chore: Bump valibot to 1.4.0 in js/examples/ai-sdk/next-openai-app#1988

Merged
Luca Forstner (lforst) merged 1 commit into main from fix/valibot-redos-cve-2025-66020 on May 13, 2026
Conversation

@AbhiPrasad (Member)

Summary

  • Bumps valibot from 1.1.0 to 1.4.0 in js/examples/ai-sdk/next-openai-app to patch GHSA-vqpr-j7v3-hqw9 (CVE-2025-66020), a ReDoS in EMOJI_REGEX.
  • Patched version is >= 1.2.0; chose 1.4.0 (latest) to also satisfy the ^1.3.0 peer dep declared by @valibot/to-json-schema@1.6.0.
  • Regenerated pnpm-lock.yaml — all references to valibot@1.1.0 now resolve to valibot@1.4.0. This is the only place in the repo that depends on valibot.

Test plan

Valibot < 1.2.0 has a ReDoS vulnerability in EMOJI_REGEX. Bump to 1.4.0
in js/examples/ai-sdk/next-openai-app, which also aligns with the
^1.3.0 peer dep from @valibot/to-json-schema@1.6.0.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
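The summary above relies on every resolved `valibot@1.1.0` entry in pnpm-lock.yaml having moved to 1.4.0. The following script is an added example, not part of this PR or the repository: it scans lockfile text for every `name@x.y.z` token (package keys, snapshot keys and peer-resolution suffixes) and reports any resolved version below the first patched release. Both lockfile excerpts are constructed for illustration, as are the integrity placeholders; the 1.2.0 threshold is the patched version stated in the PR.

```javascript
// Added example (not the PR's or the repository's own code): find every
// resolved version of a package in a pnpm-lock.yaml and flag versions below
// the first patched release. The lockfile excerpts are constructed.

const LOCK_BEFORE = `
lockfileVersion: '9.0'

packages:

  '@valibot/to-json-schema@1.6.0':
    resolution: {integrity: sha512-CONSTRUCTED}
    peerDependencies:
      valibot: ^1.3.0

  valibot@1.1.0:
    resolution: {integrity: sha512-CONSTRUCTED}
    peerDependencies:
      typescript: '>=5'

snapshots:

  '@valibot/to-json-schema@1.6.0(valibot@1.1.0(typescript@5.8.3))':
    dependencies:
      valibot: 1.1.0(typescript@5.8.3)

  valibot@1.1.0(typescript@5.8.3):
    optionalDependencies:
      typescript: 5.8.3
`;

// The same excerpt after a regenerated lockfile would resolve 1.4.0 everywhere.
const LOCK_AFTER = LOCK_BEFORE
  .replace(/valibot@1\.1\.0/g, 'valibot@1.4.0')
  .replace(/valibot: 1\.1\.0/g, 'valibot: 1.4.0');

// Parse "major.minor.patch" (a leading prerelease/build suffix is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so 1.10.0 sorts after 1.9.0.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Every `name@x.y.z` token in the lockfile text: package keys, snapshot keys
// and peer-resolution suffixes such as `(valibot@1.4.0(...))`. The lookbehind
// stops `@valibot/to-json-schema@1.6.0` from being read as a version of
// `valibot`, and the `^1.3.0` peer *range* is not matched at all because it is
// not a resolved `name@x.y.z` token.
function resolvedVersions(lockText, pkg) {
  const re = new RegExp(
    `(?<![\\w@/.-])${escapeRegExp(pkg)}@(\\d+\\.\\d+\\.\\d+)`,
    'g',
  );
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareSemver);
}

// Returns every resolved version plus the subset below `firstPatched`.
function checkLockfile(lockText, pkg, firstPatched) {
  const resolved = resolvedVersions(lockText, pkg);
  const vulnerable = resolved.filter((v) => compareSemver(v, firstPatched) < 0);
  return { resolved, vulnerable };
}

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  const { resolved, vulnerable } = checkLockfile(lock, 'valibot', '1.2.0');
  console.log(
    `${label}: resolved=[${resolved.join(', ')}] ` +
      `vulnerable=[${vulnerable.join(', ') || 'none'}]`,
  );
}
```

Run it against the real pnpm-lock.yaml by reading the file into `checkLockfile` instead of the constructed excerpt; a non-empty `vulnerable` list on the post-bump lockfile would mean a second copy of the package is still pinned somewhere, which is exactly the condition the summary says was ruled out.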
@AbhiPrasad Abhijeet Prasad (AbhiPrasad) changed the title from "fix: Bump valibot to 1.4.0 to patch ReDoS (GHSA-vqpr-j7v3-hqw9)" to "chore: Bump valibot to 1.4.0 in js/examples/ai-sdk/next-openai-app" on May 12, 2026
@lforst Luca Forstner (lforst) merged commit 260efdc into main May 13, 2026
47 of 50 checks passed
@lforst Luca Forstner (lforst) deleted the fix/valibot-redos-cve-2025-66020 branch May 13, 2026 08:16
2 participants