Bump oas-validator ajv dependency to 6.12.3 #261

Closed
lucaslago opened this issue Jul 29, 2020 · 5 comments

Comments

@lucaslago

Hi, any plans on updating AJV to 6.12.3? That version has a patch for a prototype pollution vulnerability in AJV: https://snyk.io/vuln/SNYK-JS-AJV-584908.

I'm happy to try to get a PR going if that's aligned with this package's goals.

@lucaslago changed the title from "Bump oas-valiator ajv dependency to 6.12.3" to "Bump oas-validator ajv dependency to 6.12.3" on Jul 29, 2020

@MikeRalphson
Contributor

Thanks. The current plan is to remove ajv in the next major version, and replace with either https://github.com/ExodusMovement/schemasafe or https://github.com/hyperjump-io/json-schema-validator depending on whichever gets us better error messages.

@MikeRalphson
Contributor

I should have made clear, the change to remove ajv is imminent.

@lucaslago
Author

@MikeRalphson that's great news, is there a planned date for that release?

@MikeRalphson
Contributor

Let me see if there is a milestone date on schemasafe coming out of RC stage...

@MikeRalphson
Contributor

oas-validator@5.0.0 has been released which addresses this security vulnerability.
