
Commit dd8a092

fix(deps): Update dependency ajv to v8.18.0 [SECURITY] (#346)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ajv](https://ajv.js.org) ([source](https://redirect.github.com/ajv-validator/ajv)) | dependencies | minor | [`8.17.1` -> `8.18.0`](https://renovatebot.com/diffs/npm/ajv/8.17.1/8.18.0) |

### GitHub Vulnerability Alerts

#### [CVE-2025-69873](https://nvd.nist.gov/vuln/detail/CVE-2025-69873)

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `"^(a|a)*$"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data: true` for dynamic schema validation.

---

### Release Notes

<details>
<summary>ajv-validator/ajv (ajv)</summary>

### [`v8.18.0`](https://redirect.github.com/ajv-validator/ajv/releases/tag/v8.18.0)

[Compare Source](https://redirect.github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0)

#### What's Changed

- feat: allow tree-shaking by adding `"sideEffects": false` to `package.json` by [@josdejong](https://redirect.github.com/josdejong) in [https://github.com/ajv-validator/ajv/pull/2480](https://redirect.github.com/ajv-validator/ajv/pull/2480)
- fix: [#2482](https://redirect.github.com/ajv-validator/ajv/issues/2482) Infinity and NaN serialise to null by [@jasoniangreen](https://redirect.github.com/jasoniangreen) in [https://github.com/ajv-validator/ajv/pull/2487](https://redirect.github.com/ajv-validator/ajv/pull/2487)
- fix: small grammatical error in managing-schemas.md by [@monteiro-renato](https://redirect.github.com/monteiro-renato) in [https://github.com/ajv-validator/ajv/pull/2508](https://redirect.github.com/ajv-validator/ajv/pull/2508)
- fix: typos in schema-language.md by [@monteiro-renato](https://redirect.github.com/monteiro-renato) in [https://github.com/ajv-validator/ajv/pull/2507](https://redirect.github.com/ajv-validator/ajv/pull/2507)
- fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by [@epoberezkin](https://redirect.github.com/epoberezkin) in [https://github.com/ajv-validator/ajv/pull/2586](https://redirect.github.com/ajv-validator/ajv/pull/2586)

#### New Contributors

- [@josdejong](https://redirect.github.com/josdejong) made their first contribution in [https://github.com/ajv-validator/ajv/pull/2480](https://redirect.github.com/ajv-validator/ajv/pull/2480)
- [@monteiro-renato](https://redirect.github.com/monteiro-renato) made their first contribution in [https://github.com/ajv-validator/ajv/pull/2508](https://redirect.github.com/ajv-validator/ajv/pull/2508)

**Full Changelog**: ajv-validator/ajv@v8.17.1...v8.18.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
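The `$data` flow the advisory describes (pattern string resolved from instance data, then handed to `RegExp()`), modelled as an added JavaScript example that is not ajv's own code: a simplified relative-JSON-Pointer resolver and a `pattern` check whose regex engine is a pluggable hook, which is where the fix above ("use configured RegExp engine") puts the control. The allowlist engine is an assumed stand-in for a safe engine an application would plug into ajv's `code.regExp` option.

```javascript
// Added illustration, not ajv's own source: a minimal model of a `pattern`
// keyword that honours `$data`, showing why the regex engine hook (ajv calls
// it the `code.regExp` option) is where a policy must be enforced.

// Resolve a relative JSON Pointer like "1/allowedFormat": go up N levels from
// the value under validation, then follow the remaining path segments.
function resolveData(ref, instance, path) {
  const [levels, ...segments] = ref.split("/");
  let node = instance;
  for (const key of path.slice(0, path.length - Number(levels))) node = node[key];
  for (const key of segments) node = node == null ? undefined : node[key];
  return node;
}

// Default engine: whatever string the data supplies reaches RegExp() unchanged.
const defaultEngine = (pattern, flags) => new RegExp(pattern, flags);

// Hardened engine (assumed policy): only patterns the application registered
// up front are ever compiled; a pattern arriving via $data that is not on the
// list is refused before RegExp() sees it.
function allowlistEngine(allowed) {
  const compiled = new Map(allowed.map((p) => [p, new RegExp(p, "u")]));
  return (pattern) => {
    const re = compiled.get(pattern);
    if (!re) throw new Error("pattern not in allowlist");
    return re;
  };
}

// Validate the value at `path` against schema.pattern, which is either a
// literal string or a { $data: "<relative pointer>" } reference.
function validatePattern(schema, instance, path, engine) {
  const value = path.reduce((node, key) => node[key], instance);
  if (typeof value !== "string") return { valid: true }; // pattern only constrains strings
  const pattern = schema.pattern && schema.pattern.$data !== undefined
    ? resolveData(schema.pattern.$data, instance, path)
    : schema.pattern;
  if (typeof pattern !== "string") return { valid: false, error: "pattern must resolve to a string" };
  let re;
  try {
    re = engine(pattern, "u");
  } catch (err) {
    return { valid: false, error: err.message };
  }
  return { valid: re.test(value) };
}
```

With `defaultEngine` the document itself decides which regex is compiled; with `allowlistEngine` a data-supplied pattern outside the registered set fails validation instead of reaching the backtracking engine.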
1 parent 6354891 commit dd8a092

File tree

1 file changed: +3 -3 lines changed


package-lock.json

Lines changed: 3 additions & 3 deletions

0 commit comments
