Skip to content

Update ajv dependency in @rushstack/node-core-library to resolve vulnerable fast-uri transitive dependency #5860

Description

@shirishmawande

Summary

While upgrading a SharePoint Framework (SPFx) 1.23.0 solution, I observed that @microsoft/sp-module-interfaces@1.23.0 depends on @rushstack/node-core-library@5.20.3.

@rushstack/node-core-library@5.20.3 currently depends on ajv@~8.18.0, which resolves the transitive dependency fast-uri@3.1.2. This version of fast-uri is reported as vulnerable by dependency security scanners.

Would it be possible to update the ajv dependency in @rushstack/node-core-library to a newer compatible version so that consumers resolve a non-vulnerable version of fast-uri?

Repro steps

  1. Install an SPFx 1.23.0 solution.
  2. Run a dependency vulnerability scan (for example, Snyk or pnpm audit).
  3. Observe the following dependency chain:

@microsoft/sp-module-interfaces@1.23.0 → @rushstack/node-core-library@5.20.3 → ajv@8.18.0 → fast-uri@3.1.2

Expected result:

The dependency tree resolves to a non-vulnerable version of fast-uri, eliminating the need for consumers to maintain manual dependency overrides.

I’ve attached below Snyk vulnerability report showing the dependency path and the affected package versions.

Image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Needs triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions