Summary
While upgrading a SharePoint Framework (SPFx) 1.23.0 solution, I observed that @microsoft/sp-module-interfaces@1.23.0 depends on @rushstack/node-core-library@5.20.3.
@rushstack/node-core-library@5.20.3 currently depends on ajv@~8.18.0, which resolves the transitive dependency fast-uri@3.1.2. This version of fast-uri is reported as vulnerable by dependency security scanners.
Would it be possible to update the ajv dependency in @rushstack/node-core-library to a newer compatible version so that consumers resolve a non-vulnerable version of fast-uri?
Repro steps
- Install an SPFx 1.23.0 solution.
- Run a dependency vulnerability scan (for example, Snyk or pnpm audit).
- Observe the following dependency chain:
@microsoft/sp-module-interfaces@1.23.0 → @rushstack/node-core-library@5.20.3 → ajv@8.18.0 → fast-uri@3.1.2
Expected result:
The dependency tree resolves to a non-vulnerable version of fast-uri, eliminating the need for consumers to maintain manual dependency overrides.
I’ve attached below Snyk vulnerability report showing the dependency path and the affected package versions.

Summary
While upgrading a SharePoint Framework (SPFx) 1.23.0 solution, I observed that @microsoft/sp-module-interfaces@1.23.0 depends on @rushstack/node-core-library@5.20.3.
@rushstack/node-core-library@5.20.3 currently depends on ajv@~8.18.0, which resolves the transitive dependency fast-uri@3.1.2. This version of fast-uri is reported as vulnerable by dependency security scanners.
Would it be possible to update the ajv dependency in @rushstack/node-core-library to a newer compatible version so that consumers resolve a non-vulnerable version of fast-uri?
Repro steps
@microsoft/sp-module-interfaces@1.23.0 → @rushstack/node-core-library@5.20.3 → ajv@8.18.0 → fast-uri@3.1.2
Expected result:
The dependency tree resolves to a non-vulnerable version of fast-uri, eliminating the need for consumers to maintain manual dependency overrides.
I’ve attached below Snyk vulnerability report showing the dependency path and the affected package versions.