From 74f624c170ffb55ea60a670c3b4833eb2e0b3421 Mon Sep 17 00:00:00 2001 From: Mark Amery Date: Tue, 26 May 2026 15:50:15 +0100 Subject: [PATCH 1/2] Improve CONTRIBUTING.md --- CONTRIBUTING.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 320bd00e..8b8b12a4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,3 +1,17 @@ +# Contributing + +jsdiff was originally written by Kevin Decker (https://github.com/kpdecker) but is presently maintained by Mark Amery (https://github.com/ExplodingCabbage) (henceforth "I"). + +Please post bug reports and feature requests at https://github.com/kpdecker/jsdiff/issues. + +In particular, also feel free to post bugs that could amount to denial-of-service vulnerabilities as public issues. jsdiff has had a handful of such vulnerabilities in the past, caused by bugs where some function has extremely bad time complexity on adversarial input, or in one case a bug whereby adversarial input to `parsePatch` could cause it to go into an infinite loop consuming memory without bound until the JavaScript runtime crashed. I have never heard of them being exploited in the wild, and am generally of the view that denial-of-service vulnerabilities in libraries are typically not especially serious and do not warrant the careful private disclosure that is properly applied to more serious vulnerabilities - so please just chuck them on the public issue tracker. (All that notwithstanding, I will still try to fix them promptly when reported.) + +In the extremely unlikely scenario that you find something more serious than a denial-of-service vulnerability (though I can't even imagine what this would be), please *do* keep it private and reach out to me and Kevin via the email addresses listed in `package.json`. + +PRs are welcome (https://github.com/kpdecker/jsdiff/pulls). PRs with tests are even welcomer. I often reject them if I decide I prefer a slightly different approach, though, so the chance of wasting work is high. + +(I don't promise to address absolutely *everything* but since taking over maintainership from Kevin I have cleaned up the majority of issues and PRs.) + ## Building and testing ``` 
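Review bot: the private-disclosure path at the end of this hunk ("reach out to me and Kevin via the email addresses listed in `package.json`") depends on those addresses staying current and on a reporter thinking to look there; add a `SECURITY.md` (or enable GitHub's private vulnerability reporting) and point at it from this paragraph, since that is where reporters and scanners look first. The preceding paragraph sends denial-of-service bugs straight to the public tracker but does not say whether a fix gets a GitHub advisory or CVE, so state that expectation explicitly; otherwise reporters and downstream consumers cannot tell whether a public issue is the disclosure. Also, "(I don't promise to address absolutely *everything* but since taking over maintainership from Kevin I have cleaned up the majority of issues and PRs.)" is a point-in-time status claim that will go stale in a contributing guide; either drop it or reword it as a standing policy.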
@@ -10,7 +24,7 @@ To run tests in a *browser* (for instance to test compatibility with Firefox, wi If you notice any problems, please report them to the GitHub issue tracker at [http://github.com/kpdecker/jsdiff/issues](http://github.com/kpdecker/jsdiff/issues). -## Releasing +## Releasing (maintainers only) Run a test in Firefox via the procedure above before releasing. From ef001d0fa0b72137af28f4926129c376e2726f9a Mon Sep 17 00:00:00 2001 From: Mark Amery Date: Tue, 26 May 2026 16:06:44 +0100 Subject: [PATCH 2/2] Slim it down --- CONTRIBUTING.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8b8b12a4..76937fa1 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -4,14 +4,12 @@ jsdiff was originally written by Kevin Decker (https://github.com/kpdecker) but Please post bug reports and feature requests at https://github.com/kpdecker/jsdiff/issues. -In particular, also feel free to post bugs that could amount to denial-of-service vulnerabilities as public issues. jsdiff has had a handful of such vulnerabilities in the past, caused by bugs where some function has extremely bad time complexity on adversarial input, or in one case a bug whereby adversarial input to `parsePatch` could cause it to go into an infinite loop consuming memory without bound until the JavaScript runtime crashed. I have never heard of them being exploited in the wild, and am generally of the view that denial-of-service vulnerabilities in libraries are typically not especially serious and do not warrant the careful private disclosure that is properly applied to more serious vulnerabilities - so please just chuck them on the public issue tracker. (All that notwithstanding, I will still try to fix them promptly when reported.) +In particular, also feel free to post bugs that could amount to denial-of-service vulnerabilities as public issues. jsdiff has had a handful of such vulnerabilities in the past, often caused by bugs where some function has bad time complexity on adversarial input. I have never heard of them being exploited in the wild and do not consider their security implications particularly serious - so please just chuck them on the public issue tracker rather than disclosing privately. (All that notwithstanding, I will still try to fix them promptly when reported.) In the extremely unlikely scenario that you find something more serious than a denial-of-service vulnerability (though I can't even imagine what this would be), please *do* keep it private and reach out to me and Kevin via the email addresses listed in `package.json`. PRs are welcome (https://github.com/kpdecker/jsdiff/pulls). PRs with tests are even welcomer. 
I often reject them if I decide I prefer a slightly different approach, though, so the chance of wasting work is high. -(I don't promise to address absolutely *everything* but since taking over maintainership from Kevin I have cleaned up the majority of issues and PRs.) - ## Building and testing ```
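Review bot: in the `@@ -10,7 +24,7 @@` hunk of the first patch, the rename to `## Releasing (maintainers only)` is fine, but the unchanged context line just above it still links the issue tracker as `http://github.com/kpdecker/jsdiff/issues` while the new text at the top of the file uses `https://github.com/kpdecker/jsdiff/issues`; switch the old link to `https://` in the same change so the two references agree.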
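Review bot: the `@@ -4,14 +4,12 @@` hunk rewrites the denial-of-service paragraph and deletes the "cleaned up the majority of issues and PRs" parenthetical that the first patch in this series introduced, so the two commits should be squashed before merge; reviewing text that the next commit replaces is wasted effort. The slimmed paragraph also drops the concrete `parsePatch` unbounded-memory example and now says only "do not consider their security implications particularly serious", which gives reporters less to go on when classifying a finding; keep one sentence naming what counts as a DoS bug here (super-linear time on adversarial input, memory growing without bound) and, as in the first version, say whether such reports get an advisory. Minor: "PRs with tests are even welcomer" in the unchanged context reads as a typo for "even more welcome".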