Transitive vuln: diff@8.0.2 via @microsoft/api-extractor (fix available in jsdiff)

[thomasturrell]

vite-plugin-dts@4.5.4 pulls @microsoft/api-extractor@7.55.2 which resolves to diff@8.0.2 in my install.

There’s a DoS issue in diff’s parsePatch area, fixed upstream in jsdiff PR #649 (merged 7 Jan 2026).

Advisories indicate the fix is in diff@8.0.3+.

Would you consider bumping @microsoft/api-extractor (or otherwise adjusting deps) so installs can pick up the fixed diff?