chore(deps): bump ajv to fix ReDoS in $data option #5710
Semver Impact of This PR: ⚪ None (no version bump detected)

📋 Changelog Preview: This is how your changes will appear in the changelog.
🤖 This preview updates automatically when you update the PR.
iOS (legacy) Performance metrics 🚀
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| ea3e26e+dirty | 1229.13 ms | 1228.46 ms | -0.67 ms |
| 80e4616+dirty | 1221.32 ms | 1225.64 ms | 4.32 ms |
| 818a608+dirty | 1205.76 ms | 1208.00 ms | 2.24 ms |
| 77061ed+dirty | 1233.16 ms | 1234.88 ms | 1.71 ms |
| bef3709+dirty | 1222.07 ms | 1220.24 ms | -1.83 ms |
| a206511+dirty | 1185.00 ms | 1186.35 ms | 1.35 ms |
| 74979ac+dirty | 1210.49 ms | 1213.31 ms | 2.82 ms |
| a2bb688+dirty | 1223.53 ms | 1232.90 ms | 9.37 ms |
| 8a868fe+dirty | 1221.50 ms | 1230.78 ms | 9.28 ms |
| d590428+dirty | 1211.77 ms | 1220.51 ms | 8.75 ms |
App size
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| ea3e26e+dirty | 3.41 MiB | 4.58 MiB | 1.17 MiB |
| 80e4616+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| 818a608+dirty | 2.63 MiB | 3.91 MiB | 1.28 MiB |
| 77061ed+dirty | 2.63 MiB | 3.98 MiB | 1.34 MiB |
| bef3709+dirty | 3.38 MiB | 4.78 MiB | 1.40 MiB |
| a206511+dirty | 3.41 MiB | 4.67 MiB | 1.25 MiB |
| 74979ac+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| a2bb688+dirty | 2.63 MiB | 3.99 MiB | 1.36 MiB |
| 8a868fe+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| d590428+dirty | 3.38 MiB | 4.78 MiB | 1.39 MiB |
Android (legacy) Performance metrics 🚀
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| c7f264b | 434.98 ms | 452.96 ms | 17.98 ms |
| 9f211e3 | 451.50 ms | 500.00 ms | 48.50 ms |
| 9ced351+dirty | 405.40 ms | 419.39 ms | 13.98 ms |
| f70acbf+dirty | 373.39 ms | 382.81 ms | 9.43 ms |
| f234eb4+dirty | 407.62 ms | 429.64 ms | 22.02 ms |
| 2adbd1e+dirty | 433.98 ms | 427.96 ms | -6.02 ms |
| 7886639+dirty | 425.10 ms | 477.73 ms | 52.63 ms |
| a206511+dirty | 424.28 ms | 474.82 ms | 50.54 ms |
| 98f632c | 424.25 ms | 435.48 ms | 11.23 ms |
| 46da307 | 455.92 ms | 443.79 ms | -12.13 ms |
App size
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| c7f264b | 17.75 MiB | 19.68 MiB | 1.94 MiB |
| 9f211e3 | 17.75 MiB | 19.68 MiB | 1.94 MiB |
| 9ced351+dirty | 43.75 MiB | 48.41 MiB | 4.66 MiB |
| f70acbf+dirty | 17.75 MiB | 19.68 MiB | 1.94 MiB |
| f234eb4+dirty | 17.75 MiB | 19.74 MiB | 1.99 MiB |
| 2adbd1e+dirty | 17.75 MiB | 19.70 MiB | 1.96 MiB |
| 7886639+dirty | 43.75 MiB | 48.42 MiB | 4.67 MiB |
| a206511+dirty | 43.75 MiB | 48.07 MiB | 4.32 MiB |
| 98f632c | 17.75 MiB | 20.15 MiB | 2.41 MiB |
| 46da307 | 17.75 MiB | 19.68 MiB | 1.93 MiB |
Android (new) Performance metrics 🚀
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 664c66f+dirty | 376.23 ms | 389.51 ms | 13.28 ms |
| d73150f+dirty | 424.60 ms | 454.35 ms | 29.75 ms |
| 4a17c8f+dirty | 368.54 ms | 381.43 ms | 12.89 ms |
| b3b5b0d+dirty | 361.42 ms | 403.90 ms | 42.48 ms |
| 9ced351+dirty | 361.74 ms | 411.45 ms | 49.70 ms |
| 7886639+dirty | 530.30 ms | 571.34 ms | 41.04 ms |
| c08359e+dirty | 406.04 ms | 428.87 ms | 22.83 ms |
| 3099014+dirty | 344.58 ms | 404.21 ms | 59.63 ms |
| d751a5d+dirty | 341.61 ms | 403.06 ms | 61.45 ms |
| 682f0f5+dirty | 402.33 ms | 440.61 ms | 38.28 ms |
App size
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 664c66f+dirty | 43.94 MiB | 49.38 MiB | 5.44 MiB |
| d73150f+dirty | 43.94 MiB | 49.38 MiB | 5.44 MiB |
| 4a17c8f+dirty | 43.94 MiB | 48.82 MiB | 4.88 MiB |
| b3b5b0d+dirty | 7.15 MiB | 8.41 MiB | 1.26 MiB |
| 9ced351+dirty | 43.94 MiB | 49.27 MiB | 5.33 MiB |
| 7886639+dirty | 43.94 MiB | 49.28 MiB | 5.34 MiB |
| c08359e+dirty | 7.15 MiB | 8.42 MiB | 1.27 MiB |
| 3099014+dirty | 7.15 MiB | 8.43 MiB | 1.27 MiB |
| d751a5d+dirty | 7.15 MiB | 8.41 MiB | 1.26 MiB |
| 682f0f5+dirty | 43.94 MiB | 48.91 MiB | 4.97 MiB |
iOS (new) Performance metrics 🚀
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| ea3e26e+dirty | 1216.61 ms | 1214.15 ms | -2.47 ms |
| 80e4616+dirty | 1206.90 ms | 1205.94 ms | -0.96 ms |
| 818a608+dirty | 1218.84 ms | 1223.18 ms | 4.34 ms |
| 77061ed+dirty | 1210.77 ms | 1218.45 ms | 7.68 ms |
| bef3709+dirty | 1217.79 ms | 1225.33 ms | 7.54 ms |
| a206511+dirty | 1225.02 ms | 1223.74 ms | -1.28 ms |
| 74979ac+dirty | 1212.33 ms | 1212.54 ms | 0.21 ms |
| a2bb688+dirty | 1244.82 ms | 1238.60 ms | -6.22 ms |
| 8a868fe+dirty | 1206.85 ms | 1215.04 ms | 8.19 ms |
| d590428+dirty | 1221.23 ms | 1225.27 ms | 4.03 ms |
App size
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| ea3e26e+dirty | 3.41 MiB | 4.58 MiB | 1.17 MiB |
| 80e4616+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| 818a608+dirty | 3.19 MiB | 4.48 MiB | 1.29 MiB |
| 77061ed+dirty | 3.19 MiB | 4.54 MiB | 1.36 MiB |
| bef3709+dirty | 3.38 MiB | 4.78 MiB | 1.40 MiB |
| a206511+dirty | 3.41 MiB | 4.67 MiB | 1.25 MiB |
| 74979ac+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| a2bb688+dirty | 3.19 MiB | 4.56 MiB | 1.37 MiB |
| 8a868fe+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| d590428+dirty | 3.38 MiB | 4.78 MiB | 1.39 MiB |
Force-pushed c193199 to aa9eb1e
Uses scoped yarn resolutions to bump ajv:
- eslint/eslintrc consumers: 6.12.6 → 6.14.0 (fixes alert #423)
- appium, detox, expo-dev-launcher: → 8.18.0 (fixes alert #424)

Parent-scoped resolutions avoid the unscoped override that would force eslint onto incompatible ajv v8.

https://github.com/getsentry/sentry-react-native/security/dependabot/423
https://github.com/getsentry/sentry-react-native/security/dependabot/424

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Force-pushed aa9eb1e to 4b79b83
Addressed both review comments:
Fix: Removed the unscoped resolution entirely. Now using only parent-scoped resolutions:
Verified:
Cursor Bugbot has reviewed your changes and found 1 potential issue.
yarn.lock (Outdated)
| "ajv@npm:^8.0.0": | ||
| version: 8.17.1 | ||
| resolution: "ajv@npm:8.17.1" | ||
| dependencies: |
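Review bot: the entry shown here, `"ajv@npm:^8.0.0"` resolving to `version: 8.17.1`, is a range descriptor that the parent-scoped resolutions listed in the commit message do not cover, so at least one consumer of that range stays on the pre-fix version. Before merging, enumerate the consumers with `yarn why ajv`, add a scoped resolution for each one that maps to this descriptor, and re-check the lockfile so that no `ajv` entry below 8.18.0 remains.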
Bug: The fix for the ajv ReDoS vulnerability is incomplete. The ajv-formats package is not covered by the scoped resolutions and still resolves to a vulnerable ajv version.
Severity: HIGH
Suggested Fix
To fully mitigate the vulnerability, either add a specific scoped resolution for ajv-formats like "ajv-formats@npm:2.1.1/ajv": "^8.18.0", or add a global unscoped resolution like "ajv": "^8.18.0" to force all consumers to the patched version.
Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.

Location: yarn.lock#L13697-L13700

Potential issue: The pull request attempts to mitigate a ReDoS vulnerability in the `ajv` package by adding scoped resolutions to `yarn.lock`. However, this fix is incomplete. The `ajv-formats` package, a dependency in the project, requires `ajv: "^8.0.0"` and is not covered by any of the new scoped resolutions. As a result, it resolves to the vulnerable version `8.17.1` instead of the patched version `8.18.0`. This leaves the application exposed to the ReDoS vulnerability (CVE-2025-69873) through any code path that utilizes `ajv-formats`.
…ajv 8.17.1

ajv-formats@2.1.1 (via appium) depends on ajv@^8.0.0 which was still resolving to vulnerable 8.17.1. Adding a scoped resolution for ajv-formats ensures it also gets ajv 8.18.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Addressed both new comments:
Fix: Added
Verified:
Summary
- `$data` option in `ajv`
- appium's exact `8.12.0` pin and all `^8.x` consumers to `8.18.0`
- (eslint, `@eslint/eslintrc`): consolidated onto `8.18.0` via unscoped resolution — build and tests pass with ajv 8.x
- Dependabot alerts

Test plan
- `yarn install` resolves all `ajv` consumers to `8.18.0`
- `yarn build` passes
- `yarn test` passes

🤖 Generated with Claude Code
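The test plan states that `yarn install` resolves every `ajv` consumer to `8.18.0`, and the Bugbot comment earlier in the thread found one range descriptor (`ajv@npm:^8.0.0`) that did not. The script below is an added example, not code from this PR or from the sentry-react-native project: it parses the Yarn Berry lockfile entry format visible in the review comment and lists every `ajv` descriptor resolved below the floor the PR chose per major line (6.14.0 for 6.x consumers, 8.18.0 for 8.x consumers). The lockfile text is a constructed sample and the function names (`parseLockfile`, `findBelowFloor`, `auditAjv`) are mine.

```javascript
// Added example (not code from the PR or the sentry-react-native project): audit a
// Yarn Berry yarn.lock for package entries that still resolve below a patched
// version floor. The floors are the versions this PR settles on (ajv 6.14.0 for
// 6.x consumers, 8.18.0 for 8.x consumers); all function names are mine.

// Constructed sample in Yarn Berry lockfile syntax. The third entry reproduces
// the gap raised in review: the "^8.0.0" range descriptor still resolves to 8.17.1.
const SAMPLE_LOCKFILE = `
"ajv@npm:^6.12.4, ajv@npm:^6.12.6":
  version: 6.14.0
  resolution: "ajv@npm:6.14.0"
  languageName: node
  linkType: hard

"ajv@npm:8.18.0, ajv@npm:^8.12.0":
  version: 8.18.0
  resolution: "ajv@npm:8.18.0"
  languageName: node
  linkType: hard

"ajv@npm:^8.0.0":
  version: 8.17.1
  resolution: "ajv@npm:8.17.1"
  languageName: node
  linkType: hard

"fast-deep-equal@npm:^3.1.3":
  version: 3.1.3
  resolution: "fast-deep-equal@npm:3.1.3"
  languageName: node
  linkType: hard
`;

// Parse the subset of the lockfile we need: each unindented key is one or more
// comma-separated descriptors ("name@npm:range"), and the indented "version:"
// line gives the version every descriptor in that key resolves to.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    if (rawLine.trim() === "" || rawLine.startsWith("#")) continue;
    if (!/^\s/.test(rawLine) && rawLine.endsWith(":")) {
      const key = rawLine.slice(0, -1).replace(/^"|"$/g, "");
      current = { descriptors: key.split(", "), version: null };
      entries.push(current);
    } else if (current) {
      const m = rawLine.match(/^\s+version:\s*"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Descriptor "ajv@npm:^8.0.0" -> "ajv"; scoped names such as "@eslint/eslintrc"
// keep their leading "@" because the search starts at index 1.
function packageName(descriptor) {
  const at = descriptor.indexOf("@", 1);
  return at === -1 ? descriptor : descriptor.slice(0, at);
}

// Numeric major.minor.patch comparison; prerelease/build tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Report every descriptor of `pkg` whose resolved version is below the floor for
// its major. A major with no floor is reported too (floor: null), because a fix
// applied per major line can silently miss a consumer on a third line.
function findBelowFloor(entries, pkg, floorsByMajor) {
  const findings = [];
  for (const entry of entries) {
    for (const descriptor of entry.descriptors) {
      if (packageName(descriptor) !== pkg || entry.version === null) continue;
      const major = Number(entry.version.split(".")[0]);
      const floor = floorsByMajor[major];
      if (floor === undefined || compareVersions(entry.version, floor) < 0) {
        findings.push({ descriptor, version: entry.version, floor: floor === undefined ? null : floor });
      }
    }
  }
  return findings;
}

// The check this PR's test plan describes: no ajv consumer may stay below the
// patched version of its major line.
function auditAjv(lockfileText) {
  return findBelowFloor(parseLockfile(lockfileText), "ajv", { 6: "6.14.0", 8: "8.18.0" });
}

const sampleFindings = auditAjv(SAMPLE_LOCKFILE);
for (const f of sampleFindings) {
  const why = f.floor === null ? "no floor defined for this major" : `below floor ${f.floor}`;
  console.log(`${f.descriptor} resolves to ${f.version} (${why})`);
}
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `require("fs").readFileSync("yarn.lock", "utf8")`; an empty result is the condition the test plan asserts, and each printed descriptor names a range that still needs a scoped resolution (or an unscoped one, as the final Summary chose).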