chore(deps): bump joi from 17.13.3 to 18.1.2 #11988
Merged
Bumps [joi](https://github.com/hapijs/joi) from 17.13.3 to 18.1.2.
- [Commits](hapijs/joi@v17.13.3...v18.1.2)

---
updated-dependencies:
- dependency-name: joi
  dependency-version: 18.1.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Contributor

Could you reflect this in a stable version in 3.x?
Collaborator

I'd rather not; the next minor/major release is v4, and v3.10.x will only have bug fix patches. Here, although I think it's compatible, it remains a major version bump and I'd prefer not to do that in a patch release.
Contributor

I'm afraid I find it regrettable you chose not to ship this in v3. Users became concerned that GHSA-q7cg-457f-vx79 might negatively impact their sites.
mbouaziz added a commit to SkipLabs/skip that referenced this pull request on Jun 12, 2026
## Summary

Fixes Dependabot alert [#320](https://github.com/SkipLabs/skip/security/dependabot/320) — [GHSA-q7cg-457f-vx79](GHSA-q7cg-457f-vx79) (medium: joi has an uncaught RangeError on deeply nested input through recursive `Joi.link()` schemas, patched in 18.2.1).

joi@17.13.3 is a build-time-only transitive dep pulled into [www/](www/) by `@docusaurus/types@^17.9.2` and `@docusaurus/utils-validation@^17.9.2`. Patching requires a major version bump (17 → 18) — outside the parents' caret range — so a straight `npm update` can't reach it.

## Approach

Adds `joi: "^18.2.1"` to the existing `overrides` block in [www/package.json](www/package.json). Resolves to **18.2.1** in the lockfile (the patched version). Adds a top-level `"//"` comment explaining the override so it can be removed cleanly once Docusaurus stable adopts joi^18.

## Why an override is safe here

- **Upstream-validated compatibility**: [facebook/docusaurus PR #11988](facebook/docusaurus#11988) merged the joi 17 → 18.1.2 bump into `main` on 2026-05-09. Docusaurus's own plugin-config validation works on joi 18.x; the bump just hasn't landed in a stable release yet (only canaries 3.10.1-canary-6603+).
- **Vulnerable code path is unused**: the advisory needs recursive `Joi.link()` schemas on attacker-controlled input. Docusaurus's only `Joi.link()` reference is **commented out** at `@docusaurus/plugin-content-docs/lib/sidebars/validation.js:89`. joi runs only at `docusaurus build` time on committed config/MDX/sidebars — never on network input.
- **Minimal joi 17 → 18 breaking changes**: the only real one is `engines.node >=20`, which is satisfied by `www/package.json`'s `"engines": { "node": ">=20" }`. No joi API used by docusaurus (`.object()`, `.string()`, `.extend()`, `.custom()`, …) was removed or had semantics changed.

## Verification

- `npm install --package-lock-only` resolves `joi@18.2.1` (single entry; no nested copies).
- `npm install` then `npm run build` in `www/` completes cleanly — server + client compile, og-image cards generated, static files produced in `build/`.

## Drop later

Once a Docusaurus stable release (3.10.2 / 3.11 / …) ships with joi^18 in `dependencies`, this override becomes redundant. The `"//"` comment documents the trigger condition.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
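One way to script the lockfile check the commit message describes (a single patched `joi` entry, no nested copies of the old major), as an added example that is not the PR's or the SkipLabs project's own code; the lockfile objects are constructed, and a real run would `JSON.parse` the project's `package-lock.json` instead:

```javascript
// Added example, not code from the Docusaurus PR or the SkipLabs commit.
// After forcing a transitive dep via npm overrides ("overrides": { "joi": "^18.2.1" }),
// check package-lock.json ("packages" map, lockfile v2/v3) the way the commit
// message describes: one installed copy, at or above the patch, no nested old copy.

// Compare "x.y.z" versions; any prerelease suffix such as "-canary-6603" is ignored.
function semverGte(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] > pb[i];
  return true;
}

// Every installed copy of `name`: "node_modules/joi" (hoisted) or
// "node_modules/<parent>/node_modules/joi" (nested copy kept for one parent).
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([key]) => key === suffix || key.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Returns { ok, copies, problems }; ok only when the override fully took effect.
function checkOverride(lock, name, minVersion) {
  const copies = findCopies(lock, name);
  const problems = [];
  if (copies.length === 0) problems.push(`${name} is not in the lockfile`);
  if (copies.length > 1) problems.push(`${copies.length} copies of ${name} installed`);
  for (const c of copies) {
    if (!semverGte(c.version, minVersion)) {
      problems.push(`${c.path} resolves to ${c.version} < ${minVersion}`);
    }
  }
  return { ok: problems.length === 0, copies, problems };
}
// Constructed sample lockfiles (not the real www/package-lock.json).
const lockBefore = { lockfileVersion: 3, packages: {
  'node_modules/joi': { version: '17.13.3' } } };
const lockAfter = { lockfileVersion: 3, packages: {
  'node_modules/joi': { version: '18.2.1' } } };
// Partial fix: hoisted copy patched, but a nested joi 17 survives under a parent.
const lockNested = { lockfileVersion: 3, packages: {
  'node_modules/joi': { version: '18.2.1' },
  'node_modules/@docusaurus/utils-validation/node_modules/joi': { version: '17.13.3' } } };

for (const [label, lock] of [['before', lockBefore], ['after', lockAfter], ['nested', lockNested]]) {
  const r = checkOverride(lock, 'joi', '18.2.1');
  console.log(label, r.ok ? 'OK' : r.problems.join('; '));
}
```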