
chore: resolve open dependabot security alerts #217

Open

jonathannorris wants to merge 2 commits into main from chore/dependabot-alerts

Conversation

@jonathannorris (Member) commented Jun 1, 2026

Summary

  • Replaced the abandoned ajv-cli@5.0.0 with @jirutka/ajv-cli@^6.0.0, a maintained fork that declares fast-json-patch: ^3.1.1 natively. This resolves the prototype pollution vulnerability (alert #1, high severity) without any overrides entry.
  • Regenerated package-lock.json; npm audit reports zero vulnerabilities.
  • Added -o /dev/null to the ajv compile invocations in the Makefile. In @jirutka/ajv-cli@6, running ajv compile without -o dumps the full compiled JS validator module to stdout (an intentional breaking change from v5, where that output was silently discarded). Since this target only validates schemas and never captures compiled output, -o /dev/null restores the original behavior: just the "schema X is valid" status lines.

Notes

ajv-cli has had no release since v5.0.0 in March 2021. The upstream fix PR (ajv-validator/ajv-cli#227) has been open for 3+ years with no maintainer response. @jirutka/ajv-cli is a maintained fork published on npm under the same ajv binary name; the compile -s/-r interface used in this repo is unchanged.

- fast-json-patch <3.1.1 -> ^3.1.1 via npm overrides scoped to ajv-cli (high, alert #1)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris requested a review from a team as a code owner June 1, 2026 14:07
@jonathannorris jonathannorris marked this pull request as draft June 1, 2026 14:07
@gemini-code-assist (Bot) left a comment

Code Review

This pull request adds an override in package.json to force ajv-cli to use fast-json-patch version ^3.1.1, with corresponding updates in package-lock.json. Feedback was provided to run npm install to ensure the overrides metadata is correctly mirrored in the root of package-lock.json to prevent the lockfile from being out of sync.
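The two lockfile concerns raised above, the override for fast-json-patch in the PR description and the bot's note that overrides must be mirrored in package-lock.json, can be checked mechanically. The script below is an added example, not code from this PR or its repository; its function names are assumptions and the package.json / package-lock.json data is constructed to resemble the state before `npm install` was re-run.

```javascript
// Added example, not code from this PR or its repository: audit a lockfile
// (v2/v3 "packages" map) for fast-json-patch copies below the fixed 3.1.1 and
// check that package.json overrides are mirrored at the lockfile root.
// Function names are assumptions; sample data below is constructed.

// Minimal "x.y.z" comparison (assumption: no prerelease tags in the lock).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Every lockfile path whose package is `name` and whose resolved version is
// older than `minVersion`. Nested copies such as
// node_modules/ajv-cli/node_modules/fast-json-patch are included: that is
// where a vulnerable copy survives when an override is missing or unscoped.
function findVulnerable(lock, name, minVersion) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/' + name)) continue;
    if (cmpVersion(pkg.version, minVersion) < 0) hits.push(`${path}@${pkg.version}`);
  }
  return hits;
}

// npm copies package.json "overrides" into packages[""] of package-lock.json;
// when the two differ, `npm ci` rejects the lockfile as out of sync.
function overridesMirrored(pkgJson, lock) {
  const want = JSON.stringify(pkgJson.overrides || {});
  const root = (lock.packages || {})[''] || {};
  return want === JSON.stringify(root.overrides || {});
}

// Constructed sample: the override was added to package.json but the lockfile
// was not regenerated, so its root lacks the override and the nested copy
// under ajv-cli is still on an old version.
const samplePkgJson = { name: 'demo', overrides: { 'ajv-cli': { 'fast-json-patch': '^3.1.1' } } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/ajv-cli': { version: '5.0.0' },
    'node_modules/ajv-cli/node_modules/fast-json-patch': { version: '2.2.1' },
    'node_modules/fast-json-patch': { version: '3.1.1' },
  },
};
console.log(findVulnerable(sampleLock, 'fast-json-patch', '3.1.1')); // one nested hit
console.log(overridesMirrored(samplePkgJson, sampleLock)); // false
```

Running it against a real checkout means reading the two files with `JSON.parse(fs.readFileSync(...))` in place of the constructed objects.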

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris marked this pull request as ready for review June 1, 2026 19:38