chore(deps): bump ajv from 6.12.6 to 6.14.0 in the npm_and_yarn group across 1 directory#1634
chore(deps): bump ajv from 6.12.6 to 6.14.0 in the npm_and_yarn group across 1 directory#1634dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
dependabot
bot
added
dependencies
dependabot
bot
added
dependencies
|
Bumps the npm_and_yarn group with 1 update in the / directory: [ajv](https://github.com/ajv-validator/ajv). Updates `ajv` from 6.12.6 to 6.14.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.14.0) --- updated-dependencies: - dependency-name: ajv dependency-version: 6.14.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/npm_and_yarn-f1bf2b0a19
branch
from
5213614 to
5cb18df
Compare
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
| runtimeShared: | ||
| '@cfworker/json-schema': ^4.1.1 | ||
| ajv: ^8.17.1 | ||
| ajv: ^6.14.0 |
There was a problem hiding this comment.
🔴 This PR downgrades the direct catalog dependency from ajv: ^8.17.1 to ajv: ^6.14.0 — a major version regression, not the transitive patch bump the title describes. The build will break because packages/core/src/validators/ajvProvider.ts (and two other files) use the v8-only named import import { Ajv } from 'ajv' and v8-only constructor options (strict, validateFormats), and ajv-formats@3.0.1 declares ajv: ^8.0.0 as a peer dependency. Additionally, the vulnerable transitive ajv@6.12.6 (from @eslint/eslintrc) remains in the lockfile unchanged, so this PR doesn't fix the CVE either — it should be closed and Dependabot reconfigured.
Extended reasoning...
What the bug is
Dependabot's PR title claims to bump ajv from 6.12.6 → 6.14.0 — i.e., a minor security-patch bump of the transitive dependency pulled in by @eslint/eslintrc. However, the actual diff does something entirely different: it changes the direct catalog entry in pnpm-workspace.yaml from ajv: ^8.17.1 to ajv: ^6.14.0. This is a two-major-version downgrade of the version the application code actually imports. Dependabot appears to have confused the transitive v6 dependency (used only by eslint tooling) with the direct v8 dependency (used by the SDK's runtime validator).
Step-by-step proof it breaks the build
-
Named import fails.
packages/core/src/validators/ajvProvider.ts:5reads:import { Ajv } from 'ajv';
In ajv v8,
Ajvis exposed as a named export. In ajv v6, the class is the default export only (import Ajv from 'ajv'). With the catalog now resolving to6.14.0, TypeScript will fail with "Module '"ajv"' has no exported member 'Ajv'". The same import pattern appears inpackages/core/src/validators/ajvProvider.examples.ts:10andexamples/client/src/simpleStreamableHttp.ts:21. -
Constructor options are v8-only.
ajvProvider.ts:11-16constructs the instance:new Ajv({ strict: false, validateFormats: true, validateSchema: false, allErrors: true })
The
strictandvalidateFormatsoptions were introduced in ajv v7/v8. The v6Optionsinterface does not declare them, so understrict: trueTS config they produce an excess-property error; even if they compiled, v6 would silently ignore them, altering runtime validation semantics. -
Peer-dependency violation.
ajv-formats@3.0.1declares"ajv": "^8.0.0"as its peer dependency. The lockfile now pairs it withajv@6.14.0(lineajv-formats@3.0.1(ajv@6.14.0)), which is outside the supported range.addFormats(ajv)atajvProvider.ts:19expects a v8 instance and its internal plugin registration hooks do not exist on v6 — this would throw or no-op at runtime.
The security fix isn't applied anyway
The actual vulnerable package is the transitive ajv@6.12.6 pulled in by @eslint/eslintrc (a dev-time dependency). The lockfile diff shows this entry is still present after the change:
ajv@6.12.6:
resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+...}
The PR only adds a new ajv@6.14.0 entry that feeds the catalog consumers. So even setting aside the build breakage, the PR fails at its stated goal.
Why existing guards don't catch it
The ajv-formats peer dependency check would surface as a pnpm install warning, but pnpm warnings don't fail installs by default, and Dependabot doesn't run the TypeScript build. CI typechecking/tests would catch the named-import failure, but the PR should not be merged regardless.
How to fix
Close this PR. To patch the transitive CVE, use a pnpm.overrides entry in the root package.json:
"pnpm": { "overrides": { "ajv@<6.14.0": "^6.14.0" } }or bump @eslint/eslintrc (via eslint) to a version that depends on a patched ajv. The catalog entry for the direct dependency should remain at ^8.17.1.
Bumps the npm_and_yarn group with 1 update in the / directory: ajv.
Updates
ajvfrom 6.12.6 to 6.14.0Commits
e3af0a76.14.0b552ed6add regExp option to address $data exploit via a regular expression (CVE-2025...72f2286docs: update v7 info231e52bMerge pull request #1320 from philsturgeon/patch-1d3475fcAdd spectral, an AJV util from a sponsor413afe0docs: v7.0.0-beta.311e997bupdate readme for v7Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.