build(deps): bump ajv from 8.8.2 to 8.18.0 #517
dependabot[bot] wants to merge 1 commit into master from
Bumps [ajv](https://github.com/ajv-validator/ajv) from 8.8.2 to 8.18.0.
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v8.8.2...v8.18.0)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 8.18.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Beginning January 27, 2026, Dependabot will no longer support the `@dependabot merge` command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.
Codacy's Analysis Summary
0 new issue (≤ 1 medium issue)
Pull Request Overview
This PR updates ajv to 8.18.0, which includes a critical fix for a ReDoS vulnerability (CVE-2025-69873). The lockfile changes correctly reflect the migration from uri-js to fast-uri and the addition of fast-uri as a dependency. The static analysis issue reported on the lockfile is a false positive due to the file's generated nature.
About this PR
- This PR updates `package-lock.json` but does not include an update to `package.json`. To maintain consistency across the project and ensure that the new version is preserved during future dependency resolutions, please update the version of `ajv` in `package.json` to `8.18.0`.
- The `Lizard_file-nloc-critical` pattern flagged `package-lock.json` for its high line count. Since lockfiles are generated and inherently large, this is a false positive. I recommend excluding `package-lock.json` from this pattern in your Codacy configuration to reduce noise in future pull requests.
Bumps ajv from 8.8.2 to 8.18.0.
Release notes
Sourced from ajv's releases.
... (truncated)
Commits
- 142ce84 8.18.0
- 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
- 82735a1 fix: typos in schema-language.md (#2507)
- b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
- 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
- f06766f feat: allow tree-shaking by adding `"sideEffects": false` to `package.json` ...
- 9050ba1 bump version to 8.17.1 (#2472)
- f7831b4 fixes #2217 - clarify custom keyword naming (#2457)
- a523784 fix: changes for `@typescript-eslint/array-type` rule (#2467)
- 595fe58 feat: add test for encoded refs and bump fast-uri (#2449)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
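
The review above notes that only `package-lock.json` changes, and the commit metadata marks ajv as an indirect dependency, so a lockfile can hold more than one installed copy of ajv. The following is an added example (not code from this repository, Dependabot or Codacy) that lists every copy of a package in a lockfile's `packages` map and flags any below a minimum version; the function names and the sample lockfile are constructed for illustration.

```javascript
// Compare two "x.y.z" versions numerically; returns <0, 0 or >0.
// Pre-release/build suffixes are ignored (a simplification for this example).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3)
// and return every installed copy of `name`. `outdated` is true when the copy
// is older than `minVersion`, and null when the entry has no version (a link).
function auditLock(lock, name, minVersion) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({
      path,
      version: meta.version || null,
      outdated: meta.version
        ? compareVersions(meta.version, minVersion) < 0
        : null,
    }));
}

// Constructed sample lockfile (not this repository's real package-lock.json):
// the top-level ajv is bumped, but a nested copy under a hypothetical
// "some-tool" package is still on the old version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/ajv": { version: "8.18.0" },
    "node_modules/ajv-keywords": { version: "5.1.0" },
    "node_modules/some-tool/node_modules/ajv": { version: "8.8.2" },
    "node_modules/uri-js": { version: "4.4.1" },
  },
};

for (const hit of auditLock(sampleLock, "ajv", "8.18.0")) {
  console.log(`${hit.outdated ? "OUTDATED" : "ok"}  ${hit.path}  ${hit.version}`);
}
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` as `lock`; running the same function with `"uri-js"` shows whether any remaining package still pulls in the old URI parser.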