Update dependency ajv to v6 [SECURITY] #1062
Open
+3
−32
This PR contains the following updates:
ajv: ^4.10.0 -> ^6.0.0
GitHub Vulnerability Alerts
CVE-2020-15366
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
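Two checks a consumer of ajv can run before trusting a resolved dependency or a schema that comes from outside the application, as an added example that is not part of this PR and not ajv's own code. The version check uses the fixed release named in the release notes below (v6.12.3); the key walk is a generic input-hygiene gate (rejecting `__proto__`, `constructor` and `prototype` keys) that is assumed here as an extra layer in front of the validator, not a description of the upstream fix and not a substitute for upgrading.

```javascript
// Added example, not code from the PR or from ajv: two defensive checks a
// consumer of ajv can run in CI or at schema-load time.
//  1. isPatchedAjv(version): is a resolved ajv version at or above 6.12.3,
//     the release whose notes say the CVE-2020-15366 fix landed?
//  2. findRiskyKeys(schema): walk an untrusted schema and report keys that
//     are commonly abused to reach Object.prototype. This is a generic
//     input-hygiene gate assumed here in front of the validator; it is not
//     the upstream fix and does not replace upgrading.

const FIXED_VERSION = [6, 12, 3]; // from the release notes on this page

// Parse "6.12.3", "v6.12.3" or "6.12.3-beta.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed ajv is at or above the fixed release.
function isPatchedAjv(installedVersion) {
  return compareVersions(parseVersion(installedVersion), FIXED_VERSION) >= 0;
}

// Keys that can alter Object.prototype when an untrusted object is merged,
// cloned or turned into code without care. Conservative on purpose: a schema
// that legitimately describes a property with one of these names is rejected.
const RISKY_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Depth-first walk over a parsed JSON value; returns JSON-pointer-like paths
// of every object key found in RISKY_KEYS. Object.keys is used deliberately:
// an own "__proto__" key, which JSON.parse does create, shows up there.
function findRiskyKeys(value, path = '', out = []) {
  if (value === null || typeof value !== 'object') return out;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findRiskyKeys(item, `${path}/${i}`, out));
    return out;
  }
  for (const key of Object.keys(value)) {
    const here = `${path}/${key}`;
    if (RISKY_KEYS.has(key)) out.push(here);
    findRiskyKeys(value[key], here, out);
  }
  return out;
}

// Gate: parse the schema text and hand it on only if it is clean.
function acceptUntrustedSchema(jsonText) {
  const schema = JSON.parse(jsonText);
  const hits = findRiskyKeys(schema);
  if (hits.length > 0) {
    throw new Error(`schema rejected; risky keys at ${hits.join(', ')}`);
  }
  return schema;
}

// Constructed sample inputs (not taken from the PR).
const BENIGN_SCHEMA = '{"type":"object","properties":{"name":{"type":"string"}}}';
const SUSPICIOUS_SCHEMA =
  '{"type":"object","properties":{"__proto__":{"type":"string"}},"default":[{"constructor":{}}]}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('ajv 6.12.2 patched?', isPatchedAjv('6.12.2'));
  console.log('ajv 6.12.3 patched?', isPatchedAjv('6.12.3'));
  console.log('risky keys:', findRiskyKeys(JSON.parse(SUSPICIOUS_SCHEMA)));
}
```

Run it with `node` to see the two version verdicts and the flagged paths; in a real project `isPatchedAjv` would be fed the version from the lockfile, and `acceptUntrustedSchema` would sit between the place a schema is received and the call that compiles it.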
Release Notes
ajv-validator/ajv (ajv)
v6.12.3
Compare Source
Pass schema object to processCode function
Option for strictNumbers (@issacgerges, #1128)
Fixed vulnerability related to untrusted schemas (CVE-2020-15366)
v6.12.2
Compare Source
Removed post-install script
v6.12.1
Compare Source
Docs and dependency updates
v6.12.0
Compare Source
Improved hostname validation (@sambauers, #1143)
Option `keywords` to add custom keywords (@franciscomorais, #1137)
Types fixes (@boenrobot, @MattiAstedrone)
Docs:
v6.11.0
Compare Source
Time formats support two digit and colon-less variants of timezone offset (#1061, @cjpillsbury)
Docs: RegExp related security considerations
Tests: Disabled failing typescript test
v6.10.2
Compare Source
Fix: the unknown keywords were ignored with the option `strictKeywords: true` (instead of failing compilation) in some sub-schemas (e.g. anyOf), when the sub-schema didn't have known keywords.
v6.10.1
Compare Source
Fix types
Fix addSchema (#1001)
Update dependencies
v6.10.0
Compare Source
Option `strictDefaults` to report ignored defaults (#957, @not-an-aardvark)
Option `strictKeywords` to report unknown keywords (#781)
v6.9.2
Compare Source
v6.9.1
Compare Source
v6.9.0
Compare Source
OpenAPI keyword
nullable
can be any boolean (and not onlytrue
).Custom keyword definition changes:
dependencies
option in to require the presence of keywords in the same schema.v6.8.1
Compare Source
v6.8.0
Compare Source
Docs: security considerations.
Meta-schema for the security assessment of JSON Schemas.
v6.7.0
Compare Source
Option `useDefaults: "empty"` to replace `null` and `""` (empty strings) with default values (in addition to assigning defaults to missing and undefined properties).
Update draft-04 meta-schema to remove incorrect usage of "uri" format.
v6.6.2
Compare Source
v6.6.1
Compare Source
v6.6.0
Compare Source
Keyword "nullable" from OpenAPI spec
Replaced phantomjs with headless chrome
v6.5.5
Compare Source
v6.5.4
Compare Source
v6.5.3
Compare Source
v6.5.2
Compare Source
v6.5.1
Compare Source
v6.5.0
Compare Source
With option `passContext`, the context is now passed in recursive/mutually recursive refs (@cvlab, #768).
v6.4.0
Compare Source
Support URNs in $id - core `url` package is replaced with `url-js` (#423, @sondrele).
v6.3.0
Compare Source
Typescript declarations updated to use PromiseLike (#717, @krenor)
v6.2.1
Compare Source
v6.2.0
Compare Source
Parameter `allowedValue` in the error of `const` keyword (#713, @marshall007).
v6.1.1
Compare Source
v6.1.0
Compare Source
A different error message for additionalProperties error with `errorDataPath: 'property'` option (#671, @lehni)
v6.0.1
Compare Source
v6.0.0
Compare Source
Changes from v5.5.2
draft-07 support:
`if`/`then`/`else` keywords
`$comment` keyword
Schema IDs
`$id` keyword is used as schema ID by default. `schemaId` option should be set to "id" or "auto" for `id` keyword to be used. See Options.
Formats
`date`, `date-time`, `time`: support leap year and leap second
`json-pointer`: only validates a string format of JSON pointer
`json-pointer-uri-fragment`: to validate uri-fragment format of JSON pointer
Keyword changes
`uniqueItems` keyword to validate an array of same-type scalars in one pass
`uniqueItems` and `contains` are validated after `items` and type coercion (with `coerceTypes` option)
`oneOf` keyword
`patternGroups` keyword
`examples`, `readOnly`, `writeOnly`, `contentEncoding`, `contentMediaType`.
Other
`then`/`else` keywords.
`$comment` to log/pass to a function strings from `$comment` keyword.
v5.5.2
Compare Source
v5.5.1
Compare Source
v5.5.0
Compare Source
Support chaining of methods add* and remove* (#625, @pithu), see Api.
v5.4.0
Compare Source
Option `logger` to disable logging or to specify a custom logger (#618, @meirotstein).
v5.3.0
Compare Source
Replace json-stable-stringify with a faster fork without jsonify.
v5.2.5
Compare Source
v5.2.4
Compare Source
v5.2.3
Compare Source
v5.2.2
Compare Source
v5.2.1
Compare Source
v5.2.0
Compare Source
Refactor: separate "equal" into package fast-deep-equal
v5.1.6
Compare Source
v5.1.5
Compare Source
v5.1.4
Compare Source
v5.1.3
Compare Source
v5.1.2
Compare Source
v5.1.1
Compare Source
v5.1.0
Compare Source
Changed order of type validation - "type" keyword is now validated before keywords that apply to all types.
v5.0.1
Compare Source
v5.0.0
Compare Source
This release is fully backward compatible, but it may require either migrating your schemas (recommended, e.g. using "migrate" command of ajv-cli) or changing your code that uses Ajv.
You can still use draft-04 and v5 schemas with this release (see Migration guide below).
The changes below are relative to version 4.11.7.
JSON-Schema draft-06 support
`true`/`false` can be used in order to always pass/fail validation.
`$id` keyword is used as schema URI (previously `id`).
`exclusiveMaximum` and `exclusiveMinimum` keywords must be numbers (previously boolean).
See Internet drafts: JSON Schema, JSON Schema Validation.
Migrating from Ajv 4.x.x
Migrate your schemas
It is the recommended approach.
Required changes
replace `id` with `$id`
`$schema`
replace `exclusiveMaximum`/`exclusiveMinimum` with numeric form
replace `constant` with `const`
Optional changes
replace `enum` with a single allowed value with `const`
`true`
replace `{"not":{}}` with `false`
You can use the "migrate" command of ajv-cli to make these changes to your schemas.
If you need to continue using draft-04 schemas
If you need to continue using schemas requiring v5 mode of Ajv
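The migration list above, carried out in code as an added example; this is not the PR's code and not ajv-cli's "migrate" command, only a small walker that applies the required changes (`id` to `$id`, boolean `exclusiveMaximum`/`exclusiveMinimum` to the numeric form, `constant` to `const`) and the optional single-value `enum` to `const` rewrite. Assumptions: the `$schema` bump targets the draft-06 URI (other `$schema` values are left alone), and the sample schema and its `example.com` id are constructed for the demonstration. The walker goes slightly beyond the list in one respect a practitioner needs: names under `properties`, `patternProperties`, `definitions` and `dependencies`, and values of literal keywords such as `enum` and `default`, are never treated as keywords, so a property called `id` is not renamed.

```javascript
// Added example, not the PR's code and not ajv-cli's "migrate" command: a
// small draft-04 -> draft-06 migration applying the changes listed above.
// Assumption: the target $schema is the draft-06 URI.

const DRAFT04 = 'http://json-schema.org/draft-04/schema#';
const DRAFT06 = 'http://json-schema.org/draft-06/schema#'; // assumed target

// Keywords whose object values map user-chosen names to subschemas; the names
// themselves are never keywords, so an "id" property must not become "$id".
const NAME_MAPS = new Set(['properties', 'patternProperties', 'definitions', 'dependencies']);
// Keywords whose values are JSON literals, not schemas; never rewritten inside.
const LITERALS = new Set(['enum', 'const', 'constant', 'default', 'examples']);

function migrateSchema(node) {
  if (Array.isArray(node)) return node.map(migrateSchema);
  if (node === null || typeof node !== 'object') return node;

  const out = {};
  for (const [key, value] of Object.entries(node)) {
    if (NAME_MAPS.has(key) && value !== null && typeof value === 'object' && !Array.isArray(value)) {
      out[key] = {};
      for (const [name, sub] of Object.entries(value)) out[key][name] = migrateSchema(sub);
    } else if (LITERALS.has(key)) {
      out[key === 'constant' ? 'const' : key] = value;   // constant -> const
    } else if (key === 'id') {
      out.$id = value;                                     // id -> $id
    } else if (key === '$schema') {
      out.$schema = value === DRAFT04 ? DRAFT06 : value;
    } else if (key === 'exclusiveMaximum' || key === 'exclusiveMinimum') {
      // boolean form is resolved below together with maximum/minimum
    } else {
      out[key] = migrateSchema(value);
    }
  }

  // draft-04 {maximum: N, exclusiveMaximum: true} -> draft-06 {exclusiveMaximum: N};
  // an already numeric value is kept; exclusiveMaximum: false is simply dropped.
  for (const [bound, excl] of [['maximum', 'exclusiveMaximum'], ['minimum', 'exclusiveMinimum']]) {
    if (node[excl] === true && typeof node[bound] === 'number') {
      out[excl] = node[bound];
      delete out[bound];
    } else if (typeof node[excl] === 'number') {
      out[excl] = node[excl];
    }
  }

  // Optional change from the list above: enum with exactly one value -> const.
  if (Array.isArray(out.enum) && out.enum.length === 1 && !('const' in out)) {
    out.const = out.enum[0];
    delete out.enum;
  }
  return out;
}

// Constructed draft-04 sample (not from the PR); the id URL is hypothetical.
const SAMPLE_DRAFT04 = {
  $schema: DRAFT04,
  id: 'http://example.com/schemas/user.json',
  type: 'object',
  properties: {
    id: { type: 'integer', minimum: 0, exclusiveMinimum: true },
    role: { enum: ['admin'] },
    tag: { constant: 'x' },
    score: { type: 'number', maximum: 100, exclusiveMaximum: false }
  },
  required: ['id']
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(migrateSchema(SAMPLE_DRAFT04), null, 2));
}
```

The output keeps the `id` property name under `properties` while the top-level `id` becomes `$id`, turns `minimum: 0, exclusiveMinimum: true` into `exclusiveMinimum: 0`, and rewrites the one-value `enum` and the `constant` keyword to `const`.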
Changes
Validation keywords
Moved/deprecated: `patternRequired`.
Formats
Methods
`compileAsync` method returns Promise and supports async loading of meta-schemas (#249, #334).
Options
`schemaId` determining whether $id, id or both are used.
`$data` for $data reference support.
`ownProperties` supports all keywords (#197).
`serialize` to replace json-stable-stringify with another function to serialise schemas.
`meta: false` is used without `validateSchema: false`.
`processCode: function() {}` can be used to beautify/transpile generated code.
`beautify: true` is no longer supported.
`v5` is no longer used.
Option defaults changed:
"ignore" - when $ref is used other keywords are ignored (was `true`) (#294).
`false` - do not store source code of validation functions (was `true`) (#309).
`true` - fail schema compilation (was "ignore") (#324).
Asynchronous validation
`transpile` option support require ajv-async package.
"co*" (co-wrapped generator functions).
`processCode` option. See Options.
`true`).
Other
`console.warn` and `console.error` (#265).
Related packages
Compatible versions are:
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.