Skip to content

Commit 2038ffe

Browse files
renovate[bot]renovate[bot]
authored
chore(deps): update dependency ajv to v8.18.0 [security] (#428)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---|---| | [ajv](https://ajv.js.org) ([source](https://redirect.github.com/ajv-validator/ajv)) | [`8.17.1` → `8.18.0`](https://renovatebot.com/diffs/npm/ajv/8.17.1/8.18.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/ajv/8.18.0?slim=true) | ![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ajv/8.18.0?slim=true) | ![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ajv/8.17.1/8.18.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ajv/8.17.1/8.18.0?slim=true) | ### GitHub Vulnerability Alerts #### [CVE-2025-69873](https://nvd.nist.gov/vuln/detail/CVE-2025-69873) ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\"^(a|a)*$\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation. --- ### Release Notes <details> <summary>ajv-validator/ajv (ajv)</summary> ### [`v8.18.0`](https://redirect.github.com/ajv-validator/ajv/releases/tag/v8.18.0) [Compare Source](https://redirect.github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0) #### What's Changed - feat: allow tree-shaking by adding `"sideEffects": false` to `package.json` by [@&#8203;josdejong](https://redirect.github.com/josdejong) in [#&#8203;2480](https://redirect.github.com/ajv-validator/ajv/pull/2480) - fix: [#&#8203;2482](https://redirect.github.com/ajv-validator/ajv/issues/2482) Infinity and NaN serialise to null by [@&#8203;jasoniangreen](https://redirect.github.com/jasoniangreen) in [#&#8203;2487](https://redirect.github.com/ajv-validator/ajv/pull/2487) - fix: small grammatical error in managing-schemas.md by [@&#8203;monteiro-renato](https://redirect.github.com/monteiro-renato) in [#&#8203;2508](https://redirect.github.com/ajv-validator/ajv/pull/2508) - fix: typos in schema-language.md by [@&#8203;monteiro-renato](https://redirect.github.com/monteiro-renato) in [#&#8203;2507](https://redirect.github.com/ajv-validator/ajv/pull/2507) - fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by [@&#8203;epoberezkin](https://redirect.github.com/epoberezkin) in [#&#8203;2586](https://redirect.github.com/ajv-validator/ajv/pull/2586) #### New Contributors - [@&#8203;josdejong](https://redirect.github.com/josdejong) made their first contribution in [#&#8203;2480](https://redirect.github.com/ajv-validator/ajv/pull/2480) - [@&#8203;monteiro-renato](https://redirect.github.com/monteiro-renato) made their first contribution in [#&#8203;2508](https://redirect.github.com/ajv-validator/ajv/pull/2508) **Full Changelog**: <ajv-validator/ajv@v8.17.1...v8.18.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/mnahkies/openapi-code-generator). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMi4wIiwidXBkYXRlZEluVmVyIjoiNDMuMjIuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent ba7aba4 commit 2038ffe

File tree

2 files changed

+29
-13
lines changed

2 files changed

+29
-13
lines changed

pnpm-lock.yaml

Lines changed: 27 additions & 13 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

pnpm-workspace.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,8 @@ minimumReleaseAgeExclude:
2727
- axios@1.13.5
2828
- tar@7.5.8
2929
- qs@6.14.2
30+
# Renovate security update: ajv@8.18.0
31+
- ajv@8.18.0
3032

3133
nodeOptions: ${NODE_OPTIONS:- } --experimental-vm-modules
3234

0 commit comments

Comments
 (0)