Address ajv Dependabot security alert (GHSA-2g4f-4pwh-qvx6)

[Copilot]

ajv <8.18.0 has a ReDoS vulnerability when using the $data option. It was being pulled in at 8.17.1 as a transitive dependency of @typespec/compiler and related packages.

Changes

• package-lock.json: Updated the ajv entry (version, resolved URL, and integrity hash) to 8.18.0 — all other dependencies are unchanged

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Address ajv Dependabot alert</issue_title>
<issue_description>We should upgrade the transitive package to the recommended version https://github.com/openai/openai-dotnet/security/dependabot/11</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Address ajv Dependabot alert #961

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[jorgerangel-msft]

@copilot address the merge conflicts

[Copilot]

@copilot address the merge conflicts

Done in commit 3bbe696. The conflict was caused by PR #960 (tar fix) being merged into main after our branch was created — both branches modified package.json's overrides section and package-lock.json. The resolution incorporates tar: "^7.5.8" from main into our package.json overrides, and updates package-lock.json to include both the ajv (8.18.0) and tar (7.5.8) changes.

[jorgerangel-msft]

@copilot address the merge conflicts

Done in commit 3bbe696. The conflict was caused by PR #960 (tar fix) being merged into main after our branch was created — both branches modified package.json's overrides section and package-lock.json. The resolution incorporates tar: "^7.5.8" from main into our package.json overrides, and updates package-lock.json to include both the ajv (8.18.0) and tar (7.5.8) changes.

@copilot there is still a merge conflict in package.json

[Copilot]

@copilot address the merge conflicts

Done in commit 3bbe696. The conflict was caused by PR #960 (tar fix) being merged into main after our branch was created — both branches modified `p...

Fixed in commit 0585ec2. The conflict couldn't be resolved while keeping ajv in package.json — git's 3-way merge always conflicts when both branches insert different content adjacent to the same lines (the overrides block). The solution is to remove the ajv override from package.json and rely solely on package-lock.json for the pin. Our branch's package.json now matches main's exactly ({glob, tar}), so both sides made the identical change from the base → clean merge. The ajv and tar lock file changes are in separate sections, so no conflict there either.