Ajv is a popular and performant JSON schema validator for Node.js and browsers, offering robust data validation capabilities. Comparing versions 5.5.1 and 5.5.2 reveals subtle yet potentially impactful changes for developers. Both versions share the same core dependencies, "co", "fast-deep-equal", "json-schema-traverse" and "fast-json-stable-stringify", ensuring consistent handling of asynchronous operations, deep object comparison, schema traversal and stable stringification.
The key difference lies in the development dependencies ("devDependencies"). Version 5.5.2 upgrades "typescript" from version 2.0.3 to 2.6.2. This signifies an enhanced focus on TypeScript support, potentially offering better type definitions and integration for developers using TypeScript in their projects. A library used in testing and for generating valid HTML files was bumped from version 1.3.0 to 2.0.0, and the regenerator dependency was bumped as well. Note that devDependencies are not installed by consumers of the package, so these bumps affect Ajv's own build and test toolchain rather than the code shipped to users. The release dates indicate a relatively short interval between the two versions, suggesting a focused effort on refinement and improvement: the newer version was released on 2017-12-16 and the prior version on 2017-12-02. Users seeking the latest TypeScript compatibility and potential bug fixes or performance enhancements should therefore opt for version 5.5.2. Developers not using TypeScript, or those experiencing no issues with version 5.5.1, may find the update less critical but should still consider it for long-term maintainability and access to the most recent improvements.
All vulnerabilities related to version 5.5.2 of the package
Prototype Pollution in Ajv
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
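The advisory's point is that an untrusted schema should never be able to do more than fail validation. One defensive gate is to vet a schema before it reaches ajv.compile()/ajv.validate(). The following is an added example, not Ajv's own code; it assumes the schema arrives as a JSON string from an untrusted source, and it is deliberately conservative (it rejects any schema that uses the key names "__proto__", "constructor" or "prototype" anywhere, even where they would be legitimate property names).

```javascript
// Added example (not from Ajv): reject untrusted JSON schemas that carry
// prototype-pollution key names, and a small post-hoc check for pollution.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively walk a parsed schema. Returns the path (array of keys) of the
// first dangerous key found, or null when the schema is clean.
function findDangerousKey(node, path = []) {
  if (node === null || typeof node !== 'object') return null;
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findDangerousKey(node[i], path.concat(String(i)));
      if (hit) return hit;
    }
    return null;
  }
  // JSON.parse creates a literal own property named "__proto__" (it does not
  // change the prototype), so getOwnPropertyNames sees it like any other key.
  for (const key of Object.getOwnPropertyNames(node)) {
    const here = path.concat(key);
    if (DANGEROUS_KEYS.has(key)) return here;
    const hit = findDangerousKey(node[key], here);
    if (hit) return hit;
  }
  return null;
}

// Gate: parse and vet an untrusted schema string. Throws on dangerous keys so
// the caller never hands such a schema to ajv.compile() or ajv.validate().
function parseUntrustedSchema(json) {
  const schema = JSON.parse(json);
  const hit = findDangerousKey(schema);
  if (hit) throw new Error('rejected schema: dangerous key at /' + hit.join('/'));
  return schema;
}

// Detection hook: Object.prototype should never gain enumerable properties;
// if it has, something in the process has been polluted.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample inputs (not taken from the advisory).
const CLEAN_SCHEMA = '{"type":"object","properties":{"name":{"type":"string"}}}';
const SUSPECT_SCHEMA = '{"type":"object","properties":{"__proto__":{"type":"string"}}}';
```

Running parseUntrustedSchema on SUSPECT_SCHEMA throws with the path /properties/__proto__, while CLEAN_SCHEMA is returned unchanged for compilation.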