Ajv versions 4.11.8 and 4.11.7 are incremental updates to a popular JSON schema validator for Node.js and browsers. Both versions, maintained by Evgeny Poberezkin, share the same core dependencies, including "co" for asynchronous control flow and "json-stable-stringify" for consistent JSON serialization. They also utilize an identical suite of development dependencies aimed at ensuring code quality, maintainability, and compatibility across various environments. These tools cover linting (eslint, jshint), testing (mocha, karma, chai, json-schema-test), code coverage (nyc, coveralls), browser compatibility (browserify, phantomjs-prebuilt, karma-chrome-launcher), and build processes (uglify-js, del-cli).
The key difference lies in the release date. Version 4.11.8 was published on April 28, 2017, subsequent to version 4.11.7's release on April 17, 2017. While precise details of the changes between these minor versions aren't explicitly provided, developers can infer that 4.11.8 likely includes bug fixes, minor enhancements, or dependency updates addressing issues discovered in 4.11.7. For developers using Ajv, upgrading to the newest 4.11.8 would typically be recommended to benefit from the latest improvements and potential security patches. When considering incorporating Ajv into a project, developers should evaluate functionalities for JSON schema validation, data type checking, and schema reusability from the documentation.
All vulnerabilities related to version 4.11.8 of the package
Prototype Pollution in Ajv
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)