
How big is the difference from 1.6.* to 2.* ?

Open StoneCypher opened this issue 4 years ago • 3 comments

One of the dependencies of 1.6.* has a security vulnerability that GitHub constantly warns about. It's not in 2.* - it's disparity.

Unfortunately, the fix to diff was incorrectly applied to disparity as a new major, instead of as a minor, meaning its downstreams aren't updating, so the "fix" isn't in place.

Can a user of 1.6.* use 2.*?

Could ... could I talk you into patching and publishing a new 1.6? It's just a version bump, and nyc / ava are throwing security faults on this.

StoneCypher avatar Dec 24 '19 20:12 StoneCypher

Tree back is diff (patched) ← disparity (patched wrongly) ← concat-stream 1.6

Disparity 2 should have been patched as a 2.* but instead got patched as a 3.*, meaning your package, which should pick it up, doesn't.

[Screenshot attached: Screen Shot 2019-12-24 at 12 33 12 PM]

Even though it's not your fault or problem, a new concat-stream 1.6 that bumped disparity to 3 could solve this immediately.

StoneCypher avatar Dec 24 '19 20:12 StoneCypher
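The mechanism behind the complaint above is the semver caret range: a dependent that declares `^2.x.y` will never resolve to a `3.0.0`, so a fix shipped only as a new major is invisible to everything downstream until each dependent bumps its declared range. The following is an added example, not code from the concat-stream, disparity or diff projects, that implements npm's caret-range rule and resolves a constructed publish list against a declared range. The version numbers (`2.0.0`, `2.0.1`, `3.0.0`, `^2.0.0`) are made up for the illustration and are not the real release history of disparity.

```javascript
// Added example (not from the concat-stream project): why a fix published as a
// new major version does not reach dependents that declare a caret range.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's semver rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  const { major, minor, patch } = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// True when `version` satisfies the caret range `range` (e.g. "^2.0.0").
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// Highest published version that the declared range permits, i.e. what an
// installer would pick; null when nothing in the registry matches.
function resolve(range, published) {
  const ok = published.filter(v => caretAllows(range, v));
  ok.sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed illustration of the thread's situation. These version numbers
// are invented for the example; they are NOT disparity's real releases.
const publishedDisparity = ["2.0.0", "2.0.1", "3.0.0"]; // 3.0.0 stands for the patched release
const declaredRange = "^2.0.0";                         // what an unbumped dependent declares

// Reports whether the patched release can reach a dependent with `range`,
// and the range the dependent would have to declare for it to propagate.
function explainPropagation(range, published, fixedVersion) {
  const resolved = resolve(range, published);
  return {
    resolved,
    fixReaches: resolved !== null && compareVersions(resolved, fixedVersion) >= 0,
    rangeThatWorks: `^${fixedVersion}`,
  };
}

console.log(explainPropagation(declaredRange, publishedDisparity, "3.0.0"));
```

Running it shows the dependent resolving to `2.0.1` with `fixReaches: false`: the audit warning persists even though a fixed release exists, and only a bump of the declared range (here to `^3.0.0`) clears it. Had the fix been published as a `2.x` patch release, the same caret range would have picked it up with no change in the dependent.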

This also throws for documentation.js

Relevant thread from disparity

StoneCypher avatar Dec 24 '19 20:12 StoneCypher

It seems that the only difference was https://github.com/maxogden/concat-stream/commit/a88de2cf17226d5bf35301b59ce532956d26b359. If I had to guess, the major version was bumped because it increased the minimum nodejs version from 0.8 to 6.0.

qm3ster avatar Sep 29 '20 13:09 qm3ster