Skip to content

chore: update ajv to 8.20.0 and pin fast-uri to fix high severity CVEs#33

Merged
danielmrdjanov merged 1 commit into
masterfrom
chore/update-ajv
May 15, 2026
Merged

chore: update ajv to 8.20.0 and pin fast-uri to fix high severity CVEs#33
danielmrdjanov merged 1 commit into
masterfrom
chore/update-ajv

Conversation

@danielmrdjanov

Copy link
Copy Markdown
Collaborator

Summary

  • Bumps ajv from 8.18.08.20.0
  • Adds pnpm.overrides to pin fast-uri >= 3.1.2, resolving two high-severity
    vulnerabilities in the transitive dependency

Security advisories fixed

CVE Package Vulnerable Patched Description
GHSA-q3j6-ggpj-74h6 fast-uri <= 3.1.0 >= 3.1.1 Path traversal via percent-encoded dot segments
GHSA-v39h-62p7-jpjc fast-uri <= 3.1.1 >= 3.1.2 Host confusion via percent-encoded authority delimiters

Why the override?

ajv@8.20.0 still declares fast-uri: ^3.0.1, which includes the vulnerable
range. The pnpm.overrides entry forces resolution to >= 3.1.2 across the
entire dependency tree and can be removed once ajv tightens its own range.

Validation

  • pnpm audit → no known vulnerabilities found
  • All 344 tests pass

@danielmrdjanov danielmrdjanov enabled auto-merge (squash) May 15, 2026 21:59
@danielmrdjanov danielmrdjanov disabled auto-merge May 15, 2026 21:59
@danielmrdjanov danielmrdjanov merged commit fdd6264 into master May 15, 2026
2 checks passed
@danielmrdjanov danielmrdjanov deleted the chore/update-ajv branch May 15, 2026 22:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant