fix(deps): update dependency ajv to ~8.18.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
ajv (source)	~8.5.0 → ~8.18.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

ajv has ReDoS when using $data option

CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6

More information

Details

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-69873
• https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
• https://github.com/ajv-validator/ajv/pull/2586
• https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5
• https://github.com/ajv-validator/ajv/releases/tag/v8.18.0
• https://github.com/ajv-validator/ajv/pull/2588
• https://github.com/ajv-validator/ajv/releases/tag/v6.14.0
• https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
• https://github.com/ajv-validator/ajv/pull/2590
• https://github.com/github/advisory-database/pull/6991

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

ajv-validator/ajv (ajv)

v8.18.0

Compare Source

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in #​2480
• fix: #​2482 Infinity and NaN serialise to null by @​jasoniangreen in #​2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in #​2508
• fix: typos in schema-language.md by @​monteiro-renato in #​2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in #​2586

New Contributors

• @​josdejong made their first contribution in #​2480
• @​monteiro-renato made their first contribution in #​2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

v8.17.1

Compare Source

What's Changed

• bump version to 8.17.1 by @​jasoniangreen in #​2472

Full Changelog: ajv-validator/ajv@v8.17.0...v8.17.1

Plus everything in 8.17.0 which failed to release

The only functional change is to switch from uri-js (which is no longer supported), to fast-uri. This is the second attempt and the team on fast-uri have been really helpful addressing the issues we found last time.

Revert "Revert fast-uri change (#​2444)" by @​gurgunday in #​2448
fix: ignore new eslint error for @​typescript-eslint/no-extraneous-class by @​jasoniangreen in #​2455
docs: clarify behaviour of addVocabulary by @​jasoniangreen in #​2454
docs: refactor to improve legibility by @​blottn in #​2432
Fix grammatical typo in managing-schemas.md by @​wetneb in #​2305
docs: Fix broken strict-mode link by @​alexanderjsx in #​2459
feat: add test for encoded refs and bump fast-uri by @​jasoniangreen in #​2449
fix: changes for @​typescript-eslint/array-type rule by @​jasoniangreen in #​2467
fixes #​2217 - clarify custom keyword naming by @​jasoniangreen in #​2457

v8.16.0

Compare Source

What's Changed

• Revert fast-uri change by @​jasoniangreen in #​2444

Full Changelog: ajv-validator/ajv@v8.15.0...v8.16.0

v8.15.0

Compare Source

What's Changed

• Replace uri-js with fast-uri by @​vixalien in #​2415
• Bump to 8.15.0 by @​jasoniangreen in #​2442

New Contributors

• @​vixalien made their first contribution in #​2415

Full Changelog: ajv-validator/ajv@v8.14.0...v8.15.0

v8.14.0

Compare Source

What's Changed

• readme: build badge by @​epoberezkin in #​2424
• Update workflows by @​rotu in #​2410
• docs: add warning to maxLength / minLength by @​jasoniangreen in #​2428
• fix: broken link in docs warning by @​jasoniangreen in #​2431
• compileAsync a schema with discriminator and $ref, fixes #​2427 by @​jasoniangreen in #​2433
• bump version to 8.14.0 for publishing by @​jasoniangreen in #​2440

New Contributors

• @​rotu made their first contribution in #​2410

Full Changelog: ajv-validator/ajv@v8.13.0...v8.14.0

v8.13.0

Compare Source

• add named exports
• update dependencies
• update node.js

v8.12.0

Compare Source

• fix JTD serialisation (remove leading comma in objects with only optional properties) (#​2190, @​piliugin-anton)
• empty JTD "values" schema (#​2191)
• empty object to work with JTD utility type (#​2158, @​erikbrinkman)
• fix JTD "discriminator" schema for objects with more than 8 properties (#​2194)
• correctly narrow "number" type to "integer" (#​2192, @​JacobLey)
• update Node.js versions in CI to 14, 16, 18 and 19

v8.11.2

Compare Source

Update dependencies

Export ValidationError and MissingRefError (#​1840, @​dannyb648)

v8.11.1

Compare Source

Update dependencies

Export ValidationError and MissingRefError (#​1840, @​dannyb648)

v8.11.0

Compare Source

Use root schemaEnv when resolving references in oneOf (#​1901, @​asprouse)

Only use equal function in generated code when it is used (#​1922, @​bhvngt)

v8.10.0

Compare Source

uriResolver option (@​zekth, #​1862)

v8.9.0

Compare Source

Option code.esm to generate ESM exports for standalone validation functions (@​rehanvdm, #​1861)
Support discriminator keyword with $ref in oneOf subschemas (@​dfeufel, #​1815)

v8.8.2

Compare Source

Use full RegExp string (with flags) as cache key, related to ajv-validator/ajv-keywords#220

v8.8.1

Compare Source

Fix minContains: 0 (#​1819)

v8.8.0

Compare Source

Fix browser bundles in cdnjs
regExp option allowing to specify alternative RegExp engine, e.g. re2 (@​efebarlas)

v8.7.1

Compare Source

Publish Ajv bundle for JSON Schema 2020-12 to cdnjs.com

v8.7.0

Compare Source

Update JSON Schema Test Suite.
Change minContains: 0 now correctly allows empty array.

v8.6.3

Compare Source

Fix $ref resolution for schemas without $id (@​rbuckton, #​1725)
Support standalone module import from ESM modules without using .default property (@​bhvngt, #​1757)
Update code for breaking TS change - error in catch has type unknown (#​1760)

v8.6.2

Compare Source

Fix JTD serialiser (#​1691)

v8.6.1

Compare Source

Fix "not" keyword preventing validation of "allOf" and some other keywords (#​1668)

v8.6.0

Compare Source

Track evaluated properties with patternProperties that have always valid schemas (e.g., true) (@​P0lip, #​1626)
Option int32range to disable number range checking for int32 and uint32 type in JTD schemas

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.