Skip to content

Bump diff from 5.2.0 to 5.2.2 in /packages/shacl-test#11

Open
dependabot[bot] wants to merge 31 commits intomasterfrom
dependabot/npm_and_yarn/packages/shacl-test/diff-5.2.2
Open

Bump diff from 5.2.0 to 5.2.2 in /packages/shacl-test#11
dependabot[bot] wants to merge 31 commits intomasterfrom
dependabot/npm_and_yarn/packages/shacl-test/diff-5.2.2

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Jan 20, 2026

Bumps diff from 5.2.0 to 5.2.2.

Changelog

Sourced from diff's changelog.

Release Notes

8.0.3

  • #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
  • #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
  • #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
  • #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

8.0.2

  • #616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
  • #612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

8.0.1

  • #610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

8.0.0

  • #580 Multiple tweaks to diffSentences:
    • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
    • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
    • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
    • the README now correctly documents the tokenization behaviour (it was wrong before)
  • #581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
  • #595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
  • #596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.
  • #591 - JsDiff's source code has been rewritten in TypeScript. This change entails the following changes for end users:

    • the diff package on npm now includes its own TypeScript type definitions. Users who previously used the @types/diff npm package from DefinitelyTyped should remove that dependency when upgrading JsDiff to v8.

      Note that the transition from the DefinitelyTyped types to JsDiff's own type definitions includes multiple fixes and also removes many exported types previously used for options arguments to diffing and patch-generation functions. (There are now different exported options types for abortable calls - ones with a timeout or maxEditLength that may give a result of undefined - and non-abortable calls.) See the TypeScript section of the README for some usage tips.

    • The Diff object is now a class. Custom extensions of Diff, as described in the "Defining custom diffing behaviors" section of the README, can therefore now be done by writing a class CustomDiff extends Diff and overriding methods, instead of the old way based on prototype inheritance. (I think code that did things the old way should still work, though!)

    • diff/lib/index.es6.js and diff/lib/index.mjs no longer exist, and the ESM version of the library is no longer bundled into a single file.

    • The ignoreWhitespace option for diffWords is no longer included in the type declarations. The effect of passing ignoreWhitespace: true has always been to make diffWords just call diffWordsWithSpace instead, which was confusing, because that behaviour doesn't seem properly described as "ignoring" whitespace at all. The property remains available to non-TypeScript applications for the sake of backwards compatibility, but TypeScript applications will now see a type error if they try to pass ignoreWhitespace: true to diffWords and should change their code to call diffWordsWithSpace instead.

    • JsDiff no longer purports to support ES3 environments. (I'm pretty sure it never truly did, despite claiming to in its README, since even the 1.0.0 release used Array.map which was added in ES5.)

  • #601 - diffJson's stringifyReplacer option behaves more like JSON.stringify's replacer argument now. In particular:
    • Each key/value pair now gets passed through the replacer once instead of twice
    • The key passed to the replacer when the top-level object is passed in as value is now "" (previously, was undefined), and the key passed with an array element is the array index as a string, like "0" or "1" (previously was whatever the key for the entire array was). Both the new behaviours match that of JSON.stringify.
  • #602 - diffing functions now consistently return undefined when called in async mode (i.e. with a callback). Previously, there was an odd quirk where they would return true if the strings being diffed were equal and undefined otherwise.

7.0.0

Just a single (breaking) bugfix, undoing a behaviour change introduced accidentally in 6.0.0:

  • #554 diffWords treats numbers and underscores as word characters again. This behaviour was broken in v6.0.0.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

rareba added 30 commits December 9, 2025 11:58
@rareba
Fix spex package to use @lindaS dependencies instead of @zazuko
1f04229 
Updated source code imports:
- @zazuko/vue-graph-layout -> @lindas/vue-graph-layout
- @zazuko/env/web -> @lindas/env/web
- @zazuko/prefixes -> @lindas/prefixes

Files changed:
- src/components/data-model/data-model-component.vue
- src/components/ResourcesExplorer.vue
- src/components/shacl-dialog/modal-shacl-load.vue
- src/views/ShaclEditor.vue

