Update dependency ajv to v8 [SECURITY]#98

Open

renovate[bot] wants to merge 1 commit intodevelopfrom

renovate/npm-ajv-vulnerability

Contributor

renovate bot commented Feb 18, 2026 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
ajv (source)	`^7.1.0` → `^8.0.0`

GitHub Vulnerability Alerts

CVE-2025-69873

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Release Notes

ajv-validator/ajv (ajv)

`v8.18.0`

What's Changed

feat: allow tree-shaking by adding "sideEffects": false to package.json by @josdejong in #2480
fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in #2487
fix: small grammatical error in managing-schemas.md by @monteiro-renato in #2508
fix: typos in schema-language.md by @monteiro-renato in #2507
fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in #2586

New Contributors

@josdejong made their first contribution in #2480
@monteiro-renato made their first contribution in #2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

`v8.17.1`

What's Changed

bump version to 8.17.1 by @jasoniangreen in #2472

Full Changelog: ajv-validator/ajv@v8.17.0...v8.17.1

Plus everything in 8.17.0 which failed to release

The only functional change is to switch from uri-js (which is no longer supported), to fast-uri. This is the second attempt and the team on fast-uri have been really helpful addressing the issues we found last time.

Revert "Revert fast-uri change (#2444)" by @gurgunday in #2448
fix: ignore new eslint error for @typescript-eslint/no-extraneous-class by @jasoniangreen in #2455
docs: clarify behaviour of addVocabulary by @jasoniangreen in #2454
docs: refactor to improve legibility by @blottn in #2432
Fix grammatical typo in managing-schemas.md by @wetneb in #2305
docs: Fix broken strict-mode link by @alexanderjsx in #2459
feat: add test for encoded refs and bump fast-uri by @jasoniangreen in #2449
fix: changes for @typescript-eslint/array-type rule by @jasoniangreen in #2467
fixes #2217 - clarify custom keyword naming by @jasoniangreen in #2457

`v8.16.0`

What's Changed

Revert fast-uri change by @jasoniangreen in #2444

Full Changelog: ajv-validator/ajv@v8.15.0...v8.16.0

`v8.15.0`

What's Changed

Replace uri-js with fast-uri by @vixalien in #2415
Bump to 8.15.0 by @jasoniangreen in #2442

New Contributors

@vixalien made their first contribution in #2415

Full Changelog: ajv-validator/ajv@v8.14.0...v8.15.0

`v8.14.0`

What's Changed

readme: build badge by @epoberezkin in #2424
Update workflows by @rotu in #2410
docs: add warning to maxLength / minLength by @jasoniangreen in #2428
fix: broken link in docs warning by @jasoniangreen in #2431
compileAsync a schema with discriminator and $ref, fixes #2427 by @jasoniangreen in #2433
bump version to 8.14.0 for publishing by @jasoniangreen in #2440

New Contributors

@rotu made their first contribution in #2410

Full Changelog: ajv-validator/ajv@v8.13.0...v8.14.0

`v8.13.0`

add named exports
update dependencies
update node.js

`v8.12.0`

fix JTD serialisation (remove leading comma in objects with only optional properties) (#2190, @piliugin-anton)
empty JTD "values" schema (#2191)
empty object to work with JTD utility type (#2158, @erikbrinkman)
fix JTD "discriminator" schema for objects with more than 8 properties (#2194)
correctly narrow "number" type to "integer" (#2192, @JacobLey)
update Node.js versions in CI to 14, 16, 18 and 19

`v8.11.2`

Update dependencies

Export ValidationError and MissingRefError (#1840, @dannyb648)

`v8.11.1`

Update dependencies

Export ValidationError and MissingRefError (#1840, @dannyb648)

`v8.11.0`

Use root schemaEnv when resolving references in oneOf (#1901, @asprouse)

Only use equal function in generated code when it is used (#1922, @bhvngt)

`v8.10.0`

uriResolver option (@zekth, #1862)

`v8.9.0`

Option code.esm to generate ESM exports for standalone validation functions (@rehanvdm, #1861)
Support discriminator keyword with $ref in oneOf subschemas (@dfeufel, #1815)

`v8.8.2`

Use full RegExp string (with flags) as cache key, related to ajv-validator/ajv-keywords#220

`v8.8.1`

Fix minContains: 0 (#1819)

`v8.8.0`

Fix browser bundles in cdnjs
regExp option allowing to specify alternative RegExp engine, e.g. re2 (@efebarlas)

`v8.7.1`

Publish Ajv bundle for JSON Schema 2020-12 to cdnjs.com

`v8.7.0`

Update JSON Schema Test Suite.
Change minContains: 0 now correctly allows empty array.

