From a960cbe8aaa33e7fcace28c72a3e89d6583e29ac Mon Sep 17 00:00:00 2001
From: genisis0x
Date: Tue, 19 May 2026 13:34:31 +0530
Subject: [PATCH] fix(deps): bump diff to ^9.0.0 to clear GHSA-73rr-hh4g-fpgx (#1588)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`npm audit` flags diff@7.0.0 with a low-severity DoS in parsePatch/applyPatch (GHSA-73rr-hh4g-fpgx, affected 6.0.0–8.0.2, fixed in 9.0.0). gstack uses diff against local content the user controls so practical risk is low, but the advisory surfaces on every audit pass and blocks clean supply-chain runs for users vendoring gstack. The 9.0.0 breaking changes only touch parsePatch / applyPatch / createPatch and the ESM/CJS exports. Both call sites in this repo (browse/src/snapshot.ts:568, browse/src/meta-commands.ts:712) use `Diff.diffLines`, whose signature and return shape are unchanged in v9, so this is a no-op at runtime.
---
 bun.lock | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bun.lock b/bun.lock
index 96fda00aaa..2f98e65ecc 100644
--- a/bun.lock
+++ b/bun.lock
@@ -7,7 +7,7 @@
 "dependencies": {
 "@huggingface/transformers": "^4.1.0",
 "@ngrok/ngrok": "^1.7.0",
- "diff": "^7.0.0",
+ "diff": "^9.0.0",
 "marked": "^18.0.2",
 "playwright": "^1.58.2",
 "puppeteer-core": "^24.40.0",
@@ -244,7 +244,7 @@
 "devtools-protocol": ["devtools-protocol@0.0.1581282", "", {}, "sha512-nv7iKtNZQshSW2hKzYNr46nM/Cfh5SEvE2oV0/SEGgc9XupIY5ggf84Cz8eJIkBce7S3bmTAauFD6aysMpnqsQ=="],
- "diff": ["diff@7.0.0", "", {}, "sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw=="],
+ "diff": ["diff@9.0.0", "", {}, "sha512-svtcdpS8CgJyqAjEQIXdb3OjhFVVYjzGAPO8WGCmRbrml64SPw/jJD4GoE98aR7r25A0XcgrK3F02yw9R/vhQw=="],
 "dunder-proto": ["dunder-proto@1.0.1", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } }, "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A=="],
diff --git a/package.json b/package.json
index 3851a78bd7..66b72befbf 100644
--- a/package.json
+++ b/package.json
@@ -45,7 +45,7 @@
 "dependencies": {
 "@huggingface/transformers": "^4.1.0",
 "@ngrok/ngrok": "^1.7.0",
- "diff": "^7.0.0",
+ "diff": "^9.0.0",
 "marked": "^18.0.2",
 "playwright": "^1.58.2",
 "puppeteer-core": "^24.40.0",