Published versions:
- @lindas/vue-graph-layout@0.1.6
- @lindas/spex@0.2.4
@rareba
Update spex to use @lindaS packages instead of @zazuko
05224f2 
Updated source code imports:
- @zazuko/vue-graph-layout -> @lindas/vue-graph-layout
- @zazuko/env/web -> @lindas/env/web
- @zazuko/prefixes -> @lindas/prefixes

Files changed:
- src/components/data-model/data-model-component.vue
- src/components/ResourcesExplorer.vue
- src/components/shacl-dialog/modal-shacl-load.vue
- src/views/ShaclEditor.vue
- packages/vocabulary-extras-builders/package.json (generate script)
@rareba
Fix async/await in shorten-report.js for createPlaygroundUrl
ac43ec3
@rareba
Bump @lindas/shacl-test to 0.1.3
c3d027e
@rareba
Add rdf-parser-csvw-xlsx and fix clownface for monorepo
c7cc1f6 
- Add @lindas/rdf-parser-csvw-xlsx package (forked from @zazuko/rdf-parser-csvw-xlsx)
- Update clownface package.json:
  - Rename from lindas-clownface to @lindas/clownface
  - Point repository to lindas-stack-libraries monorepo
  - Remove husky configuration (not needed in monorepo)
  - Add publishConfig for public access
@rareba
Fix security vulnerabilities in rdf-parser-csvw-xlsx and vue-graph-la…
4e4ef97 
…yout

Security fixes:
- Replace xlsx library with exceljs in rdf-parser-csvw-xlsx to fix:
  - Prototype Pollution vulnerability (GHSA-4r6h-8v6p-xvw6)
  - ReDoS vulnerability (GHSA-5pgg-2g8v-p4x9)
- Migrate vue-graph-layout from Vue CLI to Vite to fix:
  - webpack-dev-server source code theft vulnerability
  - Multiple other webpack-dev-server vulnerabilities

Other improvements:
- Fix Windows path handling in tests using fileURLToPath
- Bump @lindas/env-node to ^3.0.2
- All 8 tests pass with exceljs implementation
@rareba
Fix vue-graph-layout build with ESM-compatible config files
20f6824 
Renamed config files to use .cjs extension for CommonJS compatibility:
- postcss.config.js -> postcss.config.cjs
- tailwind.config.js -> tailwind.config.cjs
- babel.config.js -> Removed (not needed with Vite)

This fixes the build failure caused by module.exports being used
in an ES module context (package.json has "type": "module").

