Update dependency ajv to v8.18.0 [SECURITY]#436

Open

renovate[bot] wants to merge 1 commit into

mainfrom

renovate/npm-ajv-vulnerability

Contributor

renovate Bot commented Feb 17, 2026 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
ajv (source)	`8.6.3` → `8.18.0`

ajv has ReDoS when using `$data` option

CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6

More information

Details

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Severity

CVSS Score: 5.5 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

ajv-validator/ajv (ajv)

`v8.18.0`

What's Changed

feat: allow tree-shaking by adding "sideEffects": false to package.json by @josdejong in #2480
fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in #2487
fix: small grammatical error in managing-schemas.md by @monteiro-renato in #2508
fix: typos in schema-language.md by @monteiro-renato in #2507
fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in #2586

New Contributors

@josdejong made their first contribution in #2480
@monteiro-renato made their first contribution in #2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

`v8.17.1`

What's Changed

bump version to 8.17.1 by @jasoniangreen in #2472

Full Changelog: ajv-validator/ajv@v8.17.0...v8.17.1

Plus everything in 8.17.0 which failed to release

The only functional change is to switch from uri-js (which is no longer supported), to fast-uri. This is the second attempt and the team on fast-uri have been really helpful addressing the issues we found last time.

Revert "Revert fast-uri change (#2444)" by @gurgunday in #2448
fix: ignore new eslint error for @typescript-eslint/no-extraneous-class by @jasoniangreen in #2455
docs: clarify behaviour of addVocabulary by @jasoniangreen in #2454
docs: refactor to improve legibility by @blottn in #2432
Fix grammatical typo in managing-schemas.md by @wetneb in #2305
docs: Fix broken strict-mode link by @alexanderjsx in #2459
feat: add test for encoded refs and bump fast-uri by @jasoniangreen in #2449
fix: changes for @typescript-eslint/array-type rule by @jasoniangreen in #2467
fixes #2217 - clarify custom keyword naming by @jasoniangreen in #2457

`v8.16.0`

What's Changed

Revert fast-uri change by @jasoniangreen in #2444

Full Changelog: ajv-validator/ajv@v8.15.0...v8.16.0

`v8.15.0`

What's Changed

Replace uri-js with fast-uri by @vixalien in #2415
Bump to 8.15.0 by @jasoniangreen in #2442

New Contributors

@vixalien made their first contribution in #2415

Full Changelog: ajv-validator/ajv@v8.14.0...v8.15.0

`v8.14.0`

What's Changed

readme: build badge by @epoberezkin in #2424
Update workflows by @rotu in #2410
docs: add warning to maxLength / minLength by @jasoniangreen in #2428
fix: broken link in docs warning by @jasoniangreen in #2431
compileAsync a schema with discriminator and $ref, fixes #2427 by @jasoniangreen in #2433
bump version to 8.14.0 for publishing by @jasoniangreen in #2440

New Contributors

@rotu made their first contribution in #2410

Full Changelog: ajv-validator/ajv@v8.13.0...v8.14.0

`v8.13.0`

add named exports
update dependencies
update node.js

`v8.12.0`

fix JTD serialisation (remove leading comma in objects with only optional properties) (#2190, @piliugin-anton)
empty JTD "values" schema (#2191)
empty object to work with JTD utility type (#2158, @erikbrinkman)
fix JTD "discriminator" schema for objects with more than 8 properties (#2194)
correctly narrow "number" type to "integer" (#2192, @JacobLey)
update Node.js versions in CI to 14, 16, 18 and 19

`v8.11.2`

Update dependencies

Export ValidationError and MissingRefError (#1840, @dannyb648)

`v8.11.1`

Update dependencies

Export ValidationError and MissingRefError (#1840, @dannyb648)

`v8.11.0`

Use root schemaEnv when resolving references in oneOf (#1901, @asprouse)

Only use equal function in generated code when it is used (#1922, @bhvngt)

`v8.10.0`

uriResolver option (@zekth, #1862)

