ajv-validator / ajv

The fastest JSON schema Validator. Supports JSON Schema draft-04/06/07/2019-09/2020-12 and JSON Type Definition (RFC8927)
https://ajv.js.org
MIT License

Replace `uri-js` abandoned dependency #2486

Closed xavierraffin closed 3 months ago

xavierraffin commented 3 months ago

This is not exactly an installation issue but it may become one.

The uri-js package is unmaintained and abandoned: https://github.com/garycourt/uri-js/issues/96. This is also a known security issue: https://github.com/ajv-validator/ajv/issues/1978

This dependency should be replaced (maybe with https://github.com/andreinwald/uri-js-replace or maybe with something else).

The version of Ajv you are using

6.12.6

Operating system and node.js version

Reproduce on Linux, MacOS and Windows

Package manager and its version

npm@10.8.2

Link to (or contents of) package.json

uri-js:4.4.1 https://github.com/ajv-validator/ajv/blob/f06766f33ed7291f84c19f22a1286a34475fbdaf/package.json#L108

Error messages

Warning message at runtime (will break with future node versions):

(node:81876) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)

jasoniangreen commented 3 months ago

Ah yes, interesting point. We recently moved over the actual default uri lib to fast-uri, but there were always tests for both of them in the repo. Right now the old uri-js is not being used by default, but it is in the repo. I will have a look at removing it; I don't think it adds much value anymore.

Oh and I see you are using AJV 6.12.6? If you update to the latest you'll find we've changed it to fast-uri.

HowieG commented 3 months ago

@jasoniangreen thanks for clarifying! eslint is pinned to ajv@6.12.6 and it seems it was decided not to upgrade to v8. However, there's this chore and this PR, either of which would replace uri-js with fast-uri. Just FYI if people report the DeprecationWarning from eslint.

jasoniangreen commented 3 months ago

Thanks for the extra context @HowieG. So if this is specifically due to eslint using an old version of AJV, then I will close this ticket as there's not much to be done. If, however, we are finding that even having uri-js as a DEV dependency is causing problems, then please let me know and I will reopen.
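The thread ends with the practical question of who is actually pulling `uri-js` into an install. As an added example that is not part of the ajv project or this issue, here is a small Node.js script that walks an npm lockfile (the `packages` map of lockfileVersion 2/3) using Node's nested `node_modules` lookup and returns every dependency chain that ends at a named package, so a maintainer can see whether `uri-js` (and, through it, the deprecated `punycode` core module) arrives via a pinned ajv@6 rather than via their own direct dependency. The lockfile below is constructed inline; apart from ajv@6.12.6 and uri-js@4.4.1, which the issue mentions, the versions and the `node_modules` layout are placeholders, not a real eslint install.

```javascript
// Added example, not code from the ajv repository: report the dependency
// chains in an npm lockfile that lead to a given package (e.g. "uri-js").

const NM = "node_modules/";

// Constructed sample lockfile (lockfileVersion 3 layout). Only ajv@6.12.6 and
// uri-js@4.4.1 come from the issue; every other version is a placeholder.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { eslint: "*", ajv: "*" } },
    "node_modules/eslint": { version: "0.0.0-placeholder", dependencies: { ajv: "^6.12.6" } },
    // eslint's ajv@6 is nested because the root already has a newer ajv.
    "node_modules/eslint/node_modules/ajv": { version: "6.12.6", dependencies: { "uri-js": "^4.2.2" } },
    "node_modules/uri-js": { version: "4.4.1", dependencies: { punycode: "^2.1.0" } },
    "node_modules/punycode": { version: "0.0.0-placeholder" },
    "node_modules/ajv": { version: "0.0.0-placeholder", dependencies: { "fast-uri": "^3.0.0" } },
    "node_modules/fast-uri": { version: "0.0.0-placeholder" },
  },
};

// Resolve `depName` as seen from the package installed at `fromPath`:
// look in fromPath/node_modules/depName, then in each enclosing
// node_modules directory up to the lockfile root ("" is the root entry).
function resolve(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `${NM}${depName}` : `${base}/${NM}${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf(`/${NM}`);
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name is whatever follows the last "node_modules/" in the path,
// which also handles scoped packages such as "node_modules/@scope/name".
function nameOf(pkgPath) {
  return pkgPath.slice(pkgPath.lastIndexOf(NM) + NM.length);
}

function label(packages, pkgPath) {
  const entry = packages[pkgPath];
  const name = pkgPath === "" ? entry.name || "(root)" : nameOf(pkgPath);
  return entry.version ? `${name}@${entry.version}` : name;
}

// Depth-first walk from the root entry; returns one "a > b > c" string per
// distinct chain that reaches `targetName`. A chain guard stops cycles.
function findDependencyPaths(lock, targetName) {
  const packages = lock.packages || {};
  const found = [];
  function walk(pkgPath, chain) {
    if (chain.includes(pkgPath)) return;
    const next = [...chain, pkgPath];
    if (pkgPath !== "" && nameOf(pkgPath) === targetName) {
      found.push(next.map((p) => label(packages, p)).join(" > "));
      return;
    }
    const entry = packages[pkgPath];
    const deps = {
      ...(entry.dependencies || {}),
      ...(entry.optionalDependencies || {}),
      // devDependencies are only installed for the root project.
      ...(pkgPath === "" ? entry.devDependencies || {} : {}),
    };
    for (const dep of Object.keys(deps)) {
      const resolved = resolve(packages, pkgPath, dep);
      if (resolved) walk(resolved, next);
    }
  }
  if (packages[""]) walk("", []);
  return found;
}

// Usage: node find-dep-paths.js [path/to/package-lock.json] [package-name]
// With no arguments it runs against the constructed sample above.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const [lockFile, target = "uri-js"] = process.argv.slice(2);
  const lock = lockFile ? JSON.parse(fs.readFileSync(lockFile, "utf8")) : SAMPLE_LOCK;
  const paths = findDependencyPaths(lock, target);
  console.log(paths.length ? paths.join("\n") : `${target} is not in the lockfile`);
}

module.exports = { SAMPLE_LOCK, resolve, findDependencyPaths };
```

Run it against a real `package-lock.json` to confirm whether `uri-js` is reachable only through an eslint-pinned ajv@6.12.6, in which case the warning belongs to that pin and not to the project's own ajv dependency; an empty result means the lockfile no longer contains the package at all.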