
Update dependency ajv to v6 [SECURITY] #1062

Open: renovate[bot] wants to merge 1 commit into master from renovate/npm-ajv-vulnerability

Conversation

renovate[bot]

@renovate renovate bot commented Jan 23, 2023

This PR contains the following updates:

Package: ajv (source)
Change: ^4.10.0 -> ^6.0.0
Age, Adoption, Passing, Confidence: badges

GitHub Vulnerability Alerts

CVE-2020-15366

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
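The fix for CVE-2020-15366 shipped in ajv 6.12.3 (see the v6.12.3 release notes below), and this PR only moves the direct dependency range; nested copies of ajv pulled in by other packages can stay on an older version. The audit script below is an added example written for this page, not part of the PR or of ajv: it walks a lockfile-style `packages` map (the sample map is constructed for illustration) and flags every installed copy of ajv older than the fixed version. The version parser and the `findVulnerableAjv` helper are this example's own.

```javascript
// Added example, not from the PR or from ajv: flag every installed copy of
// ajv that predates the CVE-2020-15366 fix. The lockfile map is constructed.

const FIXED_VERSION = "6.12.3"; // first release with the fix, per the release notes

// Accept "6.12.3" or a range such as "^6.0.0" / "~6.12.0" by dropping the
// leading operator; returns [major, minor, patch] as numbers.
function parseVersion(v) {
  const m = /^[\^~>=<]*v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3 layout, keyed by path).
// Every path ending in "node_modules/ajv" is checked, because a transitive
// dependency can pin an old ajv even after package.json is updated.
function findVulnerableAjv(lock, fixedVersion = FIXED_VERSION) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name !== "ajv" || !entry.version) continue;
    if (compareVersions(entry.version, fixedVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: one direct copy on the old 4.x range and two nested
// copies, only one of which is already at or past the fix.
const sampleLock = {
  packages: {
    "node_modules/ajv": { version: "4.11.8" },
    "node_modules/eslint/node_modules/ajv": { version: "6.12.6" },
    "node_modules/har-validator/node_modules/ajv": { version: "6.12.2" },
  },
};

console.log(findVulnerableAjv(sampleLock));
```

Run it against the real `package-lock.json` by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means every installed ajv is at or past 6.12.3.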

Release Notes

ajv-validator/ajv (ajv)

v6.12.3

Pass schema object to processCode function
Option for strictNumbers (@​issacgerges, #​1128)
Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

v6.12.0

Improved hostname validation (@​sambauers, #​1143)
Option keywords to add custom keywords (@​franciscomorais, #​1137)
Types fixes (@​boenrobot, @​MattiAstedrone)
Docs:

v6.11.0

Time formats support two digit and colon-less variants of timezone offset (#​1061 , @​cjpillsbury)
Docs: RegExp related security considerations
Tests: Disabled failing typescript test

v6.10.2

Fix: the unknown keywords were ignored with the option strictKeywords: true (instead of failing compilation) in some sub-schemas (e.g. anyOf), when the sub-schema didn't have known keywords.

v6.10.1

Fix types
Fix addSchema (#​1001)
Update dependencies

v6.10.0

Option strictDefaults to report ignored defaults (#​957, @​not-an-aardvark)
Option strictKeywords to report unknown keywords (#​781)

v6.9.2

v6.9.1

v6.9.0

OpenAPI keyword nullable can be any boolean (and not only true).
Custom keyword definition changes:

  • dependencies option to require the presence of keywords in the same schema.
  • more strict validation of the definition using JSON Schema.

v6.8.1

v6.8.0

Docs: security considerations.
Meta-schema for the security assessment of JSON Schemas.

v6.7.0

Option useDefaults: "empty" to replace null and "" (empty strings) with default values (in addition to assigning defaults to missing and undefined properties).
Update draft-04 meta-schema to remove incorrect usage of "uri" format.

v6.6.2

v6.6.1

v6.6.0

Keyword "nullable" from OpenAPI spec
Replaced phantomjs with headless chrome

v6.5.5

v6.5.4

v6.5.3

v6.5.2

v6.5.1

v6.5.0

With option passContext, the context is now passed in recursive/mutually recursive refs (@​cvlab, #​768).

v6.4.0

Support URNs in $id - core url package is replaced with url-js (#​423, @​sondrele).

v6.3.0

Typescript declarations updated to use PromiseLike (#​717, @​krenor)

v6.2.1

v6.2.0

Parameter allowedValue in the error of const keyword (#​713, @​marshall007).

v6.1.1

v6.1.0

A different error message for additionalProperties error with errorDataPath: 'property' option (#​671, @​lehni)

v6.0.1

v6.0.0

Changes from v5.5.2

draft-07 support:

  • if/then/else keywords
  • $comment keyword
  • default meta-schema is draft-07

Schema IDs

  • only $id keyword is used as schema ID by default.
  • schemaId option should be set to "id" or "auto" for id keyword to be used.
    See Options.

Formats

  • date, date-time, time: support leap year and leap second
  • json-pointer: only validates a string format of JSON pointer
  • json-pointer-uri-fragment: to validate uri-fragment format of JSON pointer

Keyword changes

  • Improved algorithm for uniqueItems keyword to validate an array of same-type scalars in one pass
  • Keywords uniqueItems and contains are validated after items and type coercion (with coerceTypes option)
  • Additional error parameters for oneOf keyword
  • Removed deprecated patternGroups keyword
  • Reserved annotation keywords: examples, readOnly, writeOnly, contentEncoding, contentMediaType.

Other

  • Defaults are now assigned inside schemas of then/else keywords.
  • Option $comment to log/pass to a function strings from $comment keyword.
  • Async schemas can only be compiled to async functions, compilation to generator functions is no longer supported.
  • Documented convention for plugins.
  • Removed v5 meta-schema.
  • Removed nodent bundle, ajv-async bundle includes nodent now.

v5.5.2

v5.5.1

v5.5.0

Support chaining of methods add* and remove* (#​625, @​pithu), see Api.

v5.4.0

Option logger to disable logging or to specify a custom logger (#​618, @​meirotstein).

v5.3.0

Replace json-stable-stringify with a faster fork without jsonify.

v5.2.5

v5.2.4

v5.2.3

v5.2.2

v5.2.1

v5.2.0

Refactor: separate "equal" into package fast-deep-equal

v5.1.6

v5.1.5

v5.1.4

v5.1.3

v5.1.2

v5.1.1

v5.1.0

Changed order of type validation - "type" keyword is now validated before keywords that apply to all types.

v5.0.1

v5.0.0

This release is fully backward compatible, but it may require either migrating your schemas (recommended, e.g. using "migrate" command of ajv-cli) or changing your code that uses Ajv.

You can still use draft-04 and v5 schemas with this release (see Migration guide below).

The changes below are based on 4.11.7 version.

JSON-Schema draft-06 support

  • Support for boolean schemas: wherever a schema is required, true/false can be used in order to always pass/fail validation.
  • $id keyword is used as schema URI (previously id).
  • exclusiveMaximum and exclusiveMinimum keywords must be numbers (previously boolean).
  • additional validation keywords: const, contains, propertyNames.
  • additional formats: uri-reference, uri-template.

See Internet drafts: JSON Schema, JSON Schema Validation.

Migrating from Ajv 4.x.x

Migrate your schemas

It is a recommended approach.

Required changes
  • replace id with $id
  • update $schema
  • replace boolean form of exclusiveMaximum/Minimum with numeric form
  • replace Ajv v5 constant with const
Optional changes
  • replace enum with a single allowed value with const
  • replace empty schemas with true
  • replace schemas {"not":{}} with false

You can use "migrate" command of ajv-cli to make these changes to your schemas.
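The required and optional changes listed above are mechanical, so they can be applied by a schema walk. The function below is an added example for this page, not ajv-cli's own `migrate` implementation: it renames `id` to `$id`, rewrites `$schema` to draft-06, converts the boolean `exclusiveMaximum`/`exclusiveMinimum` form to the numeric form, renames the Ajv v5 `constant` keyword to `const`, and, when its own `optional` flag is set, also applies the three optional changes (single-value `enum` to `const`, `{}` to `true`, `{"not":{}}` to `false`). The keyword sets and the sample schema are this example's assumptions.

```javascript
// Added example, not ajv-cli's "migrate" command: apply the draft-04 -> draft-06
// changes listed in the migration guide to a schema object, recursively.

const DRAFT06 = "http://json-schema.org/draft-06/schema#";

// Keywords whose value is a map of subschemas keyed by user-chosen names.
// Those keys are left alone: a property literally named "id" is data, not
// the schema-ID keyword.
const SCHEMA_MAP_KEYWORDS = new Set(["properties", "patternProperties", "definitions", "dependencies"]);
// Keywords whose value is instance data, never a schema: never recurse into them.
const LITERAL_KEYWORDS = new Set(["enum", "const", "constant", "default", "examples"]);

function isPlainObject(x) {
  return x !== null && typeof x === "object" && !Array.isArray(x);
}

// Migrate something that may be a schema, an array of schemas, or plain data.
function migrateValue(value, optional) {
  if (Array.isArray(value)) return value.map((v) => migrateValue(v, optional));
  if (isPlainObject(value)) return migrateSchema(value, optional);
  return value;
}

function migrateSchema(schema, optional = false) {
  if (!isPlainObject(schema)) return schema; // boolean schemas pass through unchanged
  const out = {};
  for (const [key, value] of Object.entries(schema)) {
    if (key === "id") {
      out.$id = value;
    } else if (key === "$schema") {
      out.$schema = DRAFT06;
    } else if (key === "constant") {
      out.const = value; // Ajv v5 keyword renamed to const in draft-06
    } else if (key === "exclusiveMaximum" || key === "exclusiveMinimum") {
      // draft-04 boolean form points at the sibling maximum/minimum;
      // draft-06 form carries the bound itself. `false` is simply dropped.
      const bound = key === "exclusiveMaximum" ? schema.maximum : schema.minimum;
      if (value === true) {
        if (bound !== undefined) out[key] = bound;
      } else if (value !== false) {
        out[key] = value; // already numeric
      }
    } else if (key === "maximum" || key === "minimum") {
      const exclusive = key === "maximum" ? schema.exclusiveMaximum : schema.exclusiveMinimum;
      if (exclusive !== true) out[key] = value; // otherwise it became the exclusive bound
    } else if (key === "enum" && optional && Array.isArray(value) && value.length === 1) {
      out.const = value[0];
    } else if (LITERAL_KEYWORDS.has(key)) {
      out[key] = value;
    } else if (SCHEMA_MAP_KEYWORDS.has(key) && isPlainObject(value)) {
      out[key] = {};
      for (const [name, sub] of Object.entries(value)) out[key][name] = migrateValue(sub, optional);
    } else {
      out[key] = migrateValue(value, optional); // items, allOf, not, ...
    }
  }
  if (optional) {
    const keys = Object.keys(out);
    if (keys.length === 0) return true; // {} -> true
    if (keys.length === 1 && keys[0] === "not" && out.not === true) return false; // {"not":{}} -> false
  }
  return out;
}

// Constructed draft-04 / Ajv v5 schema exercising each listed change.
const legacySchema = {
  $schema: "http://json-schema.org/draft-04/schema#",
  id: "http://example.com/order.json",
  type: "object",
  properties: {
    id: { type: "string" },
    qty: { type: "integer", minimum: 0, exclusiveMinimum: true },
    price: { type: "number", maximum: 100, exclusiveMaximum: false },
    status: { enum: ["open"] },
    meta: {},
    never: { not: {} },
    kind: { constant: "order" },
  },
  required: ["id", "qty"],
};

console.log(JSON.stringify(migrateSchema(legacySchema, true), null, 2));
```

With `optional` left at its default of `false` only the required changes are made, which is the safer first step: the optional rewrites change what a schema looks like (not what it validates) and are easier to review separately.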

If you need to continue using draft-04 schemas

```js
var Ajv = require('ajv');

var ajv = new Ajv({
  meta: false, // optional, to prevent adding draft-06 meta-schema
  extendRefs: true, // optional, current default is to 'fail', spec behaviour is to 'ignore'
  unknownFormats: 'ignore',  // optional, current default is true (fail)
  // ...
});

var metaSchema = require('ajv/lib/refs/json-schema-draft-04.json');
ajv.addMetaSchema(metaSchema);
ajv._opts.defaultMeta = metaSchema.id;

// optional, using unversioned URI is out of spec, see https://github.com/json-schema-org/json-schema-spec/issues/216
ajv._refs['http://json-schema.org/schema'] = 'http://json-schema.org/draft-04/schema';

// Optionally you can also disable keywords defined in draft-06
ajv.removeKeyword('propertyNames');
ajv.removeKeyword('contains');
ajv.removeKeyword('const');
```

If you need to continue using schemas requiring v5 mode of Ajv

```js
var Ajv = require('ajv');

var ajv = new Ajv({
  $data: true,
  patternGroups: true,
  meta: false, // optional, to prevent adding draft-06 meta-schema
  extendRefs: true, // optional, current default is to 'fail', spec behaviour is to 'ignore'
  unknownFormats: 'ignore',  // optional, current default is true (fail)
  // ...
});

ajv.addMetaSchema(require('ajv/lib/refs/json-schema-draft-04.json'));
ajv._refs['http://json-schema.org/schema'] = 'http://json-schema.org/draft-04/schema'; // optional, using unversioned URI is out of spec
var metaSchema = require('ajv/lib/refs/json-schema-v5.json');
ajv.addMetaSchema(metaSchema);
ajv._opts.defaultMeta = metaSchema.id;

// optional - to avoid changing the schemas
ajv.addKeyword('constant', { macro: x => ({ const: x }) }); // this keyword is renamed to const in draft-06
// you need to use version "^2.0.0" of ajv-keywords
require('ajv-keywords')(ajv, ['switch', 'patternRequired', 'formatMinimum', 'formatMaximum']);

// Optionally you can also disable propertyNames keyword defined in draft-06
ajv.removeKeyword('propertyNames');
```

Changes

Validation keywords

Moved/deprecated:

Formats
  • Support custom formats for numbers (#​291).
  • Format "regex" is changed to prohibit \Z anchor.
  • Format "uri" is changed to only allow absolute URIs, relative URIs are supported with "uri-reference".
  • Added format "url" (WHATWG URL specification).
Methods
  • Methods are no longer bound to Ajv instances (#​232).
  • compileAsync method returns Promise and supports async loading of meta-schemas (#​249, #​334).
Options
  • schemaId determining whether $id, id or both are used.
  • $data for $data reference support.
  • ownProperties supports all keywords (#​197).
  • serialize to replace json-stable-stringify with another function to serialise schemas.
  • Log warning instead of throwing exception when option meta: false is used without validateSchema: false.
  • processCode: function() {} can be used to beautify/transpile generated code.
  • beautify: true is no longer supported.
  • v5 is no longer used.

Option defaults changed:

  • extendRefs: "ignore" - when $ref is used other keywords are ignored (was true) (#​294).
  • sourceCode: false - do not store source code of validation functions (was true) (#​309).
  • unknownFormats: true - fail schema compilation (was "ignore") (#​324).
Asynchronous validation
  • Auto-detection of async mode and transpile option support require ajv-async package.
  • Default async mode is "co*" (co-wrapped generator functions).
  • If you need to transpile code without ajv-async package, you can pass transpilation function in processCode option. See Options.
  • In case of validation success, returned Promise resolves with validated data to simplify chaining (previously it resolved with true).
Other
  • Ajv.MissingRefError class is used to throw missing $ref exception.
  • Typings are updated - typescript 2.0 is required.
  • Errors are logged using console.warn and console.error (#​265).
  • Improve error handling (#​380, #​394).
  • Improve webpack support (#​403).
Related packages

Compatible versions are:


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.

@renovate renovate bot requested a review from a team as a code owner January 23, 2023 13:50
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 23, 2023
@renovate renovate bot force-pushed the renovate/npm-ajv-vulnerability branch from b2c8266 to fb5478a on February 7, 2023 15:03
@renovate renovate bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from 9e2e208 to 7ed0e6c on February 28, 2023 18:06
@renovate renovate bot force-pushed the renovate/npm-ajv-vulnerability branch 5 times, most recently from e11de13 to cd0da04 on May 31, 2023 07:47
@renovate renovate bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from 08037ba to 3e0ebc5 on June 2, 2023 13:02
@renovate renovate bot force-pushed the renovate/npm-ajv-vulnerability branch 3 times, most recently from 25ac01d to 9042a4c on June 23, 2023 11:58
@renovate renovate bot force-pushed the renovate/npm-ajv-vulnerability branch from 9042a4c to 9b4e48b on February 13, 2024 16:03
Labels
dependencies Pull requests that update a dependency file

0 participants