`v8.9.0`

Option code.esm to generate ESM exports for standalone validation functions (@rehanvdm, #1861)
Support discriminator keyword with $ref in oneOf subschemas (@dfeufel, #1815)

`v8.8.2`

Use full RegExp string (with flags) as cache key, related to ajv-validator/ajv-keywords#220

`v8.8.1`

Fix minContains: 0 (#1819)

`v8.8.0`

Fix browser bundles in cdnjs
regExp option allowing to specify alternative RegExp engine, e.g. re2 (@efebarlas)

`v8.7.1`

Publish Ajv bundle for JSON Schema 2020-12 to cdnjs.com

`v8.7.0`

Update JSON Schema Test Suite.
Change minContains: 0 now correctly allows empty array.

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Contributor Author

renovate Bot commented Feb 17, 2026 •

edited

Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm WARN config optional Use `--omit=optional` to exclude optional dependencies, or
npm WARN config `--include=optional` to include them.
npm WARN config 
npm WARN config     Default value does install optional deps unless otherwise omitted.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: ajv-keywords@3.5.2
npm WARN Found: ajv@8.18.0
npm WARN node_modules/ajv
npm WARN   dev ajv@"8.18.0" from the root project
npm WARN   1 more (table)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer ajv@"^6.9.1" from ajv-keywords@3.5.2
npm WARN node_modules/ajv-keywords
npm WARN   ajv-keywords@"^3.5.2" from schema-utils@3.0.0
npm WARN   node_modules/copy-webpack-plugin/node_modules/schema-utils
npm WARN   3 more (schema-utils, schema-utils, schema-utils)
npm WARN 
npm WARN Conflicting peer dependency: ajv@6.15.0
npm WARN node_modules/ajv
npm WARN   peer ajv@"^6.9.1" from ajv-keywords@3.5.2
npm WARN   node_modules/ajv-keywords
npm WARN     ajv-keywords@"^3.5.2" from schema-utils@3.0.0
npm WARN     node_modules/copy-webpack-plugin/node_modules/schema-utils
npm WARN     3 more (schema-utils, schema-utils, schema-utils)
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: jest-puppeteer@5.0.4
npm ERR! Found: puppeteer@13.1.2
npm ERR! node_modules/puppeteer
npm ERR!   dev puppeteer@"13.1.2" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer puppeteer@">= 1.5.0 < 10" from jest-puppeteer@5.0.4
npm ERR! node_modules/jest-puppeteer
npm ERR!   dev jest-puppeteer@"5.0.4" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: puppeteer@9.1.1
npm ERR! node_modules/puppeteer
npm ERR!   peer puppeteer@">= 1.5.0 < 10" from jest-puppeteer@5.0.4
npm ERR!   node_modules/jest-puppeteer
npm ERR!     dev jest-puppeteer@"5.0.4" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-05-18T11_11_24_682Z-debug-0.log

renovate Bot changed the title ~~Update dependency ajv to v8.18.0 [SECURITY]~~ Update dependency ajv to v8.18.0 [SECURITY] - autoclosed

renovate Bot closed this

renovate Bot deleted the renovate/npm-ajv-vulnerability branch

February 20, 2026 21:01

renovate Bot changed the title ~~Update dependency ajv to v8.18.0 [SECURITY] - autoclosed~~ Update dependency ajv to v8.18.0 [SECURITY]

renovate Bot reopened this

renovate Bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from d95475e to 3517ab7 Compare

February 22, 2026 16:37

renovate Bot changed the title ~~Update dependency ajv to v8.18.0 [SECURITY]~~ Update dependency ajv to v8.18.0 [SECURITY] - autoclosed

renovate Bot closed this


          Update dependency ajv to v8.18.0 [SECURITY]

2ebf9da

renovate Bot changed the title ~~Update dependency ajv to v8.18.0 [SECURITY] - autoclosed~~ Update dependency ajv to v8.18.0 [SECURITY]

renovate Bot reopened this

renovate Bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from 3517ab7 to 2ebf9da Compare

March 30, 2026 18:35

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet