fix(core): prevent hangs due to degenerate lockfile diff (#4453)

* Upgrade diff to 5.0.0

* Add maxEditLength to lockfile patch. Fixes #4405.

* Prepare fix for release

* Upgrade diff to 5.1.0

* Re-resolve typescript 4.7.0-beta from npmjs.org

* chore: versions

Co-authored-by: Tony Spataro <[email protected]>
Co-authored-by: merceyz <[email protected]>

.yarn/versions/ff82837d.yml

@@ -0,0 +1,34 @@
+releases:
+  "@yarnpkg/cli": patch
+  "@yarnpkg/core": patch
+  "@yarnpkg/plugin-interactive-tools": patch
+
+declined:
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/plugin-constraints"
+  - "@yarnpkg/plugin-dlx"
+  - "@yarnpkg/plugin-essentials"
+  - "@yarnpkg/plugin-exec"
+  - "@yarnpkg/plugin-file"
+  - "@yarnpkg/plugin-git"
+  - "@yarnpkg/plugin-github"
+  - "@yarnpkg/plugin-http"
+  - "@yarnpkg/plugin-init"
+  - "@yarnpkg/plugin-link"
+  - "@yarnpkg/plugin-nm"
+  - "@yarnpkg/plugin-npm"
+  - "@yarnpkg/plugin-npm-cli"
+  - "@yarnpkg/plugin-pack"
+  - "@yarnpkg/plugin-patch"
+  - "@yarnpkg/plugin-pnp"
+  - "@yarnpkg/plugin-pnpm"
+  - "@yarnpkg/plugin-stage"
+  - "@yarnpkg/plugin-typescript"
+  - "@yarnpkg/plugin-version"
+  - "@yarnpkg/plugin-workspace-tools"
+  - "@yarnpkg/builder"
+  - "@yarnpkg/doctor"
+  - "@yarnpkg/extensions"
+  - "@yarnpkg/nm"
+  - "@yarnpkg/pnpify"
+  - "@yarnpkg/sdks"

packages/plugin-interactive-tools/package.json

@@ -7,7 +7,7 @@
     "@yarnpkg/libui": "workspace:^",
     "algoliasearch": "^4.2.0",
     "clipanion": "^3.2.0-rc.10",
-    "diff": "^4.0.1",
+    "diff": "^5.1.0",
     "ink": "^3.0.8",
     "ink-text-input": "^4.0.1",
     "react": "^16.13.1",
@@ -20,7 +20,7 @@
     "@yarnpkg/plugin-essentials": "workspace:^"
   },
   "devDependencies": {
-    "@types/diff": "^4.0.2",
+    "@types/diff": "^5.0.0",
     "@types/react": "^16.8.0",
     "@types/semver": "^7.1.0",
     "@yarnpkg/builder": "workspace:^",

packages/yarnpkg-core/package.json

@@ -17,7 +17,7 @@
     "ci-info": "^3.2.0",
     "clipanion": "^3.2.0-rc.10",
     "cross-spawn": "7.0.3",
-    "diff": "^4.0.1",
+    "diff": "^5.1.0",
     "globby": "^11.0.1",
     "got": "^11.7.0",
     "lodash": "^4.17.15",
@@ -35,7 +35,7 @@
     "@rollup/plugin-commonjs": "^21.0.1",
     "@rollup/plugin-node-resolve": "^11.0.1",
     "@types/cross-spawn": "6.0.0",
-    "@types/diff": "^4.0.2",
+    "@types/diff": "^5.0.0",
     "@types/lodash": "^4.14.136",
     "@types/micromatch": "^4.0.1",
     "@types/node": "^13.7.0",

packages/yarnpkg-core/sources/Project.ts

@@ -1568,24 +1568,27 @@ export class Project {
         const newLockfile = normalizeLineEndings(initialLockfile, this.generateLockfile());
 
         if (newLockfile !== initialLockfile) {
-          const diff = structuredPatch(lockfilePath, lockfilePath, initialLockfile, newLockfile);
-
-          opts.report.reportSeparator();
-
-          for (const hunk of diff.hunks) {
-            opts.report.reportInfo(null, `@@ -${hunk.oldStart},${hunk.oldLines} +${hunk.newStart},${hunk.newLines} @@`);
-            for (const line of hunk.lines) {
-              if (line.startsWith(`+`)) {
-                opts.report.reportError(MessageName.FROZEN_LOCKFILE_EXCEPTION, formatUtils.pretty(this.configuration, line, formatUtils.Type.ADDED));
-              } else if (line.startsWith(`-`)) {
-                opts.report.reportError(MessageName.FROZEN_LOCKFILE_EXCEPTION, formatUtils.pretty(this.configuration, line, formatUtils.Type.REMOVED));
-              } else {
-                opts.report.reportInfo(null, formatUtils.pretty(this.configuration, line, `grey`));
+          // @ts-expect-error 2345 need to upgrade to diff 5.0.1 or apply patch in yarn's monorepo
+          const diff = structuredPatch(lockfilePath, lockfilePath, initialLockfile, newLockfile, undefined, undefined, {maxEditLength: 100});
+
+          if (diff) {
+            opts.report.reportSeparator();
+
+            for (const hunk of diff.hunks) {
+              opts.report.reportInfo(null, `@@ -${hunk.oldStart},${hunk.oldLines} +${hunk.newStart},${hunk.newLines} @@`);
+              for (const line of hunk.lines) {
+                if (line.startsWith(`+`)) {
+                  opts.report.reportError(MessageName.FROZEN_LOCKFILE_EXCEPTION, formatUtils.pretty(this.configuration, line, formatUtils.Type.ADDED));
+                } else if (line.startsWith(`-`)) {
+                  opts.report.reportError(MessageName.FROZEN_LOCKFILE_EXCEPTION, formatUtils.pretty(this.configuration, line, formatUtils.Type.REMOVED));
+                } else {
+                  opts.report.reportInfo(null, formatUtils.pretty(this.configuration, line, `grey`));
+                }
               }
             }
-          }
 
