Transitive dependency: diff@8.0.2 DoS fix available upstream

[thomasturrell]

Following on from #5607.

There is a published security advisory for diff:
GHSA-73rr-hh4g-fpgx (DoS in parsePatch via crafted input)

The issue is fixed upstream in jsdiff PR #649 and released in diff@>=8.0.3:

Mocha currently appears to resolve diff@8.0.2, so this is just to flag that a fixed version is available upstream if/when you’re next updating this dependency.

I appreciate this is likely low severity in practice, but it does surface in audit tooling and CI.

[voxpelli]

We support any 8.x version that is at least 8.0.2, so only change would be to bump lowest version, but one can also do a fresh install or one of the variants of lockfile maintenance to get the new version so we're not really blocking anyone, it would simply be a convenience help for people

[thomasturrell]

We support any 8.x version that is at least 8.0.2, so only change would be to bump lowest version, but one can also do a fresh install or one of the variants of lockfile maintenance to get the new version so we're not really blocking anyone, it would simply be a convenience help for people

Thank you.

Would you welcome a PR for this issue from me?

[mark-wiemer]

Ref #5650, to be clear this vulnerability does not affect Mocha. That said, we're always happy to update our dependencies, but it's easier said than done (#5606). PRs are welcome :)

[mark-wiemer]

See also #5070

[mark-wiemer]

Incremental PRs are welcome on #5070, they don't have to close the entire issue!