Skip to content

chore(deps): update dependency validator to v13.15.22 [security]#294

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-validator-vulnerability
Open

chore(deps): update dependency validator to v13.15.22 [security]#294
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-validator-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Oct 27, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change OpenSSF
validator dependencies minor 13.12.013.15.22 OpenSSF Scorecard

validator.js has a URL validation bypass vulnerability in its isURL function

CVE-2025-56200 / GHSA-9965-vmph-33xx

More information

Details

A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements

CVE-2025-12758 / GHSA-vghf-hv5q-vc2g

More information

Details

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

Severity

  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

validatorjs/validator.js (validator)

v13.15.22

Compare Source

Fixes, New Locales and Enhancements

v13.15.20

Compare Source

Fixes, New Locales and Enhancements

v13.15.15

Compare Source

Fixes, New Locales and Enhancements

v13.15.0

Compare Source

New Features / Validators
Fixes, New Locales and Enhancements

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Dependency updates label Oct 27, 2025
@renovate
renovate Bot enabled auto-merge October 27, 2025 15:59
@vercel

vercel Bot commented Oct 27, 2025

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
screamer Error Error Apr 27, 2026 9:32pm

@codecov

codecov Bot commented Oct 27, 2025

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 23.44%. Comparing base (7301303) to head (74f4d19).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #294   +/-   ##
=======================================
  Coverage   23.44%   23.44%           
=======================================
  Files          53       53           
  Lines         499      499           
  Branches       69       69           
=======================================
  Hits          117      117           
+ Misses        382      362   -20     
- Partials        0       20   +20     
Flag Coverage Δ
jest 16.83% <ø> (ø)
storybook 93.02% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate
renovate Bot force-pushed the renovate/npm-validator-vulnerability branch from 69bacdb to 49c0991 Compare December 2, 2025 20:51
@renovate renovate Bot changed the title chore(deps): update dependency validator to v13.15.20 [security] chore(deps): update dependency validator to v13.15.22 [security] Dec 2, 2025
@renovate renovate Bot changed the title chore(deps): update dependency validator to v13.15.22 [security] chore(deps): update dependency validator to v13.15.22 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 00:44

Pull request was closed

@renovate
renovate Bot deleted the renovate/npm-validator-vulnerability branch March 27, 2026 00:44
@renovate renovate Bot changed the title chore(deps): update dependency validator to v13.15.22 [security] - autoclosed chore(deps): update dependency validator to v13.15.22 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate
renovate Bot force-pushed the renovate/npm-validator-vulnerability branch 2 times, most recently from 49c0991 to af9b59d Compare March 30, 2026 17:44
@renovate renovate Bot changed the title chore(deps): update dependency validator to v13.15.22 [security] chore(deps): update dependency validator to v13.15.22 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency validator to v13.15.22 [security] - autoclosed chore(deps): update dependency validator to v13.15.22 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate
renovate Bot force-pushed the renovate/npm-validator-vulnerability branch 2 times, most recently from af9b59d to 74f4d19 Compare April 27, 2026 21:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependency updates

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants