chore(deps): update dependency valibot to v1.2.0 [security]#7231
Merged
chore(deps): update dependency valibot to v1.2.0 [security]#7231
Conversation
Contributor
Author
|
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
Contributor
How to use the Graphite Merge QueueAdd the label graphite: merge to this PR to add it to the merge queue. You must have a Graphite account in order to use the merge queue. Sign up using this link. An organization admin has enabled the Graphite Merge Queue in this repository. Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue. |
✅ Deploy Preview for rolldown-rs canceled.
|
This was referenced Dec 3, 2025
shulaoda
added a commit
that referenced
this pull request
Dec 3, 2025
## [1.0.0-beta.53] - 2025-12-03 💥 Breaking Changes - Drop `i686-pc-windows-msvc` target support 🚀 Chunk Merging Optimization - Rolldown now automatically merges shared chunks when entries import each other (when `preserveEntrySignature` is not `strict`) ```shell Before: entry.js → imports → shared.js (common chunk) entry2.js → imports → shared.js Output: 3 chunks (entry.js, entry2.js, shared.js) After: entry.js → contains shared code entry2.js → imports → entry.js Output: 2 chunks (entry.js, entry2.js) ``` ### 💥 BREAKING CHANGES - drop `i686-pc-windows-msvc` target support (#7230) by @sapphi-red ### 🚀 Features - rolldown_plugin_vite_manifest: pass normalized options to `isLegacy` callback (#7321) by @shulaoda - plugin/vite-resolve: add `disableCache` option (#6763) by @sapphi-red - rolldown: export `createTokioRuntime` for tsdown (#7264) by @shulaoda - rolldown_plugin_vite_html: sync `moduleSideEffects` for already loaded modules (#7254) by @shulaoda - rolldown_plugin_vite_html: load module scripts with side effects to prevent tree-shaking (#7244) by @shulaoda - rolldown_plugin_vite_css_post: implement `cssScopeTo` for scoped CSS tree-shaking (#7240) by @shulaoda ### 🐛 Bug Fixes - export default class decl __name runtime insertion (#7316) by @IWANABETHATGUY - chunk side effects calculation (#7273) by @IWANABETHATGUY - node: `output.generateCode.preset: 'es2015'` should set `output.generateCode.symbols: true` by default (#7314) by @sapphi-red - skip name helper for classes with static name property (#7312) by @IWANABETHATGUY - preserve chunk imports relationship after chunk merging (#7303) by @shulaoda - dev: make `register_modules` async (#7289) by @hyf0 - preserve computed property in object destructuring (#7288) by @IWANABETHATGUY - support dynamic imports with shared dependencies (#7261) by @IWANABETHATGUY - call `defer_sync_scan_data` in non-incremental build mode (#7255) by @shulaoda - optimize chunk merging for shared entry points (#7194) by @IWANABETHATGUY - add indentation for UMD format output (#7263) by @IWANABETHATGUY - rolldown_plugin_vite_css_post: pass options to `isLegacy` callback for proper legacy detection (#7260) by @shulaoda - rolldown_plugin_vite_css_post: also detect `?inline=true` query for inlined CSS (#7245) by @shulaoda - rolldown_plugin_vite_css_post: distinguish empty CSS from no CSS (#7241) by @shulaoda - add Windows support for t-run command (#7242) by @IWANABETHATGUY - cjs: prevent duplicate require declarations for external modules with preserveModules (#7234) by @logaretm - rolldown_plugin_vite_resolve: resolve from root for virtual modules (#7236) by @sapphi-red - include entry level external modules in chunk exports (#7218) by @IWANABETHATGUY ### 🚜 Refactor - dev: make `removeClient` async (#7313) by @hyf0 - move chunk merging code out of code_splitting.rs (#7285) by @IWANABETHATGUY - extract common function util for chunk merging (#7271) by @IWANABETHATGUY - use iterative method to merge chunks (#7256) by @IWANABETHATGUY - use concat_string! instead of string replace for generating chunk level exports (#7247) by @IWANABETHATGUY ### 📚 Documentation - add warning to experimental.resolveNewUrlToAsset about JS/TS files (#7300) by @Copilot - add sequential hook execution difference in plugin-api.md (#7308) by @Copilot - add migration example from onwarn to onLog (#7299) by @Copilot - add migration example for manualChunks to advancedChunks (#7298) by @Copilot - deps: bump vitepress to fix build (#7307) by @sapphi-red - examples & text for experimental.resolveNewUrlToAsset (#7259) by @TheAlexLichter ### ⚡ Performance - rolldown_plugin_vite_css_post: