fix(deps): override ajv@8.18.0 (CVE-2025-69873) #4438
ScriptedAlchemy merged 14 commits into module-federation:main from
🦋 Changeset detected. Latest commit: 0d62954. The changes in this PR will be included in the next version bump. This PR includes changesets to release 43 packages.
💡 Codex Review: reviewed commit 033a5cb188.
Pull request overview
This pull request removes the direct schema-utils dependency from @module-federation/enhanced to eliminate the vulnerable schema-utils -> ajv@8.17.1 dependency path flagged for CVE-2025-69873. Since an upstream patched AJV release is not yet available, this PR takes a mitigation approach by removing the dependency entirely and implementing custom error formatting using the generated schema checker's error information.
Changes:
- Removed the `schema-utils` dependency from package.json and pnpm-lock.yaml
- Replaced the `getValidate()` fallback mechanism with direct error formatting from generated schema check functions
- Added custom error formatting logic (`formatCheckError`) that processes AJV error objects from compiled validators
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/enhanced/package.json | Removed schema-utils from dependencies array |
| pnpm-lock.yaml | Removed schema-utils entry from lockfile for enhanced package |
| packages/enhanced/src/utils.ts | Replaced schema-utils validation with custom error formatter using generated checker errors |
| .changeset/fresh-hounds-fly.md | Added patch changeset documenting the removal |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Bundle Size Report: No bundle size changes detected. Total dist: 6.87 MB (no change)
@Nsttt please try passing invalid options after running the generate schema command in the monorepo root; try passing an invalid option to the plugin and ensure it still throws errors properly.
Just did. `pnpm run generate:schema` (ok; regenerated 7 schema/check files)

Then exercised invalid options against the built plugin:

```js
const { default: ModuleFederationPlugin } =
  require('./packages/enhanced/dist/src/lib/container/ModuleFederationPlugin');

try {
  new ModuleFederationPlugin({ name: 123 });
} catch (e) {
  // name: ValidationError
  // message starts:
  // "Module Federation Plugin: Invalid options object."
  // "- options: {\"type\":\"string\"}"
}
```

Also confirmed the "missing name" case still errors (it's enforced in apply, not constructor/schema):

```js
const p = new ModuleFederationPlugin({});
p.apply({}); // throws Error("ModuleFederationPlugin name is required")
```

So: generated checkers still run, and invalid options still throw with error details.
Ajv fix for CVE-2025-69873 is released in 8.18.0. Big thank you to @KsAkira10 and @mcollina for their help resolving the issue. @EthanKim88 - disclosing without contacting @tidelift or myself first is irresponsible; it is creating some real damage and stress for many people and organizations. This is not what real security researchers do. It's necessary to disclose if not fixed in 90 days, even 30 days is ok in some cases, but publishing it without talking to anyone first is reckless and unethical. @mitre must really push back against assigning CVE numbers to vulnerabilities disclosed irresponsibly and broadcasting them to the whole internet before giving code maintainers a chance to fix. That highlights the real damage cybercriminals and script kiddies equipped with LLMs can do via adversarial analysis of open-source code. I kicked off a small side project CodeWatch addressing this problem about 2 weeks ago, as an experiment, and will aim to make it stable next week. It's a bit rough at the moment, but let me know if you want to experiment or help improve it - feel free to reach out via SimpleX.
Addressed P1 review note: restored the original
Follow-up: after addressing the regression concern, the PR is now dependency-only (no behavioral changes) and focuses on pinning
Amazing, thanks man. Will merge. Feel a little better about it now that it's just a dep bump.
Me too, now checking. |
@cursoragent instead of package overrides globally, could we use packageExtensions in pnpm to just target this specific package that has the issue and make it use the non-CVE dependency? Just comment back here after research
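The question above asks for a narrower fix than a global override. As an added illustration (not a change made in this PR, which uses the global `"ajv": "8.18.0"` override listed under its Changes), pnpm's `overrides` field also accepts a `parent>child` selector, which rewrites the resolved version of a transitive dependency only where it is pulled in by the named parent. The `schema-utils` parent here is the path the PR description identifies; the selector form is assumed from pnpm's documented override syntax, not from this repository.

```json
{
  "pnpm": {
    "overrides": {
      "schema-utils>ajv": "8.18.0"
    }
  }
}
```

After changing the field, `pnpm install` rewrites the lockfile and `pnpm why ajv` lists which packages still resolve to which ajv version, so the check is that no entry below 8.18.0 remains on the `schema-utils` path. `packageExtensions`, by contrast, merges extra fields into a package's own declared manifest rather than pinning what a range resolves to, so an override selector is the direct way to target one dependency edge.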
…path' into fix/cve-2025-69873-enhanced-ajv-path
Summary
- CVE-2025-69873 by forcing a patched AJV version via `pnpm.overrides`
- `@module-federation/enhanced` behavior (including the `schema-utils.validate(getSchema(), ...)` fallback path when precompiled checks fail)

CVE Context
- CVE-2025-69873
- ajv-validator / ajv
- CWE-1333 (ReDoS)
- <= 8.17.1 when `$data: true` is enabled
- ajv@8.18.0

`schema-utils@4.3.3` depends on `ajv@^8.9.0` and configures Ajv with `$data: true`, so pinning AJV to `8.18.0` removes the vulnerable AJV version from this repo's lockfile / dependency tree.

Changes
- `package.json`: `pnpm.overrides.ajv = 8.18.0`
- `packages/enhanced/package.json`: bump dev `ajv` to `^8.18.0` (alignment)
- `pnpm-lock.yaml`: refresh to `ajv@8.18.0`

Verification
- `pnpm install`
- `NX_DAEMON=false pnpm run generate:schema`
- `NX_DAEMON=false pnpm nx run enhanced:build`
- `ValidationError` via `schema-utils` (e.g. `name: 123`)
- `pnpm exec tsc -p packages/enhanced/tsconfig.json --noEmit`
- `NODE_OPTIONS="--experimental-vm-modules" npx rstest -c packages/enhanced/rstest.config.ts --project unit`
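The CVE Context and Verification sections above amount to a lockfile check: does any resolved ajv below 8.18.0 remain, and which package pulls it in. The script below is an added example, not code from this PR or the module-federation project; it scans pnpm lockfile text for ajv package keys, flags versions in the range the PR description states for CVE-2025-69873 (<= 8.17.1, fixed in 8.18.0), and walks the `snapshots:` section to name the direct dependents of each flagged version. The lockfile excerpt is constructed for the example, and the regexes assume the key layout of pnpm lockfile v6/v9 (`ajv@8.17.1:` or `/ajv@8.17.1:`).

```javascript
// Added example (not from the PR): audit pnpm lockfile text for ajv versions
// in the CVE-2025-69873 range given by the PR description (< 8.18.0).

const FIXED_AJV = [8, 18, 0]; // first release the PR description calls fixed

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when `version` parses and is below the fixed release (i.e. <= 8.17.1).
function isVulnerableAjv(version) {
  const parsed = parseSemver(version);
  return parsed !== null && compareSemver(parsed, FIXED_AJV) < 0;
}

// Collect every resolved ajv version from package keys such as
// `ajv@8.17.1:` (lockfile v9) or `/ajv@8.17.1:` (lockfile v6).
function findAjvVersions(lockText) {
  const versions = new Set();
  const keyRe = /^\s*\/?ajv@(\d+\.\d+\.\d+[^:\s]*):/gm;
  let m;
  while ((m = keyRe.exec(lockText)) !== null) versions.add(m[1]);
  return [...versions];
}

// Map each ajv version to the snapshot entries (direct dependents) that
// resolve to it, by walking the indentation of the `snapshots:` section.
function findAjvDependents(lockText) {
  const dependents = {};
  let inSnapshots = false;
  let current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^snapshots:/.test(line)) { inSnapshots = true; continue; }
    if (/^\S/.test(line)) { inSnapshots = false; continue; } // another top-level section
    if (!inSnapshots) continue;
    const top = /^  (\S.*):\s*$/.exec(line); // e.g. `  schema-utils@4.3.3:`
    if (top) { current = top[1]; continue; }
    const dep = /^      ajv:\s*(\S+)/.exec(line); // e.g. `      ajv: 8.17.1`
    if (dep && current) (dependents[dep[1]] ||= []).push(current);
  }
  return dependents;
}

function auditLockfile(lockText) {
  const found = findAjvVersions(lockText);
  const dependents = findAjvDependents(lockText);
  const vulnerable = found.filter(isVulnerableAjv);
  return {
    found,
    vulnerable,
    // which packages pull each vulnerable version in
    paths: vulnerable.map((v) => ({ version: v, via: dependents[v] || [] })),
  };
}

// Constructed lockfile excerpt (not the repository's real pnpm-lock.yaml):
// schema-utils still resolves the pre-fix ajv while a fixed copy also exists.
const SAMPLE_LOCK = `lockfileVersion: '9.0'

importers:
  packages/enhanced:
    dependencies:
      schema-utils:
        specifier: ^4.3.0
        version: 4.3.3

packages:
  ajv@8.17.1:
    resolution: {integrity: sha512-constructed-placeholder}
  ajv@8.18.0:
    resolution: {integrity: sha512-constructed-placeholder}
  schema-utils@4.3.3:
    resolution: {integrity: sha512-constructed-placeholder}

snapshots:
  ajv@8.17.1:
    dependencies:
      fast-deep-equal: 3.1.3
  ajv@8.18.0:
    dependencies:
      fast-deep-equal: 3.1.3
  schema-utils@4.3.3:
    dependencies:
      ajv: 8.17.1
`;

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditLockfile(SAMPLE_LOCK);
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.vulnerable.length ? 1 : 0; // non-zero when a flagged version remains
}
```

Run against a real file with `auditLockfile(fs.readFileSync('pnpm-lock.yaml', 'utf8'))`; on the constructed excerpt the report names `8.17.1` as the flagged version reached via `schema-utils@4.3.3`, which is exactly the edge the override in this PR removes. After the override is applied, `found` should contain only versions at or above 8.18.0 and `vulnerable` should be empty.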