fix: security update

middyjs · Nov 3, 2024 · 0a668ae · 0a668ae
1 parent 4834c17
commit 0a668ae
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/packages/validator/transpile.js b/packages/validator/transpile.js
@@ -55,7 +55,7 @@ const compileSchema = (schema, options = {}) => {
 const ajvDefaults = {
   strict: true,
   coerceTypes: 'array', // important for query string params
-  allErrors: true,
+  allErrors: false, // As per AJV security guidance
   useDefaults: 'empty',
   messages: true // needs to be true to allow multi-locale errorMessage to work
 }

diff --git a/website/docs/middlewares/validator.md b/website/docs/middlewares/validator.md
@@ -55,7 +55,7 @@ Transpile JSON-Schema in to JavaScript. Default ajv plugins used: `ajv-i18n`, `a
 
 - `schema` (object) (required): JSON-Schema object
 - `ajvOptions` (object) (default `undefined`): Options to pass to [ajv](https://ajv.js.org/docs/api.html#options)
-  class constructor. Defaults are `{ strict: true, coerceTypes: 'array', allErrors: true, useDefaults: 'empty', messages: true }`.
+  class constructor. Defaults are `{ strict: true, coerceTypes: 'array', allErrors: false, useDefaults: 'empty', messages: true }`.
 
 ## transpileLocale
 

diff --git a/website/docs/upgrade/5-6.md b/website/docs/upgrade/5-6.md
@@ -135,7 +135,7 @@ No change
 
 ### [validator](/docs/middlewares/validator)
 
-No change
+- Remove `allErrors:true` from default options.
 
 ### [warmup](/docs/middlewares/warmup)