lazily load `cssScopeTo` from JS module options (#7253) by @shulaoda - rolldown_plugin_vite_css_post: avoid unnecessary string clones in `resolve_asset_urls_in_css` (#7250) by @shulaoda ### 🧪 Testing - generate relative path like name in advanced chunks (#7267) by @IWANABETHATGUY - add test case for preserveEntrySignatures with re-exports (#7279) by @IWANABETHATGUY - add test262 integration tests (#7196) by @sapphi-red ### ⚙️ Miscellaneous Tasks - deps: update dependency rolldown-plugin-dts to v0.18.1 (#7304) by @renovate[bot] - enable tracing feature for napi (#7322) by @sapphi-red - deps: update napi (#7320) by @renovate[bot] - deps: update oxc (#7318) by @renovate[bot] - deps: update napi (#7317) by @renovate[bot] - deps: update oxc to v0.100.0 (#7301) by @renovate[bot] - deps: downgrade pnpm to 10.23.0 to fix Netlify build (#7306) by @shulaoda - add `trustPolicyExclude` for chokidar and semver (#7302) by @sapphi-red - update pnpm lockfile (#7291) by @IWANABETHATGUY - deps: update npm packages (#7272) by @renovate[bot] - deps: update rust crates (#7270) by @renovate[bot] - deps: update oxc (#7262) by @renovate[bot] - deps: update github-actions (#7269) by @renovate[bot] - deps: update dependency dprint-typescript to v0.95.13 (#7268) by @renovate[bot] - deps: update `html5gum` to 0.8.1 (#7265) by @shulaoda - rolldown: remove unused `getModuleOptions` from `PluginContext` (#7266) by @shulaoda - remove unnecessary justfile ignore (#7243) by @IWANABETHATGUY - deps: update oxc apps (#7238) by @renovate[bot] - add `nul` to workaround https://github.com/anthropics/claude-c… (#7237) by @IWANABETHATGUY - deps: update dependency valibot to v1.2.0 [security] (#7231) by @renovate[bot] - deps: update crate-ci/typos action to v1.40.0 (#7232) by @renovate[bot] ### ❤️ New Contributors * @logaretm made their first contribution in [#7234](#7234) Co-authored-by: shulaoda <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.1.0->1.2.0GitHub Vulnerability Alerts
CVE-2025-66020
Summary
The
EMOJI_REGEXused in theemojiaction is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application.Details
The ReDoS vulnerability stems from "catastrophic backtracking" in the
EMOJI_REGEX. This is caused by ambiguity in the regex pattern due to overlapping character classes.Specifically, the class
\p{Emoji_Presentation}overlaps with more specific classes used in the same alternation, such as[\u{1F1E6}-\u{1F1FF}](regional indicator symbols used for flags) and\p{Emoji_Modifier_Base}.When the regex engine attempts to match a string that almost matches but ultimately fails (like the one in the PoC), this ambiguity forces it to explore an exponential number of possible paths. The matching time increases exponentially with the length of the crafted input, rather than linearly.
PoC
The following code demonstrates the vulnerability.
Impact
Any project using Valibot's
emojivalidation on user-controllable input is vulnerable to a Denial of Service attack.An attacker can block server resources (e.g., a web server's event loop) by submitting a short string to any endpoint that uses this validation. This is particularly dangerous because the attack string is short enough to bypass typical input length restrictions (e.g., maxLength(100)).
Recommended Fix
The root cause is the overlapping character classes. This can be resolved by making the alternatives mutually exclusive, typically by using negative lookaheads (
(?!...)) to subtract the specific classes from the more general one.The following modified
EMOJI_REGEXapplies this principle:Release Notes
open-circle/valibot (valibot)
v1.2.0Compare Source
Many thanks to @EskiMojo14, @makenowjust, @ysknsid25 and @jacekwilczynski for contributing to this release.
toBigint,toBoolean,toDate,toNumberandtoStringtransformation actions (pull request #1212)examplesaction to add example values to a schema (pull request #1199)getExamplesmethod to extract example values from a schema (pull request #1199)isbnvalidation action to validate ISBN-10 and ISBN-13 strings (pull request #1097)RawCheckAddIssue,RawCheckContext,RawCheckIssueInfo,RawTransformAddIssue,RawTransformContextandRawTransformIssueInfotypes for better developer experience withrawCheckandrawTransformactions (pull request #1359)EMOJI_REGEXused byemojiactionConfiguration
📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.