Build now succeeds with Vite producing:
- vue-graph-layout.js (9.90 kB)
- vue-graph-layout.umd.cjs (7.12 kB)
- vue-graph-layout.css (0.49 kB)
@rareba
Convert clownface from submodule to regular package files
8ea3e5f
@rareba
Fix @lindas/env browser compatibility by using readable-stream and ut…
233b9ff 
…il polyfills
@rareba
Fix @lindas/shacl-test line endings and permissions for Linux compati…
3ba5095 
…bility
@rareba
Fix shacl-test scripts to use explicit node and bash commands for npm…
decbeb3 
… compatibility
@rareba
Fix approvals flag quoting to prevent empty string argument
af5d4ae
@rareba
Fix security vulnerabilities by replacing vulnerable xlsx dependency
e964954 
- Added npm override to replace @zazuko/rdf-parser-csvw-xlsx (uses vulnerable
  xlsx) with @lindas/rdf-parser-csvw-xlsx (uses safe exceljs)
- Resolves GHSA-4r6h-8v6p-xvw6 (Prototype Pollution in sheetJS)
- Resolves GHSA-5pgg-2g8v-p4x9 (ReDoS in sheetJS)
- npm audit now reports 0 vulnerabilities
@rareba
Fix TypeScript module resolution and update CI workflows
4afb108 
- Add proper exports with types for @lindas/env subpath exports
  (./web.js, ./Environment.js, etc.)
- Update CI and release workflows to use --legacy-peer-deps
- Support both main and master branches
- Exclude test directory from TypeScript compilation in rdf-parser-csvw-xlsx
- Remove compiled test files from repository
@rareba
Publish packages @lindas/env@3.0.5 and @lindas/env-node@3.0.3
1d684de 
Published to npm with fixed TypeScript module exports.
@rareba
Add basic tests and configure automated npm publishing
5453070 
- Add test suites for prefixes, vocabulary-loader, vocabulary-extras, vocabulary-extras-builders
- Add mocha configuration for TypeScript tests
- Add placeholder test scripts for UI packages (yasgui, yasr, yasqe, spex, shacl-test)
- Configure changesets with README documentation
- Add ts-node for TypeScript test support
@rareba
Fix TypeScript test type errors in rdf-parser-csvw-xlsx
2a25f7a 
- Add type assertions for streamToArray results
- Fix factory type compatibility
- Add eslint-disable comments for necessary any types
@rareba
Update wait-on to v9 for Node 22 compatibility
8c43c72 
- wait-on@6 uses axios internal paths that don't work with Node 22
- Update to wait-on@9.0.3 which is compatible
@rareba
Add docker-compose setup to CI workflow
d9ba42b 
The cube-hierarchy-query tests require docker-compose to start Fuseki
(SPARQL server) for integration tests.
@rareba
Fix snapshot test name for renamed package
390cc19 
Updated snapshot key from @zazuko/cube-hierarchy-query to
@lindas/cube-hierarchy-query to match the renamed package.
@rareba
Add docker-compose setup to Release workflow
f0c863c 
Same fix as CI workflow - cube-hierarchy-query tests require
docker-compose to start Fuseki for integration tests.
@rareba
Combine CI and Release workflows into single pipeline
601dba5 
- Tests run first on Node 18, 20, 22
- Security audit runs in parallel (non-blocking)
- Release job runs after tests pass (only on push to main/master)
- Added concurrency control to cancel outdated runs
@rareba
Add docker-compose to release job
fae60b6 
Changesets action runs tests internally which need docker-compose
for cube-hierarchy-query integration tests.
@rareba
Fix @lindas/shacl-test line endings and permissions for Linux compati…
af114d3 
…bility
@rareba
Add webpack build for yasgui and increase max response size
803b6ab 
- Add webpack configuration for building yasgui packages
- Add tsconfig files for TypeScript compilation
- Increase maxPersistentResponseSize from 100KB to 10MB in yasr defaults
- Add build scripts for yasgui bundle generation
@rareba
Add CHANGELOG.md for tracking repository changes
9f22477
@rareba
Fix bundler compatibility issues in env and env-core packages
8ae475b 
- Downgrade get-stream from ^9.0.1 to ^8.0.0 in @lindas/env to fix
  Angular/esbuild bundler compatibility issue caused by
  @sec-ant/readable-stream async generator patterns
- Add comprehensive proxy traps to extend() function in @lindas/env-core:
  getPrototypeOf, setPrototypeOf, isExtensible, preventExtensions,
  defineProperty, deleteProperty
- Clean up debug logging from extend.js and Environment.js
- Update changelogs
@rareba
Add @lindas/formats-lazy package for browser-compatible RDF parsing
cf45502 
- Fork of @zazuko/formats-lazy v1.0.2
- Provides lazy-loaded RDF parsers and serializers
- Uses @rdfjs/parser-n3, @rdfjs/parser-jsonld, rdfxml-streaming-parser
- Does not depend on @graphy/* packages which require Node.js crypto
- Browser-compatible alternative to @rdfjs-elements/formats-pretty
@rareba
Fix TypeScript type declarations in @lindas/formats-lazy
7eb48ec 
- Fixed malformed SinkMap generic types in index.d.ts
- Properly import EventEmitter from events and Stream from @rdfjs/types
- Fixes TS2345 error when using env.formats.import(formats)
@rareba
Bump @lindas/formats-lazy to 1.0.2
d575dec
@dependabot
Bump diff from 5.2.0 to 5.2.2 in /packages/shacl-test
319498f 
Bumps [diff](https://github.com/kpdecker/jsdiff) from 5.2.0 to 5.2.2.
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2)

---
updated-dependencies:
- dependency-name: diff
  dependency-version: 5.2.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rareba