chore(deps): bump ajv to fix ReDoS in $data option (#5710)

antonis · claude · lucas-zimerman · web-flow · commit a02d765a5c5e · 2026-03-02T16:06:27.000Z
* chore(deps): bump ajv to fix ReDoS vulnerabilities Uses scoped yarn resolutions to bump ajv: - eslint/eslintrc consumers: 6.12.6 → 6.14.0 (fixes alert #423) - appium, detox, expo-dev-launcher: → 8.18.0 (fixes alert #424) Parent-scoped resolutions avoid the unscoped override that would force eslint onto incompatible ajv v8. https://github.com/getsentry/sentry-react-native/security/dependabot/423 https://github.com/getsentry/sentry-react-native/security/dependabot/424 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add ajv-formats scoped resolution to cover remaining vulnerable ajv 8.17.1 ajv-formats@2.1.1 (via appium) depends on ajv@^8.0.0 which was still resolving to vulnerable 8.17.1. Adding a scoped resolution for ajv-formats ensures it also gets ajv 8.18.0. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: LucasZF <lucas-zimerman1@hotmail.com>
diff --git a/package.json b/package.json
@@ -60,6 +60,15 @@
   ],
   "resolutions": {
     "appium-chromedriver@npm:5.6.73/@xmldom/xmldom": "0.8.10",
+    "ajv-formats@npm:2.1.1/ajv": "^8.18.0",
+    "appium@npm:2.4.1/ajv": "^8.18.0",
+    "detox@npm:20.46.0/ajv": "^8.18.0",
+    "expo-dev-launcher@npm:6.0.20/ajv": "^8.18.0",
+    "@eslint/eslintrc@npm:2.1.4/ajv": "^6.14.0",
+    "@eslint/eslintrc@npm:3.3.3/ajv": "^6.14.0",
+    "eslint@npm:8.57.0/ajv": "^6.14.0",
+    "eslint@npm:8.57.1/ajv": "^6.14.0",
+    "eslint@npm:9.39.2/ajv": "^6.14.0",
     "express@npm:4.19.2/path-to-regexp": "0.1.12",
     "axios": "^1.13.5",
     "fast-xml-parser": "^5.3.6",
diff --git a/yarn.lock b/yarn.lock
@@ -13682,39 +13682,27 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ajv@npm:8.12.0":
-  version: 8.12.0
-  resolution: "ajv@npm:8.12.0"
+"ajv@npm:^6.14.0":
+  version: 6.14.0
+  resolution: "ajv@npm:6.14.0"
   dependencies:
     fast-deep-equal: ^3.1.1
-    json-schema-traverse: ^1.0.0
-    require-from-string: ^2.0.2
+    fast-json-stable-stringify: ^2.0.0
+    json-schema-traverse: ^0.4.1
     uri-js: ^4.2.2
-  checksum: 4dc13714e316e67537c8b31bc063f99a1d9d9a497eb4bbd55191ac0dcd5e4985bbb71570352ad6f1e76684fb6d790928f96ba3b2d4fd6e10024be9612fe3f001
-  languageName: node
-  linkType: hard
-
-"ajv@npm:^6.12.4":
-  version: 6.12.6
-  resolution: "ajv@npm:6.12.6"
-  dependencies:
-    fast-deep-equal: "npm:^3.1.1"
-    fast-json-stable-stringify: "npm:^2.0.0"
-    json-schema-traverse: "npm:^0.4.1"
-    uri-js: "npm:^4.2.2"
-  checksum: 874972efe5c4202ab0a68379481fbd3d1b5d0a7bd6d3cc21d40d3536ebff3352a2a1fabb632d4fd2cc7fe4cbdcd5ed6782084c9bbf7f32a1536d18f9da5007d4
+  checksum: 7bb3ea97bb8af52521589079f427e799b6561acaa94f50e13410cb87588c51df8db1afe1157b3e48f1a829269adaa11116e0c2cafe2b998add1523789809a3c5
   languageName: node
   linkType: hard
 
-"ajv@npm:^8.0.0, ajv@npm:^8.11.0, ajv@npm:^8.6.3":
-  version: 8.17.1
-  resolution: "ajv@npm:8.17.1"
+"ajv@npm:^8.18.0":
+  version: 8.18.0
+  resolution: "ajv@npm:8.18.0"
   dependencies:
-    fast-deep-equal: "npm:^3.1.3"
-    fast-uri: "npm:^3.0.1"
-    json-schema-traverse: "npm:^1.0.0"
-    require-from-string: "npm:^2.0.2"
-  checksum: 1797bf242cfffbaf3b870d13565bd1716b73f214bb7ada9a497063aada210200da36e3ed40237285f3255acc4feeae91b1fb183625331bad27da95973f7253d9
+    fast-deep-equal: ^3.1.3
+    fast-uri: ^3.0.1
+    json-schema-traverse: ^1.0.0
+    require-from-string: ^2.0.2
+  checksum: bcdf6c7b040ca488108e2b4e219b31cf9ed478331007d4dd1ed8acc3946dd6b84295817c0f4724207b8dd8589c9966168b2fd4c7f32109d4b8526cdd3743e936
   languageName: node
   linkType: hard
 
