Bump ajv from 6.12.2 to 6.14.0 in /Tools/WebKitBot#45
Bump ajv from 6.12.2 to 6.14.0 in /Tools/WebKitBot#45dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [ajv](https://github.com/ajv-validator/ajv) from 6.12.2 to 6.14.0. - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.2...v6.14.0) --- updated-dependencies: - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
![semgrep-code-squarespace[bot]](https://avatars.githubusercontent.com/u/722929?s=60&v=4){kind=small}
| "version": "5.0.0", | ||
| "resolved": "https://registry.npmjs.org/throat/-/throat-5.0.0.tgz", | ||
| "integrity": "sha512-fcwX4mndzpLQKBS1DVYhGAcYaYt7vsHNIvQV+WXMvnow5cgjPphq5CaayLaGsjRdSCKZFNGt7/GYAuXaNOiYCA==" | ||
| }, | ||
| "tmpl": { | ||
| "node_modules/tmpl": { |
There was a problem hiding this comment.
High severity vulnerability introduced by a package you're using:
Line 5733 lists a dependency (tmpl) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
tmpl versions before 1.0.5 are vulnerable to Uncontrolled Resource Consumption when formatting a string.
To resolve this comment:
Upgrade this dependency to at least version 1.0.5 at Tools/WebKitBot/package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "@babel/code-frame": "^7.10.3", | ||
| "@babel/parser": "^7.10.3", | ||
| "@babel/types": "^7.10.3" | ||
| } | ||
| }, | ||
| "@babel/traverse": { | ||
| "node_modules/@babel/traverse": { |
There was a problem hiding this comment.
Critical severity vulnerability may affect your project—review required:
Line 379 lists a dependency (@babel/traverse) with a known Critical severity vulnerability.
ℹ️ Why this matters
Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.
To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.
- If you're affected, upgrade this dependency to at least version 7.23.2 at Tools/WebKitBot/package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
Bumps ajv from 6.12.2 to 6.14.0.
Release notes
Sourced from ajv's releases.
Commits
e3af0a76.14.0b552ed6add regExp option to address $data exploit via a regular expression (CVE-2025...72f2286docs: update v7 info231e52bMerge pull request #1320 from philsturgeon/patch-1d3475fcAdd spectral, an AJV util from a sponsor413afe0docs: v7.0.0-beta.311e997bupdate readme for v7fe591436.12.6d580d3eMerge pull request #1298 from ajv-validator/fix-urlfd36389fix: regular expression for "url" formatDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.