Dependency diff (jsdiff) has DoS vulnerability (CVE-2026-24001)

## Summary

`@flydotio/dockerfile` depends on `diff` (jsdiff), which has a denial-of-service vulnerability ([GHSA-73rr-hh4g-fpgx](https://github.com/advisories/GHSA-73rr-hh4g-fpgx), CVE-2026-24001).

## Vulnerability Details

- **Affected methods**: `parsePatch` and `applyPatch`
- **Impact**: Infinite loop and unbounded memory consumption when patch filenames contain `\r`, `\u2028`, or `\u2029` characters. A large payload is not needed to trigger the vulnerability.
- **CVSS**: 2.7 (Low)
- **Patched versions**: `diff@8.0.3`, `5.2.2`, `4.0.4`

## Current state

`@flydotio/dockerfile@>=0.7.5` depends on a vulnerable version of `diff` (6.0.0–8.0.2). Upgrading `diff` to `>=8.0.3` would resolve the issue.

## References

- https://github.com/advisories/GHSA-73rr-hh4g-fpgx
- https://github.com/kpdecker/jsdiff/pull/649

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependency diff (jsdiff) has DoS vulnerability (CVE-2026-24001) #145

Summary

Vulnerability Details

Current state

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Dependency diff (jsdiff) has DoS vulnerability (CVE-2026-24001) #145

Description

Summary

Vulnerability Details

Current state

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions