[rushstack] ajv must bump to 8.18.0 to address CVE #5647

@cmalonzo

Description

Summary

Various rushstack projects have a vulnerable version of ajv. We need to bump the version of ajv everywhere to 8.18.0.
ajv has a ReDoS when using the $data option.
GHSA-2g4f-4pwh-qvx6

Impacted projects include:

  • @rushstack/eslint-config
  • @rushstack/eslint-plugin
  • @rushstack/eslint-plugin-packlets
  • @rushstack/eslint-plugin-security
  • @rushstack/node-core-library
  • @rushstack/heft
  • @rushstack/set-webpack-public-path-plugin
  • @rushstack/terminal
  • @rushstack/webpack5-localization-plugin
  • @rushstack/ts-command-line
  • @rushstack/heft-sass-plugin
  • @rushstack/typings-generator
  • @rushstack/debug-certificate-manager
  • @rushstack/heft-dev-cert-plugin
  • @rushstack/heft-webpack5-plugin
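
To confirm the bump actually landed everywhere (a transitive copy of ajv can stay behind after the direct dependency moves), here is an added JavaScript check; it is not code from rushstack or from the issue author. It assumes a dependency tree in the shape `npm ls --all --json` prints, and the sample tree is constructed.

```javascript
// Added example: report every copy of ajv older than the fixed version in a
// dependency tree. Assumed tree shape (as printed by `npm ls --all --json`):
//   { dependencies: { <name>: { version, dependencies: { ... } } } }

const FIXED_AJV = "8.18.0"; // version the issue says ajv must be bumped to

// Numeric compare of "major.minor.patch"; a pre-release of the fixed version
// (e.g. 8.18.0-beta.1) still counts as older than the release.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (a.includes("-") && !b.includes("-")) return -1;
  if (!a.includes("-") && b.includes("-")) return 1;
  return 0;
}

// Walk the tree; return [{ path, version }] for each ajv copy below `fixed`.
function findVulnerableAjv(tree, fixed = FIXED_AJV, pkg = "ajv") {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${dep.version}`];
      if (name === pkg && dep.version && compareVersions(dep.version, fixed) < 0) {
        hits.push({ path: here.join(" > "), version: dep.version });
      }
      walk(dep, here); // nested node_modules can hold a second, older ajv
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed sample: the direct ajv is already on 8.18.0, but a transitive
// copy under one of the listed packages is still behind (placeholder version).
const SAMPLE_TREE = {
  dependencies: {
    ajv: { version: "8.18.0" },
    "@rushstack/eslint-config": {
      version: "0.0.0-placeholder",
      dependencies: { ajv: { version: "8.17.1" } },
    },
  },
};

for (const h of findVulnerableAjv(SAMPLE_TREE)) {
  console.log(`ajv ${h.version} < ${FIXED_AJV}: ${h.path}`);
}
```

Pipe real `npm ls --all --json` output into `findVulnerableAjv` and fail CI when the returned array is non-empty.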

Metadata

Labels: none
Type: none
Projects: none
Status: Needs triage
Milestone: none
Relationships: none yet
Development: no branches or pull requests