fix(aws-cdk-lib): upgrade version of ajv that triggers CVE scanners

[rix0rrr]

Upgrade ajv to 8.18.0, which is version that is not vulnerable to a ReDoS attack anymore.

Note that CDK never had an actual vulnerability in the first place because the input was not attacker-controlled, but CVE scanners will flag this finding regardless.

This overrides the package in our repository, the dependency that gets installed at build time is bundled into the final aws-cdk-lib tarball.

Closes #36989

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[Abogical]

There is a build error related to ajv: https://github.com/aws/aws-cdk/actions/runs/22144520835/job/64017685124?pr=37022#step:9:578

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[jumic]

FYI - in case it is helpful: This error seams to be related to ajv upgrade from v6 to v8:
NOT SUPPORTED: option missingRefs. Pass empty schema with $id that should be ignored to ajv.addSchema.
See changelog, search for missingRefs.

In ajv there is a PR to fix this vulnerability also in v6. Maybe this helps to fix the issue in CDK as well (after a new v6 version is published).

[rix0rrr]

We didn't actually need an override, the dependency of table -> ajv was a ^ so a simple refreshing of the lockfile was sufficient.

Your "change requested" was that the build doesn't pass. It passes now.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

Rule: default-squash

---

• ✅ Entered queue — 2026-02-19 14:23 UTC
• ✅ Checks passed · in-place
• ✅ Merged — 2026-02-19 14:54 UTC · at 9677ef39df220964a29e59a9818552073116dabe

This pull request spent 31 minutes 22 seconds in the queue, including 31 minutes 11 seconds running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • fix(aws-cdk-lib): upgrade version of ajv that triggers CVE scanners #37022
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • fix(aws-cdk-lib): upgrade version of ajv that triggers CVE scanners #37022
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.