Vulnerable disparity dependency

[mcandre]

Please update or replace the "disparity" dependency, which GitHub reports as vulnerable due to its early diff Node.js package sub-dependency.

https://github.com/millermedeiros/disparity/issues/3

https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0

Alternatives:

• erte appears to be secure at the moment, but does not support unified diff format.
• unidiff supports unified diff format, but does not support colorization.
• Finally, the core diff package supports many of these features out of the box and doesn't requite quite so many Node.js wrapper packages as we've been using.

One option would be to temporarily drop support for colors, treating the option as a NO-OP. This would allow a rapid security patch to be released, and then we can examine how to add back color support once a secure color diff dependency becomes available.

[mcandre]

As a quick workaround, I am publishing "esformatter2" with all diff features temporarily removed:

https://www.npmjs.com/package/esformatter2

[ruyadorno]

fixed in v0.11.2

[ruyadorno]

@mcandre thanks for the heads up!

I'd just like to mention that publishing a esformatter2 on npm can be very misleading, I would suggest next time you fork a project to use a suffix instead so that it will be friendlier for people looking up on npm search, eg: esformatter-nodisparity or something similar 👍