-          opts.report.reportSeparator();
+            opts.report.reportSeparator();
+          }
 
           throw new ReportError(MessageName.FROZEN_LOCKFILE_EXCEPTION, `The lockfile would have been modified by this install, which is explicitly forbidden.`);
         }

yarn.lock

@@ -4113,10 +4113,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@types/diff@npm:^4.0.2":
-  version: 4.0.2
-  resolution: "@types/diff@npm:4.0.2"
-  checksum: 6f1b4bd81801b138a6fcba89779a37ea26fea700c53a469a31baf49f390fada3155fba9277f1c22a52ea4ae92cb0b5ff7bb56e98ee9828dc3bf2aaa2dc96fdbf
+"@types/diff@npm:^5.0.0":
+  version: 5.0.2
+  resolution: "@types/diff@npm:5.0.2"
+  checksum: 641974ed83c32aa6d8f4b23d3f272fc8349ac77c073d45b32c7eec11c9081f05350f6de764d15fc6c2c90f20a05943a1e553fa506decf3d13bac748ef460f24f
   languageName: node
   linkType: hard
 
@@ -5481,7 +5481,7 @@ __metadata:
     "@rollup/plugin-commonjs": "npm:^21.0.1"
     "@rollup/plugin-node-resolve": "npm:^11.0.1"
     "@types/cross-spawn": "npm:6.0.0"
-    "@types/diff": "npm:^4.0.2"
+    "@types/diff": "npm:^5.0.0"
     "@types/lodash": "npm:^4.14.136"
     "@types/micromatch": "npm:^4.0.1"
     "@types/node": "npm:^13.7.0"
@@ -5502,7 +5502,7 @@ __metadata:
     ci-info: "npm:^3.2.0"
     clipanion: "npm:^3.2.0-rc.10"
     cross-spawn: "npm:7.0.3"
-    diff: "npm:^4.0.1"
+    diff: "npm:^5.1.0"
     esbuild: "npm:esbuild-wasm@^0.11.20"
     globby: "npm:^11.0.1"
     got: "npm:^11.7.0"
@@ -5969,7 +5969,7 @@ __metadata:
   version: 0.0.0-use.local
   resolution: "@yarnpkg/plugin-interactive-tools@workspace:packages/plugin-interactive-tools"
   dependencies:
-    "@types/diff": "npm:^4.0.2"
+    "@types/diff": "npm:^5.0.0"
     "@types/react": "npm:^16.8.0"
     "@types/semver": "npm:^7.1.0"
     "@yarnpkg/builder": "workspace:^"
@@ -5979,7 +5979,7 @@ __metadata:
     "@yarnpkg/plugin-essentials": "workspace:^"
     algoliasearch: "npm:^4.2.0"
     clipanion: "npm:^3.2.0-rc.10"
-    diff: "npm:^4.0.1"
+    diff: "npm:^5.1.0"
     ink: "npm:^3.0.8"
     ink-text-input: "npm:^4.0.1"
     react: "npm:^16.13.1"
@@ -10260,6 +10260,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"diff@npm:^5.1.0":
+  version: 5.1.0
+  resolution: "diff@npm:5.1.0"
+  checksum: c241ce992c1b59de63637d5ea2c4ac36e5686a0c660830a2dea1c9963abbb83907bef6aebe2898a3e581483bf8b1073e806ad884bf8cafe2af4023fb8ecf0f58
+  languageName: node
+  linkType: hard
+
 "diffie-hellman@npm:^5.0.0":
   version: 5.0.3
   resolution: "diffie-hellman@npm:5.0.3"
@@ -25500,7 +25507,7 @@ __metadata:
   bin:
     tsc: bin/tsc
     tsserver: bin/tsserver
-  checksum: 16fccf26fe55e1d09dbd213f83a7638399f7a4f1015554ad4c4f635c0454f4ef48872dcc76d899939ffc7b09b529de4be4202d129e57d5b6f243778c4da2c3d9
+  checksum: cebef22a4aadc1e44110dbd156d88583e1eb658fe42be2a25c63aa945596c8e6ba26f7542d1cb64471a85d9cbb2b38cbb362592ff985ab077443f9574121914e
   languageName: node
   linkType: hard