build(deps): bump ajv from 8.17.1 to 8.18.0 in /backend in the npm_and_yarn group across 1 directory #10

Closed
dependabot[bot] wants to merge 1 commit from dependabot/npm_and_yarn/backend/npm_and_yarn-74e8754882 into main
dependabot[bot] commented 2026-02-20 06:45:55 +00:00 (Migrated from github.com)

Bumps the npm_and_yarn group with 1 update in the /backend directory: ajv (https://github.com/ajv-validator/ajv).

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases (https://github.com/ajv-validator/ajv/releases).

v8.18.0

What's Changed
  • feat: allow tree-shaking by adding `"sideEffects": false` to `package.json` by @josdejong in ajv-validator/ajv#2480
  • fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in ajv-validator/ajv#2487
  • fix: small grammatical error in managing-schemas.md by @monteiro-renato in ajv-validator/ajv#2508
  • fix: typos in schema-language.md by @monteiro-renato in ajv-validator/ajv#2507
  • fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in ajv-validator/ajv#2586

New Contributors
  • @josdejong made their first contribution in ajv-validator/ajv#2480
  • @monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0

Commits
  • 142ce84 8.18.0
  • 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
  • 82735a1 fix: typos in schema-language.md (#2507)
  • b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
  • 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
  • f06766f feat: allow tree-shaking by adding `"sideEffects": false` to `package.json` ...
  • See full diff in compare view (https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0)

Dependabot compatibility score (see https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page (https://github.com/BothimTV/punktesystem/network/alerts).
coderabbitai[bot] commented 2026-02-20 06:46:06 +00:00 (Migrated from github.com)

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Comment @coderabbitai help to get the list of available commands and usage tips.

socket-security[bot] commented 2026-02-20 06:46:29 +00:00 (Migrated from github.com)

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub (https://socket.dev?utm_medium=gh).

Action: Warn
Severity: Low
Alert: Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code implements a standard AJV-like dynamic parser generator for JTD schemas. There are no explicit malware indicators in this fragment. The primary security concern is the dynamic code generation and execution from external schemas, which introduces a medium risk if schemas are untrusted. With trusted schemas and proper schema management, the risk is typically acceptable within this pattern.

Confidence: 1.00

Severity: 0.60

From: backend/pnpm-lock.yaml → npm/fastify@5.7.4 → npm/ajv@8.18.0

ℹ Read more on: This package (https://socket.dev/npm/package/ajv/overview/8.18.0) | This alert (https://socket.dev/dashboard/org/BothimTV/diff-scan/f90cf9d8-944c-40af-a1ba-cbc53ed0aac6?tab=alerts&alert_item_key=QeVe3wi4rbrVHpSbgRxjJVxq6iur9noUWDV6k7HoIJ1A) | What is an AI-detected potential code anomaly? (https://socket.dev/alerts/gptAnomaly)

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn
Severity: Low
Alert: Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code implements standard timestamp validation with clear logic for normal and leap years and leap seconds. There is no network, file, or execution of external code within this isolated fragment. The only anomalous aspect is assigning a string to validTimestamp.code, which could enable external tooling to inject behavior in certain environments, but this does not constitute active malicious behavior in this isolated snippet. Overall, low to moderate security risk in typical usage; no malware detected within the shown code.

Confidence: 1.00

Severity: 0.60

From: backend/pnpm-lock.yaml → npm/fastify@5.7.4 → npm/ajv@8.18.0

ℹ Read more on: This package (https://socket.dev/npm/package/ajv/overview/8.18.0) | This alert (https://socket.dev/dashboard/org/BothimTV/diff-scan/f90cf9d8-944c-40af-a1ba-cbc53ed0aac6?tab=alerts&alert_item_key=QPyM17ZfCPw-6A08GupkIYcBvYSDY9_xR-k1DbzqJYMI) | What is an AI-detected potential code anomaly? (https://socket.dev/alerts/gptAnomaly)

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn
Severity: Low
Alert: Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: This module generates JavaScript code at runtime via standaloneCode(...) and then immediately executes it with require-from-string. Because the generated code can incorporate user-supplied schemas or custom keywords without sanitization or sandboxing, an attacker who controls those inputs could inject arbitrary code and achieve remote code execution in the Node process. Users should audit and lock down the standaloneCode output or replace dynamic evaluation with a safer, static bundling approach.

Confidence: 1.00

Severity: 0.60

From: backend/pnpm-lock.yaml → npm/fastify@5.7.4 → npm/ajv@8.18.0

ℹ Read more on: This package (https://socket.dev/npm/package/ajv/overview/8.18.0) | This alert (https://socket.dev/dashboard/org/BothimTV/diff-scan/f90cf9d8-944c-40af-a1ba-cbc53ed0aac6?tab=alerts&alert_item_key=Qh9nkVCPGclCt1cjd1etPyt_2O7cfnT4WgB2XJJO7Pyk) | What is an AI-detected potential code anomaly? (https://socket.dev/alerts/gptAnomaly)

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report: https://socket.dev/dashboard/org/BothimTV/diff-scan/f90cf9d8-944c-40af-a1ba-cbc53ed0aac6?tab=alerts&action=error%2Cwarn
dependabot[bot] commented 2026-02-20 11:57:36 +00:00 (Migrated from github.com)

Superseded by #11.
