprit seems to be mocha which requires "diff". There is currently a PR waiting to address that issue and I will check tomorrow whether or not we can update to a patched version of mocha.