From dd8a092b0191e85849cf7c091cae981ded75f9d1 Mon Sep 17 00:00:00 2001
From: CloudQuery Bot <102256036+cq-bot@users.noreply.github.com>
Date: Wed, 18 Feb 2026 06:05:40 +0000
Subject: [PATCH 1/2] fix(deps): Update dependency ajv to v8.18.0 [SECURITY] (#346)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ajv](https://ajv.js.org) ([source](https://redirect.github.com/ajv-validator/ajv)) | dependencies | minor | [`8.17.1` -> `8.18.0`](https://renovatebot.com/diffs/npm/ajv/8.17.1/8.18.0) |

### GitHub Vulnerability Alerts

#### [CVE-2025-69873](https://nvd.nist.gov/vuln/detail/CVE-2025-69873)

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\"^(a|a)*$\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation.

---

### Release Notes
ajv-validator/ajv (ajv)

### [`v8.18.0`](https://redirect.github.com/ajv-validator/ajv/releases/tag/v8.18.0)

[Compare Source](https://redirect.github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0)

#### What's Changed

- feat: allow tree-shaking by adding `"sideEffects": false` to `package.json` by [@josdejong](https://redirect.github.com/josdejong) in [https://github.com/ajv-validator/ajv/pull/2480](https://redirect.github.com/ajv-validator/ajv/pull/2480)
- fix: [#2482](https://redirect.github.com/ajv-validator/ajv/issues/2482) Infinity and NaN serialise to null by [@jasoniangreen](https://redirect.github.com/jasoniangreen) in [https://github.com/ajv-validator/ajv/pull/2487](https://redirect.github.com/ajv-validator/ajv/pull/2487)
- fix: small grammatical error in managing-schemas.md by [@monteiro-renato](https://redirect.github.com/monteiro-renato) in [https://github.com/ajv-validator/ajv/pull/2508](https://redirect.github.com/ajv-validator/ajv/pull/2508)
- fix: typos in schema-language.md by [@monteiro-renato](https://redirect.github.com/monteiro-renato) in [https://github.com/ajv-validator/ajv/pull/2507](https://redirect.github.com/ajv-validator/ajv/pull/2507)
- fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by [@epoberezkin](https://redirect.github.com/epoberezkin) in [https://github.com/ajv-validator/ajv/pull/2586](https://redirect.github.com/ajv-validator/ajv/pull/2586)

#### New Contributors

- [@josdejong](https://redirect.github.com/josdejong) made their first contribution in [https://github.com/ajv-validator/ajv/pull/2480](https://redirect.github.com/ajv-validator/ajv/pull/2480)
- [@monteiro-renato](https://redirect.github.com/monteiro-renato) made their first contribution in [https://github.com/ajv-validator/ajv/pull/2508](https://redirect.github.com/ajv-validator/ajv/pull/2508)

**Full Changelog**: https://github.com/ajv-validator/ajv/compare/v8.17.1...v8.18.0
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 5b2bbff..3753567 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1307,9 +1307,9 @@ } }, "node_modules/ajv": { - "version": "8.17.1", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz", - "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==", + "version": "8.18.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz", + "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==", "license": "MIT", "dependencies": { "fast-deep-equal": "^3.1.3", From 47de2b999fb6d3902348b644373c83f04babe87d Mon Sep 17 00:00:00 2001 
From: CloudQuery Bot <102256036+cq-bot@users.noreply.github.com> Date: Wed, 18 Feb 2026 11:48:16 +0000 Subject: [PATCH 2/2] chore(main): Release v0.1.33 (#347) :robot: I have created a release *beep* *boop* --- ## [0.1.33](https://github.com/cloudquery/plugin-sdk-javascript/compare/v0.1.32...v0.1.33) (2026-02-18) ### Bug Fixes * **deps:** Update dependency ajv to v8.18.0 [SECURITY] ([#346](https://github.com/cloudquery/plugin-sdk-javascript/issues/346)) ([dd8a092](https://github.com/cloudquery/plugin-sdk-javascript/commit/dd8a092b0191e85849cf7c091cae981ded75f9d1)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --- .release-please-manifest.json | 2 +- CHANGELOG.md | 7 +++++++ package-lock.json | 4 ++-- package.json | 2 +- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.release-please-manifest.json b/.release-please-manifest.json index dd32f2b..b4f0aee 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.1.32" + ".": "0.1.33" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 6324170..b349a11 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.1.33](https://github.com/cloudquery/plugin-sdk-javascript/compare/v0.1.32...v0.1.33) (2026-02-18) + + +### Bug Fixes + +* **deps:** Update dependency ajv to v8.18.0 [SECURITY] ([#346](https://github.com/cloudquery/plugin-sdk-javascript/issues/346)) ([dd8a092](https://github.com/cloudquery/plugin-sdk-javascript/commit/dd8a092b0191e85849cf7c091cae981ded75f9d1)) + ## [0.1.32](https://github.com/cloudquery/plugin-sdk-javascript/compare/v0.1.31...v0.1.32) (2026-02-02) diff --git a/package-lock.json b/package-lock.json index 3753567..ea957a1 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -1,12 +1,12 @@ { "name": "@cloudquery/plugin-sdk-javascript", - "version": "0.1.32", + "version": "0.1.33", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@cloudquery/plugin-sdk-javascript", - "version": "0.1.32", + "version": "0.1.33", "license": "MPL-2.0", "dependencies": { "@apache-arrow/esnext-esm": "^21.0.0", diff --git a/package.json b/package.json index 8ca9304..18e4d8b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@cloudquery/plugin-sdk-javascript", - "version": "0.1.32", + "version": "0.1.33", "files": [ "dist", "!dist/**/*.test.*",
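
Review bot: In patch 1/2, the `node_modules/ajv` entry in package-lock.json is the only change (1 file, 3 insertions, 3 deletions), so the move to 8.18.0 reaches only installs that honour this lockfile. package.json is not touched, and a project that installs `@cloudquery/plugin-sdk-javascript` as a dependency resolves ajv from the declared range, not from this lock entry. If ajv is a direct dependency, raise its minimum to 8.18.0 in package.json in the same change. The quoted release note describes the fix as using the configured RegExp engine for `$data` patterns, so the description should also state whether this SDK enables `$data` and which engine it configures.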
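
Review bot: In patch 2/2, the CHANGELOG.md hunk files the ajv update under "Bug Fixes" with only the `[SECURITY]` tag and never names CVE-2025-69873, so a reader of the changelog cannot map release 0.1.33 to the advisory without opening #346. Add the CVE id to the entry, for example by appending it after `[SECURITY]`. The version bumps in .release-please-manifest.json, package-lock.json and package.json all move from 0.1.32 to 0.1.33 consistently.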