
Resolve Ajv Prototype Pollution Vulnerability#732

Merged
github-actions[bot] merged 1 commit into master from fix/ajv-prototype-pollution-13167139283019002996
Feb 13, 2026

Conversation

@Jadhielv (Owner) commented Feb 13, 2026

The Dependabot alert for prototype pollution in ajv was addressed by using npm overrides in the kctest-frontend project.

The fix involved:

  1. Adding an override for extract-text-webpack-plugin to use ajv@^6.12.6, replacing the vulnerable 5.5.2 version.
  2. Maintaining ajv@^8.17.1 for packages that require it (like ajv-formats, ajv-keywords, and webpack 5) to avoid breaking changes.
  3. Ensuring eslint continues to use safe version 6.12.6 and its associated tmp security fix.
  4. Regenerating the package-lock.json to reflect these changes across the dependency tree.

Verification:

  • npm list ajv confirms no version below 6.12.3 remains.
  • npm run unit passes.
  • npm run lint works as expected.
  • npm run build fails with the same pre-existing Webpack 5 configuration error, confirming no new regressions in the build pipeline.

PR created automatically by Jules for task 13167139283019002996 started by @Jadhielv

Summary by CodeRabbit

  • Chores
    • Updated package dependency version constraints to ensure compatibility and stability.
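
The verification floor stated above (no ajv below 6.12.3 anywhere in the tree) can also be checked offline against package-lock.json rather than via `npm list ajv`. The following is an added example, not code from this PR or the kctest-frontend project; it assumes a lockfileVersion 2 or 3 lock file, and the embedded lock fragment is constructed to mirror the dependency shape the description names.

```javascript
// Added example (not from this PR): audit a package-lock.json (lockfileVersion 2/3)
// for copies of a package below a minimum fixed version, the floor checked above.

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Walk the lock file's "packages" map (keyed by install path, so nested copies such
// as node_modules/x/node_modules/ajv are included); return copies of `name` below `minFixed`.
function findVulnerableCopies(lock, name, minFixed) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix) || !entry.version) continue;
    if (compareVersions(entry.version, minFixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock fragment reflecting the tree described before the override:
// ajv 8 at top level, eslint's safe 6.12.6, and 5.5.2 nested under extract-text-webpack-plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/ajv': { version: '8.17.1' },
    'node_modules/eslint/node_modules/ajv': { version: '6.12.6' },
    'node_modules/extract-text-webpack-plugin/node_modules/ajv': { version: '5.5.2' },
  },
};

// Flags only the nested 5.5.2 copy; an empty result means the floor is satisfied.
console.log(findVulnerableCopies(SAMPLE_LOCK, 'ajv', '6.12.3'));
```

To run it against a real tree, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.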

Update ajv to safe versions using npm overrides in kctest-frontend.
Specifically:
- Upgraded legacy ajv (version 5) to 6.12.6.
- Maintained ajv 8.x for modern packages (Webpack 5, ajv-formats, ajv-keywords 5.x) to ensure compatibility.
- Restored existing security overrides for tmp and other packages.
- Updated package-lock.json accordingly.

Co-authored-by: Jadhielv <24376900+Jadhielv@users.noreply.github.com>
@google-labs-jules (Contributor) commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai bot commented Feb 13, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

The pull request adds a dependency override entry for extract-text-webpack-plugin in kctest-frontend/package.json, pinning the ajv package to version ^6.12.6. This expands the existing overrides configuration without modifying other entries.

Changes

Cohort / File(s): Dependency Override Configuration (kctest-frontend/package.json)
Summary: Added override for extract-text-webpack-plugin to pin ajv dependency to ^6.12.6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A version pinned tight, oh what a sight!
Where ajv meets webpack in override delight,
Dependencies dance, no more to fight,
The rabbit hops happy, the build runs just right! ✨


@github-actions github-actions bot merged commit 202c902 into master Feb 13, 2026
5 of 7 checks passed
@github-actions github-actions bot deleted the fix/ajv-prototype-pollution-13167139283019002996 branch February 13, 2026 22:22