`v8.6.3`

Fix $ref resolution for schemas without $id (@rbuckton, #1725)
Support standalone module import from ESM modules without using .default property (@bhvngt, #1757)
Update code for breaking TS change - error in catch has type unknown (#1760)

`v8.6.2`

Fix JTD serialiser (#1691)

`v8.6.1`

Fix "not" keyword preventing validation of "allOf" and some other keywords (#1668)

`v8.6.0`

Track evaluated properties with patternProperties that have always valid schemas (e.g., true) (@P0lip, #1626)
Option int32range to disable number range checking for int32 and uint32 type in JTD schemas

`v8.5.0`

Optimize validation code for const keyword with scalar values (@SoAsEr, #1561)
Add option schemaId to support ajv-draft-04 - Ajv for JSON Schema drat-04.

`v8.4.0`

JSON Type Definition schema options:

parseDate: parse timestamp type as Date objects.
allowDate: non-standard - allow date without time with timestamp type.

`v8.3.0`

Typescript improvements:

better error reporting for JSONSchemaType in case strictNullChecks option is disabled (@erikbrinkman, #1583)
support missed boolean type in JTDDataType (@m00s, #1587)
JTD timestamp validation option (@jrr, #1584).
Docs corrections.

`v8.2.0`

Add JTDDataType to compile signature (@erikbrinkman, #1547)
Improve JSONSchemaType for records (@erikbrinkman, #1564)
Use rollup for browser bundles (@realityking, #1533)
Docs corrections

`v8.1.0`

unicodeRegExp option to not use RegExp unicode flag that may be incompatible with some environments (@asaid-0, #1530)
Fix JSONSchemaType (@erikbrinkman, #1541)
Extended error message for invalid keyword values (@pcwiek, #1542)

`v8.0.5`

Fix: add source code back to npm package, 8.0.4 is breaking ajv-cli (and possibly other things)

`v8.0.4`

Reduce npm bundle size

`v8.0.3`

Improve JSONSchemaType errors (@erikbrinkman, #1525)

`v8.0.2`

Support RegExp formats in standalone code (#1470)
Add schema path to strictTuple error message (@asaid-0, #1519)

`v8.0.1`

Typescript: export function getData (for ajv-errors)

`v8.0.0`

This document describes changes from v7.2.4 to v8.0.0.

If you are migrating from v6 you can use this document.

New features

Support JSON Schema draft-2020-12: prefixItems keyword and changed semantics of items keyword, dynamic recursive references.
OpenAPI discriminator keyword.
Improved JSON Type Definition support:

errors consistent with JTD specification.
error objects with additional properties to simplify error handling (see Error objects)
internationalized error messages with ajv-i18n
TypeScript: support type unions in JSONSchemaType

Other changes / improvements

Node.js require works without .default property - see examples in Getting started
Reduce runtime dependency for standalone validation code
Fix resolution of $ref: "#" when $id is present (#815)

Breaking changes

Option strict controls all strict mode restrictions
JSON Schema validation errors changes:

dataPath property replaced with instancePath
"should" replaced with "must" in the messages
property name is removed from "propertyName" keyword error message (it is still available in error.params.propertyName).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot changed the title ~~Update dependency ajv to v8 [SECURITY]~~ Update dependency ajv to v8 [SECURITY] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-ajv-vulnerability branch

February 20, 2026 22:31

renovate bot changed the title ~~Update dependency ajv to v8 [SECURITY] - autoclosed~~ Update dependency ajv to v8 [SECURITY]

renovate bot reopened this

renovate bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from 515787a to f7b983d Compare

February 22, 2026 18:12

renovate bot changed the title ~~Update dependency ajv to v8 [SECURITY]~~ Update dependency ajv to v8 [SECURITY] - autoclosed

renovate bot closed this


          Update dependency ajv to v8 [SECURITY]

0e9f6dd

renovate bot changed the title ~~Update dependency ajv to v8 [SECURITY] - autoclosed~~ Update dependency ajv to v8 [SECURITY]

renovate bot reopened this

renovate bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from f7b983d to 0e9f6dd Compare

February 24, 2026 21:02

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet