Conversation
Bumps [ajv](https://github.com/ajv-validator/ajv) to 8.18.0 and updates ancestor dependency [request](https://github.com/request/request). These dependencies need to be updated together. Updates `ajv` from 5.5.2 to 8.18.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v5.5.2...v8.18.0) Updates `request` from 2.87.0 to 2.88.2 - [Changelog](https://github.com/request/request/blob/master/CHANGELOG.md) - [Commits](https://github.com/request/request/commits) --- updated-dependencies: - dependency-name: ajv dependency-version: 8.18.0 dependency-type: indirect - dependency-name: request dependency-version: 2.88.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| }, | ||
| "funding": { | ||
| "type": "github", | ||
| "url": "https://github.com/sponsors/epoberezkin" |
There was a problem hiding this comment.
ajv resolved to 6.14.0, not 8.18.0 as intended
High Severity
The PR claims to bump ajv to 8.18.0 to fix CVE-2025-69873 (CVSS 7.5 HIGH, ReDoS vulnerability), but the lockfile actually resolves ajv to version 6.14.0. This version is still affected by the CVE, as the fix only exists in 8.18.0+. The transitive dependency chain (request → har-validator → ajv@^6.12.3) caps the resolved version at 6.x, so the stated security fix is not actually applied. The vulnerability allows ReDoS when $data is enabled — a 31-character payload can block CPU for ~44 seconds.
Bumps ajv to 8.18.0 and updates ancestor dependency request. These dependencies need to be updated together.
Updates
ajvfrom 5.5.2 to 8.18.0Release notes
Sourced from ajv's releases.
... (truncated)
Commits
142ce848.18.0720a23ffix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...82735a1fix: typos in schema-language.md (#2507)b17ec32fix: small grammatical error in managing-schemas.md (#2508)69568d0fix: #2482 Infinity and NaN serialise to null (#2487)f06766ffeat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...9050ba1bump version to 8.17.1 (#2472)f7831b4fixes #2217 - clarify custom keyword naming (#2457)a523784fix: changes for@typescript-eslint/array-typerule (#2467)595fe58feat: add test for encoded refs and bump fast-uri (#2449)Install script changes
This version modifies
prepublishscript that runs during installation. Review the package contents before updating.Updates
requestfrom 2.87.0 to 2.88.2Changelog
Sourced from request's changelog.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Lockfile regeneration plus an update to runtime HTTP client
requestcan change network behavior and transitive dependency versions; failures would surface at runtime in request/validation paths.Overview
Regenerates
package-lock.json, bumping the package version to2.1.4and migrating the lockfile format from v1 to v3 (introducing thepackagessection and updated metadata likeengines/binfields).As part of the new resolution, runtime dependency
requestis updated to2.88.2(with updated transitive dependencies), and theajv/schema-validation chain used byrequest’shar-validatoris updated (e.g.,ajv5.5.2->6.14.0along with related packages likeuri-js,fast-deep-equal, andjson-schema-traverse).Written by Cursor Bugbot for commit 6639bda. This will update automatically on new commits. Configure here.