From 4c82f270bf2928653c028e48c92ca565b22a451f Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Sun, 17 May 2026 06:04:49 +0000 Subject: [PATCH] fix(root): resolve moderate ajv and brace-expansion vulnerabilities fixes DOC-325 - GHSA-2g4f-4pwh-qvx6 (CVE-2025-69873): pnpm overrides for eslint ajv 6.x (^6.14.0) and @scalar/openapi-parser>ajv (^8.18.0) to avoid hoisting ajv 8 where @novu/framework expects ajv 6. - GHSA-f886-m6hf-6m8v (CVE-2026-33750): override brace-expansion to ^1.1.13. Strategy: pnpm overrides (transitive fixes). Co-authored-by: Dima Grossman --- package.json | 3 +++ pnpm-lock.yaml | 69 +++++++++++++++++++++++--------------------------- 2 files changed, 34 insertions(+), 38 deletions(-) diff --git a/package.json b/package.json index 15b3c49fd..7bc9c9167 100644 --- a/package.json +++ b/package.json @@ -109,7 +109,10 @@ "pnpm": { "overrides": { "@babel/plugin-transform-modules-systemjs@>=7.12.0 <=7.29.3": "^7.29.4", + "ajv@<6.14.0": "^6.14.0", + "@scalar/openapi-parser>ajv": "^8.18.0", "altcha-lib": "^1.4.1", + "brace-expansion@<1.1.13": "^1.1.13", "defu@<=6.1.4": "^6.1.5", "estree-util-value-to-estree@<3.3.3": "^3.3.3", "fast-uri@<=3.1.1": "^3.1.2", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 090ddb1df..cc9593e62 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,7 +6,10 @@ settings: overrides: '@babel/plugin-transform-modules-systemjs@>=7.12.0 <=7.29.3': ^7.29.4 + ajv@<6.14.0: ^6.14.0 + '@scalar/openapi-parser>ajv': ^8.18.0 altcha-lib: ^1.4.1 + brace-expansion@<1.1.13: ^1.1.13 defu@<=6.1.4: ^6.1.5 estree-util-value-to-estree@<3.3.3: ^3.3.3 fast-uri@<=3.1.1: ^3.1.2 
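Review bot: The second ajv override in the package.json hunk, `"@scalar/openapi-parser>ajv": "^8.18.0"`, is scoped to a single parent, so any other dependency path that resolves ajv 8.x below 8.18.0 is not covered. The lockfile in this commit no longer contains `ajv@8.17.1`, but a later dependency addition could bring it back without matching an override. A version-range selector in the style of the existing babel entry, for example `"ajv@>=8.0.0 <8.18.0": "^8.18.0"`, could cover every path, assuming the ajv 6 consumers named in the description declare 6.x-only ranges and are therefore left alone. Separately, the `"ajv@<6.14.0"` selector also rewrote peer ranges in the lockfile, including one that went from `4.11.8 - 8` to `^6.14.0`, which narrows a package that previously accepted ajv 8 to ajv 6 only. It is worth confirming with `pnpm why ajv` and a fresh `pnpm audit` that no consumer of that package is paired with ajv 8.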
@@ -101,7 +104,7 @@ importers: version: 11.5.7(acorn@8.14.0)(fumadocs-core@15.2.11(@types/react@19.0.12)(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)) fumadocs-openapi: specifier: ^8.1.2 - version: 8.1.2(@scalar/api-client-react@1.2.7(@hyperjump/browser@1.2.0)(react@19.0.0)(tailwindcss@4.0.15)(typescript@5.8.2))(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(ajv@8.17.1)(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react-dom@19.0.0(react@19.0.0))(react@19.0.0)(tailwindcss@4.0.15) + version: 8.1.2(@scalar/api-client-react@1.2.7(@hyperjump/browser@1.2.0)(react@19.0.0)(tailwindcss@4.0.15)(typescript@5.8.2))(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(ajv@8.18.0)(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react-dom@19.0.0(react@19.0.0))(react@19.0.0)(tailwindcss@4.0.15) fumadocs-twoslash: specifier: ^3.1.0 version: 3.1.0(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(fumadocs-ui@15.2.11(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react-dom@19.0.0(react@19.0.0))(react@19.0.0)(tailwindcss@4.0.15))(react-dom@19.0.0(react@19.0.0))(react@19.0.0)(shiki@2.5.0)(typescript@5.8.2) 
@@ -3426,18 +3429,15 @@ packages: ajv-keywords@3.5.2: resolution: {integrity: sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==} peerDependencies: - ajv: ^6.9.1 + ajv: ^6.14.0 ajv-keywords@5.1.0: resolution: {integrity: sha512-YCS/JNFAUyr5vAuhk1DWm1CBxRHW9LbJ2ozWeemrIqpbsqKjHVxYPyi5GC0rjZIT5JxJ3virVTS8wk4i/Z+krw==} peerDependencies: ajv: ^8.8.2 - ajv@6.12.6: - resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==} - - ajv@8.17.1: - resolution: {integrity: sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==} + ajv@6.15.0: + resolution: {integrity: sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==} ajv@8.18.0: resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==} @@ -3565,7 +3565,7 @@ packages: resolution: {integrity: sha512-UW+IsFycygIo7bclP9h5ugkNH8EjCSgqyFB/yQ4Hqqa1OEYDtb0uFIkYE0b6+CjkgJYVM5UKI/pJPxjYe9EZlA==} engines: {node: '>= 12.13.0'} peerDependencies: - ajv: 4.11.8 - 8 + ajv: ^6.14.0 big.js@5.2.2: resolution: {integrity: sha512-vyL2OymJxmarO8gxMr0mhChsO9QGwhynfuu4+MHTAW6czfq9humCB7rKpUjDd9YUiDPU4mzpyupFSvOClAwbmQ==} @@ -3573,8 +3573,8 @@ packages: boolbase@1.0.0: resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==} - brace-expansion@1.1.11: - resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==} + brace-expansion@1.1.14: + resolution: {integrity: sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==} brace-expansion@2.1.0: resolution: {integrity: sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==} 
@@ -8111,7 +8111,7 @@ snapshots: '@eslint/eslintrc@2.1.4': dependencies: - ajv: 6.12.6 + ajv: 6.15.0 debug: 4.4.0 espree: 9.6.1 globals: 13.24.0 @@ -9819,18 +9819,18 @@ snapshots: '@scalar/openapi-parser@0.10.12': dependencies: - ajv: 8.17.1 - ajv-draft-04: 1.0.0(ajv@8.17.1) - ajv-formats: 3.0.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-draft-04: 1.0.0(ajv@8.18.0) + ajv-formats: 3.0.1(ajv@8.18.0) jsonpointer: 5.0.1 leven: 4.0.0 yaml: 2.7.0 '@scalar/openapi-parser@0.10.16': dependencies: - ajv: 8.17.1 - ajv-draft-04: 1.0.0(ajv@8.17.1) - ajv-formats: 3.0.1(ajv@8.17.1) + ajv: 8.18.0 + ajv-draft-04: 1.0.0(ajv@8.18.0) + ajv-formats: 3.0.1(ajv@8.18.0) jsonpointer: 5.0.1 leven: 4.0.0 yaml: 2.7.0 @@ -10778,41 +10778,34 @@ snapshots: clean-stack: 4.2.0 indent-string: 5.0.0 - ajv-draft-04@1.0.0(ajv@8.17.1): + ajv-draft-04@1.0.0(ajv@8.18.0): optionalDependencies: - ajv: 8.17.1 + ajv: 8.18.0 ajv-formats@2.1.1(ajv@8.18.0): optionalDependencies: ajv: 8.18.0 - ajv-formats@3.0.1(ajv@8.17.1): + ajv-formats@3.0.1(ajv@8.18.0): optionalDependencies: - ajv: 8.17.1 + ajv: 8.18.0 - ajv-keywords@3.5.2(ajv@6.12.6): + ajv-keywords@3.5.2(ajv@6.15.0): dependencies: - ajv: 6.12.6 + ajv: 6.15.0 ajv-keywords@5.1.0(ajv@8.18.0): dependencies: ajv: 8.18.0 fast-deep-equal: 3.1.3 - ajv@6.12.6: + ajv@6.15.0: dependencies: fast-deep-equal: 3.1.3 fast-json-stable-stringify: 2.1.0 json-schema-traverse: 0.4.1 uri-js: 4.4.1 - ajv@8.17.1: - dependencies: - fast-deep-equal: 3.1.3 - fast-uri: 3.1.2 - json-schema-traverse: 1.0.0 - require-from-string: 2.0.2 - ajv@8.18.0: dependencies: fast-deep-equal: 3.1.3 @@ -10969,7 +10962,7 @@ snapshots: boolbase@1.0.0: {} - brace-expansion@1.1.11: + brace-expansion@1.1.14: dependencies: balanced-match: 1.0.2 concat-map: 0.0.1 @@ -11744,7 +11737,7 @@ snapshots: '@humanwhocodes/module-importer': 1.0.1 '@nodelib/fs.walk': 1.2.8 '@ungap/structured-clone': 1.3.0 - ajv: 6.12.6 + ajv: 6.15.0 chalk: 4.1.2 cross-spawn: 7.0.6 debug: 4.4.0 
@@ -12032,14 +12025,14 @@ snapshots: - acorn - supports-color - fumadocs-openapi@8.1.2(@scalar/api-client-react@1.2.7(@hyperjump/browser@1.2.0)(react@19.0.0)(tailwindcss@4.0.15)(typescript@5.8.2))(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(ajv@8.17.1)(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react-dom@19.0.0(react@19.0.0))(react@19.0.0)(tailwindcss@4.0.15): + fumadocs-openapi@8.1.2(@scalar/api-client-react@1.2.7(@hyperjump/browser@1.2.0)(react@19.0.0)(tailwindcss@4.0.15)(typescript@5.8.2))(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(ajv@8.18.0)(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react-dom@19.0.0(react@19.0.0))(react@19.0.0)(tailwindcss@4.0.15): dependencies: '@fumari/json-schema-to-typescript': 1.1.3 '@radix-ui/react-dialog': 1.1.11(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(react-dom@19.0.0(react@19.0.0))(react@19.0.0) '@radix-ui/react-select': 2.2.2(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(react-dom@19.0.0(react@19.0.0))(react@19.0.0) '@radix-ui/react-slot': 1.2.0(@types/react@19.0.12)(react@19.0.0) '@scalar/openapi-parser': 0.10.16 - ajv-draft-04: 1.0.0(ajv@8.17.1) + ajv-draft-04: 1.0.0(ajv@8.18.0) class-variance-authority: 0.7.1 fast-glob: 3.3.3 fumadocs-core: 15.2.11(@types/react@19.0.12)(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react-dom@19.0.0(react@19.0.0))(react@19.0.0) @@ -13502,7 +13495,7 @@ snapshots: minimatch@3.1.5: dependencies: - brace-expansion: 1.1.11 + brace-expansion: 1.1.14 minimatch@9.0.9: dependencies: @@ -14405,8 +14398,8 @@ snapshots: schema-utils@3.3.0: dependencies: '@types/json-schema': 7.0.15 - ajv: 6.12.6 - ajv-keywords: 3.5.2(ajv@6.12.6) + ajv: 6.15.0 + ajv-keywords: 3.5.2(ajv@6.15.0) schema-utils@4.3.2: dependencies: