chore(deps): bump ajv from 6.12.6 to 6.14.0 in the npm_and_yarn group across 1 directory #1634
Open: dependabot wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-f1bf2b0a19
🔴 This PR downgrades the direct catalog dependency from `ajv: ^8.17.1` to `ajv: ^6.14.0` — a major version regression, not the transitive patch bump the title describes. The build will break because `packages/core/src/validators/ajvProvider.ts` (and two other files) use the v8-only named import `import { Ajv } from 'ajv'` and v8-only constructor options (`strict`, `validateFormats`), and `ajv-formats@3.0.1` declares `ajv: ^8.0.0` as a peer dependency. Additionally, the vulnerable transitive `ajv@6.12.6` (from `@eslint/eslintrc`) remains in the lockfile unchanged, so this PR doesn't fix the CVE either — it should be closed and Dependabot reconfigured.

Extended reasoning...

What the bug is

Dependabot's PR title claims to bump ajv from `6.12.6 → 6.14.0` — i.e., a minor security-patch bump of the transitive dependency pulled in by `@eslint/eslintrc`. However, the actual diff does something entirely different: it changes the direct catalog entry in `pnpm-workspace.yaml` from `ajv: ^8.17.1` to `ajv: ^6.14.0`. This is a two-major-version downgrade of the version the application code actually imports. Dependabot appears to have confused the transitive v6 dependency (used only by eslint tooling) with the direct v8 dependency (used by the SDK's runtime validator).

Step-by-step proof it breaks the build

Named import fails. `packages/core/src/validators/ajvProvider.ts:5` reads:

In ajv v8, `Ajv` is exposed as a named export. In ajv v6, the class is the default export only (`import Ajv from 'ajv'`). With the catalog now resolving to `6.14.0`, TypeScript will fail with "Module '"ajv"' has no exported member 'Ajv'". The same import pattern appears in `packages/core/src/validators/ajvProvider.examples.ts:10` and `examples/client/src/simpleStreamableHttp.ts:21`.

Constructor options are v8-only. `ajvProvider.ts:11-16` constructs the instance:

The `strict` and `validateFormats` options were introduced in ajv v7/v8. The v6 `Options` interface does not declare them, so under `strict: true` TS config they produce an excess-property error; even if they compiled, v6 would silently ignore them, altering runtime validation semantics.

Peer-dependency violation. `ajv-formats@3.0.1` declares `"ajv": "^8.0.0"` as its peer dependency. The lockfile now pairs it with `ajv@6.14.0` (line `ajv-formats@3.0.1(ajv@6.14.0)`), which is outside the supported range. `addFormats(ajv)` at `ajvProvider.ts:19` expects a v8 instance and its internal plugin registration hooks do not exist on v6 — this would throw or no-op at runtime.

The security fix isn't applied anyway

The actual vulnerable package is the transitive `ajv@6.12.6` pulled in by `@eslint/eslintrc` (a dev-time dependency). The lockfile diff shows this entry is still present after the change:

The PR only adds a new `ajv@6.14.0` entry that feeds the catalog consumers. So even setting aside the build breakage, the PR fails at its stated goal.

Why existing guards don't catch it

The `ajv-formats` peer dependency check would surface as a pnpm install warning, but pnpm warnings don't fail installs by default, and Dependabot doesn't run the TypeScript build. CI typechecking/tests would catch the named-import failure, but the PR should not be merged regardless.

How to fix

Close this PR. To patch the transitive CVE, use a `pnpm.overrides` entry in the root `package.json`:

or bump `@eslint/eslintrc` (via eslint) to a version that depends on a patched ajv. The catalog entry for the direct dependency should remain at `^8.17.1`.
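As an added example that is not part of the review above or of the project's own code, here is a dependency-free pre-merge check for the three problems the review describes (catalog downgrade, unpatched transitive ajv@6, ajv-formats paired with a v6 ajv). It assumes pnpm lockfile keys of the form `ajv@6.12.6:` and `ajv-formats@3.0.1(ajv@6.14.0):` and a workspace catalog line `ajv: ^8.17.1`; the sample inputs below are constructed, not the repository's real files.

```javascript
// Added example, not code from the PR or the project. Scans pnpm-workspace.yaml and
// pnpm-lock.yaml text for the three defects the review describes. Assumes lock keys
// shaped like `ajv@6.12.6:` and `ajv-formats@3.0.1(ajv@6.14.0):` (an assumption).
const major = (v) => Number(v.replace(/^[\^~]/, '').split('.')[0]);

// Numeric "x.y.z" comparison: negative if a < b, 0 if equal, positive if a > b.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns a list of human-readable findings; an empty list means the bump is safe to merge.
function auditAjv(workspaceYaml, lockYaml, patchedV6 = '6.14.0') {
  const findings = new Set(); // Set: a lock lists the same key under packages and snapshots
  // 1. The SDK imports v8-only APIs, so the direct catalog entry must stay on ^8.
  const cat = workspaceYaml.match(/^\s*ajv:\s*['"]?([^\s'"]+)/m);
  if (!cat) findings.add('catalog has no ajv entry');
  else if (major(cat[1]) !== 8) findings.add(`catalog ajv is ${cat[1]}, expected ^8.x`);
  // 2. Any ajv@6.x still resolved in the lock must be at or above the patched release.
  for (const m of lockYaml.matchAll(/^\s*['"]?ajv@(6\.\d+\.\d+)['"]?:/gm)) {
    if (cmpVersion(m[1], patchedV6) < 0) findings.add(`vulnerable ajv@${m[1]} still resolved`);
  }
  // 3. ajv-formats declares a peer of ajv ^8; a snapshot pairing it with v6 violates that.
  for (const m of lockYaml.matchAll(/^\s*['"]?ajv-formats@[\d.]+\((ajv@[\d.]+)\)['"]?:/gm)) {
    if (major(m[1].split('@')[1]) !== 8) findings.add(`ajv-formats resolved against ${m[1]}, peer range is ^8`);
  }
  return [...findings];
}

// Constructed inputs modelling the state this PR would leave behind (not the real files).
const WORKSPACE_AFTER_PR = 'catalog:\n  ajv: ^6.14.0\n  ajv-formats: ^3.0.1\n';
const LOCK_AFTER_PR = [
  'packages:', '  ajv@6.12.6:', '  ajv@6.14.0:', 'snapshots:', '  ajv@6.12.6: {}',
  '  ajv-formats@3.0.1(ajv@6.14.0):', '    dependencies:', '      ajv: 6.14.0',
].join('\n');
// Constructed inputs for the correct fix: catalog stays on ^8, the transitive v6 is patched.
const WORKSPACE_FIXED = 'catalog:\n  ajv: ^8.17.1\n  ajv-formats: ^3.0.1\n';
const LOCK_FIXED = [
  'packages:', '  ajv@6.14.0:', '  ajv@8.17.1:', 'snapshots:', '  ajv@6.14.0: {}',
  '  ajv-formats@3.0.1(ajv@8.17.1):', '    dependencies:', '      ajv: 8.17.1',
].join('\n');

console.log(auditAjv(WORKSPACE_AFTER_PR, LOCK_AFTER_PR)); // three findings
console.log(auditAjv(WORKSPACE_FIXED, LOCK_FIXED));       // []
```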