chore: pin ajv to 6.14.0 to avoid security problem#130

Merged: Gonzo17 merged 1 commit into main from fix/audit on Feb 23, 2026

Conversation


@Gonzo17 Gonzo17 commented Feb 23, 2026

Summary

Pin to 6.14.0, because with higher versions linting fails, but lower versions have a security issue.

Related issue(s)

Closes #91

Type of change

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • CI

Checklist

  • Tests added/updated
  • i18n keys added/updated (if needed)
  • No breaking changes

Screenshots

(If UI change)

Summary by CodeRabbit

  • Chores
    • Updated workspace dependency version pinning for improved consistency and stability across environments.


coderabbitai bot commented Feb 23, 2026

Walkthrough

Adds a single override entry to pnpm-workspace.yaml that pins ajv to version 6.14.0 for dependency versions below that threshold. This addresses a moderate vulnerability in eslint's transitive ajv dependency.

Changes

Cohort / File(s): Dependency Override Configuration (pnpm-workspace.yaml)
Summary: Added ajv version override pinning to address transitive dependency vulnerability in eslint.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hops with glee, ajv now pinned,
A version override tucked within,
No vulnerabilities shall break the build,
Our workspace dependencies now fulfilled!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Linked Issues check: ⚠️ Warning
Explanation: The PR addresses issue #91 by pinning ajv to 6.14.0, which partially fulfills the security vulnerability fix objective, but omits the tar vulnerability fix also specified in #91.
Resolution: Address both vulnerabilities from issue #91: in addition to the ajv fix, also add a pnpm override for tar (>=7.5.8) to resolve the HIGH severity vulnerability mentioned in the issue.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title clearly and concisely describes the main change: pinning ajv to 6.14.0 for security reasons.
Description check: ✅ Passed. The description covers all required sections: summary, related issue, type of change, and checklist, following the template structure.
Out of Scope Changes check: ✅ Passed. The single change to pin ajv is directly within scope of issue #91, which recommends using pnpm.overrides to address the vulnerability.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@Gonzo17 Gonzo17 merged commit 0e54eee into main Feb 23, 2026
9 of 10 checks passed
@Gonzo17 Gonzo17 deleted the fix/audit branch February 23, 2026 01:51

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pnpm-workspace.yaml`:
- Line 9: The override currently pins ajv to 6.14.0 using the string
"ajv@<6.14.0: 6.14.0" but that does not remediate CVE-2025-69873 because all
versions through 8.17.1 are vulnerable; update the pnpm override for the ajv
package (the "ajv" override entry) to pin to the fixed release 8.18.0 instead so
that consumers resolve to a non-vulnerable ajv version.

- vue-demi

overrides:
ajv@<6.14.0: 6.14.0

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, find and examine the pnpm-workspace.yaml file
git ls-files | grep -E '(pnpm-workspace|pnpm-lock)'

Repository: flumen-dev/flumen.dev

Length of output: 99


🏁 Script executed:

# Look at the pnpm-workspace.yaml file to see the current state
cat -n pnpm-workspace.yaml

Repository: flumen-dev/flumen.dev

Length of output: 334


🏁 Script executed:

# Check if pnpm-lock.yaml exists and examine ajv versions
if [ -f pnpm-lock.yaml ]; then
  echo "=== Checking ajv entries in pnpm-lock.yaml ==="
  rg -n 'ajv@' pnpm-lock.yaml | head -30
else
  echo "pnpm-lock.yaml not found"
fi

Repository: flumen-dev/flumen.dev

Length of output: 173


🏁 Script executed:

# Look for issue `#91` or any related documentation/comments about the ajv vulnerability
# -n prints line numbers; -r would have been --replace and turned the pattern into a replacement string
rg -n '#91|ajv.*advisory|ajv.*vulnerab' --type md --type txt --type yaml . | head -20

Repository: flumen-dev/flumen.dev

Length of output: 16415


🏁 Script executed:

# Check git history for context about this change
git log --oneline --all | grep -i ajv | head -10

Repository: flumen-dev/flumen.dev

Length of output: 123


🌐 Web query:

ajv CVE vulnerability 6.14.0 8.18.0 fix

💡 Result:

For Ajv (npm ajv), the “what version fixes it?” depends on which CVE you mean:

  • CVE-2025-69873 (ReDoS when $data is enabled and pattern is attacker-controlled)
    Affected: Ajv through 8.17.1 (i.e., < 8.18.0, so 6.14.0 is affected) • Fixed: upgrade to 8.18.0+. The upstream fix was merged Feb 14, 2026 and released as 8.18.0. [1][2][3]

  • CVE-2020-15366 (prototype pollution / potential code execution via crafted schema in ajv.validate())
    Affected: Ajv 6.12.2Fixed: 6.12.3+ (so 6.14.0 is not affected). [4]

If you can’t upgrade immediately for CVE-2025-69873, mitigate by not enabling $data (or ensuring $data-sourced pattern values can’t be attacker-controlled). [1]

Sources
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69873
[2] ajv-validator/ajv#2586
[3] https://security.snyk.io/package/npm/ajv
[4] https://nvd.nist.gov/vuln/detail/CVE-2020-15366


🌐 Web query:

ajv security advisory 2024 2025 vulnerable versions

💡 Result:

For Ajv (npm package ajv), I could not find any Ajv-specific CVEs/GHSAs that were published in 2024 or 2025. The Ajv advisory that’s currently driving “vulnerable versions” alerts was published Feb 11, 2026 (not 2024/2025): CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6. [1][2]

CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6 (ReDoS with $data)

  • Vulnerable Ajv versions: <= 8.17.1 (i.e., < 8.18.0) [1][2]
  • Fixed version: 8.18.0 [3]
  • Condition: exploitable when Ajv is used with $data option enabled, allowing attacker-controlled regex patterns to reach RegExp() and trigger catastrophic backtracking (ReDoS). [1][2]

Sources: NVD CVE record [1], OSV/GHSA record [2], Snyk package page (shows latest as non-vulnerable and indicates fix at 8.18.0) [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69873
[2] https://osv.dev/vulnerability/GHSA-2g4f-4pwh-qvx6
[3] https://security.snyk.io/package/npm/ajv


🏁 Script executed:

# Look for any GitHub issues or PR references in the repo
find . -type f \( -name "*.md" -o -name "*.txt" -o -name ".github" \) -exec grep -l "ajv\|#91" {} \; | head -20

Repository: flumen-dev/flumen.dev

Length of output: 47


🏁 Script executed:

# Check if there's a package.json or similar that might reference the issue
cat -n package.json 2>/dev/null | head -50

Repository: flumen-dev/flumen.dev

Length of output: 2138


🏁 Script executed:

# Find which packages depend on ajv
# the lockfile is YAML, so do not restrict the search to --type json
rg -n "ajv" pnpm-lock.yaml | head -30

Repository: flumen-dev/flumen.dev

Length of output: 47


🏁 Script executed:

# Check if $data option is enabled anywhere in the codebase
rg -n '\$data' . --type js --type ts --type json | head -20

Repository: flumen-dev/flumen.dev

Length of output: 756


Override doesn't remediate the ajv CVE-2025-69873 vulnerability (still vulnerable).

Line 9 only forces versions below 6.14.0 to 6.14.0, but the Ajv ReDoS advisory (CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6) affects all versions through 8.17.1 and is fixed in 8.18.0. This leaves 6.14.0 vulnerable and doesn't satisfy the security objective. Update the override to pin to 8.18.0:

🔧 Proposed fix
 overrides:
-  ajv@<6.14.0: 6.14.0
+  ajv@<8.18.0: 8.18.0
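Review bot: the widened selector `ajv@<8.18.0` also rewrites the ajv that eslint pulls in transitively, so eslint would be handed ajv 8.18.0, and the PR description states that linting fails with higher ajv versions; run the lint job against this hunk before accepting it. The "all versions through 8.17.1" reasoning above is the NVD range summary, so also confirm from the GHSA-2g4f-4pwh-qvx6 affected/patched list whether a fixed 6.x release exists on the 6 line, since if 6.14.0 is such a backport the original `ajv@<6.14.0: 6.14.0` pin already satisfies the advisory and this change is unnecessary churn.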
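An override line says what pnpm should do; the lockfile says what it did. The check below, an added example that is not code from the PR, the flumen.dev repository or the CodeRabbit review, extracts every version of a package that a pnpm v9 lockfile resolves and reports which of them still sit below the first fixed release of their major line. The lockfile excerpt, its integrity strings and the two `patchedByMajor` maps are constructed for this example; the two maps encode the two readings of CVE-2025-69873 argued over in the review above (only 8.18.0 fixes it, or 6.14.0 is a backported fix), and the advisory's own patched-version list, not this example, decides which one is right.

```javascript
// Added example, not code from the PR, the flumen.dev repository or the
// CodeRabbit review. After changing a pnpm override, check what the lockfile
// actually resolves instead of trusting the override line. The lockfile
// excerpt and the integrity strings below are constructed for this example.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'

overrides:
  ajv@<6.14.0: 6.14.0

packages:

  ajv@6.14.0:
    resolution: {integrity: sha512-constructed}

  ajv@8.17.1:
    resolution: {integrity: sha512-constructed}

  ajv-keywords@3.5.2:
    resolution: {integrity: sha512-constructed}

  eslint@8.57.0:
    resolution: {integrity: sha512-constructed}

  tar@7.4.3:
    resolution: {integrity: sha512-constructed}

snapshots:

  ajv@6.14.0: {}

  ajv@8.17.1: {}
`;

// "M.m.p" -> [M, m, p]; pre-release and build suffixes are dropped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every version of `pkg` that appears as a "  <name>@<version>" entry.
// pnpm v9 lockfiles key the packages: and snapshots: sections that way, with
// peer-dependency suffixes in parentheses, e.g. "vue-demi@0.14.10(vue@3.5.13):".
// Requiring "@" right after the name keeps ajv-keywords from matching a query
// for ajv; override selectors such as "ajv@<6.14.0" are skipped because a
// version must start with a digit.
function resolvedVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^  ' + escaped + '@(\\d+\\.\\d+\\.\\d+[^:(\\s]*)[(:]', 'gm');
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Versions still below the fix for their release line. `patchedByMajor` maps
// a major version to the first fixed release on that line. A line with no
// entry has no fix of its own, so a version on it counts as vulnerable when
// it predates the earliest fix given (the "through 8.17.1" reading).
function stillVulnerable(versions, patchedByMajor) {
  const fixes = Object.values(patchedByMajor).sort(compareVersions);
  if (fixes.length === 0) throw new Error('patchedByMajor must not be empty');
  return versions.filter((v) => {
    const fix = patchedByMajor[parseVersion(v)[0]] ?? fixes[0];
    return compareVersions(v, fix) < 0;
  });
}

// Both maps are assumptions of this example; check the advisory's patched list.
const ONLY_8_FIXED = { 8: '8.18.0' };               // the review's reading
const BACKPORT_TO_6 = { 6: '6.14.0', 8: '8.18.0' }; // the PR's reading

const ajv = resolvedVersions(SAMPLE_LOCK, 'ajv');
console.log('ajv resolved:', ajv);
console.log('still vulnerable if only 8.18.0 fixes it:', stillVulnerable(ajv, ONLY_8_FIXED));
console.log('still vulnerable if 6.14.0 is a backport:', stillVulnerable(ajv, BACKPORT_TO_6));
// tar: the linked-issue check asks for >=7.5.8; the constructed lockfile has 7.4.3.
console.log('tar below 7.5.8:', stillVulnerable(resolvedVersions(SAMPLE_LOCK, 'tar'), { 7: '7.5.8' }));
```

Run it with `node` against a real lockfile by replacing `SAMPLE_LOCK` with `fs.readFileSync('pnpm-lock.yaml', 'utf8')`; an override only counts as a remediation when the package's resolved versions all come back empty from `stillVulnerable`, and the tar query shows the second half of issue #91 that the pre-merge check flagged as still open.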


Development

Successfully merging this pull request may close this issue: Fix dependency vulnerabilities: tar (high) and ajv (moderate)