Security Vulnerability: ajv (JSON Schema Validator) #715

@arthfael-breanainn

Summary

My CI/CD pipeline (Sysdig image scan) is failing due to a High severity security vulnerability detected in the ajv package (JSON Schema Validator). This is blocking all deployments.

Details

The Sysdig scanner identified one vulnerable version of ajv in the API Docker image:

| Component | Current Version | Fixed Version | Severity |
|---|---|---|---|
| ajv | 8.13.0 | 8.18.0 | High |

This version fails the Sysdig Best Practices policy (1 failure), causing the job to exit with code 1.

Root Cause

ajv is a transitive dependency — it is not directly declared in our package.json. It is pulled in through the following dependency chain:

  • ajv@8.13.0: umzug → @rushstack/ts-command-line → @rushstack/terminal → @rushstack/node-core-library → ajv
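
An added example, not part of the original issue or of any project named in it: one way to recover a chain like the one above from the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and flag it against the scanner's fixed version. The function names and the sample lockfile are constructed for illustration; only the ajv versions 8.13.0 and 8.18.0 come from the issue.

```javascript
// Resolve `name` from the package at `fromPath`: nearest node_modules first, then parents.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Every chain from the root project to `target`, as arrays of "name@version".
function findChains(lock, target) {
  const packages = lock.packages, chains = [];
  const walk = (path, trail, seen) => {
    const p = packages[path], deps = { ...p.dependencies, ...p.optionalDependencies, ...p.devDependencies };
    for (const name of Object.keys(deps)) {
      const child = resolve(packages, path, name);
      if (!child || seen.has(child)) continue; // uninstalled optional dep, or a cycle
      const step = [...trail, name + "@" + packages[child].version];
      if (name === target) chains.push(step);
      else walk(child, step, new Set(seen).add(child));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// True when dotted numeric version `v` is lower than `fixed` (no pre-release handling).
function isBelow(v, fixed) {
  const a = v.split(".").map(Number), b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Constructed sample lockfile: only ajv 8.13.0 is from the issue, other versions are placeholders.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "api", dependencies: { umzug: "*" } },
  "node_modules/umzug": { version: "0.0.0-sample", dependencies: { "@rushstack/ts-command-line": "*" } },
  "node_modules/@rushstack/ts-command-line": { version: "0.0.0-sample", dependencies: { "@rushstack/terminal": "*" } },
  "node_modules/@rushstack/terminal": { version: "0.0.0-sample", dependencies: { "@rushstack/node-core-library": "*" } },
  "node_modules/@rushstack/node-core-library": { version: "0.0.0-sample", dependencies: { ajv: "*" } },
  "node_modules/ajv": { version: "8.13.0" },
} };
for (const chain of findChains(sampleLock, "ajv")) {
  const version = chain[chain.length - 1].split("@").pop();
  console.log((isBelow(version, "8.18.0") ? "VULNERABLE " : "ok ") + chain.join(" -> "));
}
```

Run against a real `package-lock.json` by replacing `sampleLock` with the parsed file; every chain that ends in a version below the fixed one shows which direct dependency has to be upgraded or overridden.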
