chore(deps): update dependency valibot to v1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
valibot (source)	^0.42.0 -> ^1.0.0

GitHub Vulnerability Alerts

CVE-2025-66020

Summary

The EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application.

Details

The ReDoS vulnerability stems from "catastrophic backtracking" in the EMOJI_REGEX. This is caused by ambiguity in the regex pattern due to overlapping character classes.

Specifically, the class \p{Emoji_Presentation} overlaps with more specific classes used in the same alternation, such as [\u{1F1E6}-\u{1F1FF}] (regional indicator symbols used for flags) and \p{Emoji_Modifier_Base}.

When the regex engine attempts to match a string that almost matches but ultimately fails (like the one in the PoC), this ambiguity forces it to explore an exponential number of possible paths. The matching time increases exponentially with the length of the crafted input, rather than linearly.

PoC

The following code demonstrates the vulnerability.

import * as v from 'valibot';

const schema = v.object({
  x: v.pipe(v.string(), v.emoji()),
});

const attackString = '\u{1F1E6}'.repeat(49) + '0';

console.log(`Input length: ${attackString.length}`);
console.log('Starting parse... (This will take a long time)');

// On my machine, a length of 99 takes approximately 2 minutes.
console.time();
try {
  v.parse(schema, {x: attackString });
} catch (e) {}
console.timeEnd();

Impact

Any project using Valibot's emoji validation on user-controllable input is vulnerable to a Denial of Service attack.

An attacker can block server resources (e.g., a web server's event loop) by submitting a short string to any endpoint that uses this validation. This is particularly dangerous because the attack string is short enough to bypass typical input length restrictions (e.g., maxLength(100)).

Recommended Fix

The root cause is the overlapping character classes. This can be resolved by making the alternatives mutually exclusive, typically by using negative lookaheads ((?!...)) to subtract the specific classes from the more general one.

The following modified EMOJI_REGEX applies this principle:

export const EMOJI_REGEX: RegExp =
  // eslint-disable-next-line redos-detector/no-unsafe-regex, regexp/no-dupe-disjunctions -- false positives
  /^(?:[\u{1F1E6}-\u{1F1FF}]{2}|\u{1F3F4}[\u{E0061}-\u{E007A}]{2}[\u{E0030}-\u{E0039}\u{E0061}-\u{E007A}]{1,3}\u{E007F}|(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|(?![\p{Emoji_Modifier_Base}\u{1F1E6}-\u{1F1FF}])\p{Emoji_Presentation})(?:\u200D(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|(?![\p{Emoji_Modifier_Base}\u{1F1E6}-\u{1F1FF}])\p{Emoji_Presentation}))*)+$/u;

---

Release Notes

open-circle/valibot (valibot)

v1.2.0

Compare Source

Many thanks to @​EskiMojo14, @​makenowjust, @​ysknsid25 and @​jacekwilczynski for contributing to this release.

Read the release notes on our website for a quick overview of the most exciting new features in this release.

• Add toBigint, toBoolean, toDate, toNumber and toString transformation actions (pull request #​1212)
• Add examples action to add example values to a schema (pull request #​1199)
• Add getExamples method to extract example values from a schema (pull request #​1199)
• Add isbn validation action to validate ISBN-10 and ISBN-13 strings (pull request #​1097)
• Add exports for RawCheckAddIssue, RawCheckContext, RawCheckIssueInfo, RawTransformAddIssue, RawTransformContext and RawTransformIssueInfo types for better developer experience with rawCheck and rawTransform actions (pull request #​1359)
• Change build step to tsdown
• Fix ReDoS vulnerability in EMOJI_REGEX used by emoji action

v1.1.0

Compare Source

Many thanks to @​EltonLobo07, @​sacrosanctic, @​muningis, @​EskiMojo14, @​MOZGIII, @​vktrl and @​jasperteo for contributing to this release.

Read the release notes on our website for a quick overview of the most exciting new features in this release.

• Add message method to overwrite local error message configuration of a schema (pull request #​1103)
• Add summarize method to summarize issues into a pretty-printable multi-line string (pull request #​1158)
• Add getTitle, getDescription and getMetadata methods to extract metadata of a schema (pull request #​1154)
• Add minEntries and maxEntries validation action to validate number of object entries (pull request #​1100)
• Add entries and notEntries validation action to validate number of object entries (pull request #​1156)
• Add parseJson and stringifyJson transformation action to parse and stringify JSON (pull request #​1137)
• Add flavor transformation action to flavor the output type of a schema (pull request #​950)
• Add support for bigints to multipleOf validation action (pull request #​1164)
• Change implementation of variant and variantAsync schema to improve performance by aborting validation of discriminators early (pull request #​1110)
• Change name of NanoIDAction and NanoIDIssue interface to NanoIdAction and NanoIdIssue (pull request #​1171)
• Fix internal MarkOptional type to fix input and output type of objects in edge cases (issue #​1176)

v1.0.0

Compare Source

This is a summary of the changes between v0 and v1. Many thanks to everyone who contributed to this release.

• Add assert method to assert values (issue #​862)
• Add checkItemsAsync action (pull request #​856)
• Add graphemes, maxGraphemes, minGraphemes and notGraphemes action (pull request #​853)
• Add words, maxWords, minWords and notWords action
• Add args and returns action to transform functions (issue #​243)
• Add rfcEmail action to validate RFC 5322 email addresses (pull request #​912)
• Add gtValue and ltValue action for greater than and less than validation (pull request #​978, #​985)
• Add values and notValues action for easier multi-value validation (pull request #​919)
• Add slug action to validate URL slugs (pull request #​910)
• Add support for ReadonlyMap and ReadonlySet to readonly action (issue #​1059)
• Add entriesFromObjects util to improve tree shaking (pull request #​1023)
• Add new overload signature to pipe and pipeAync method to support unlimited pipe items of same input and output type (issue #​852)
• Add @__NO_SIDE_EFFECTS__ notation to improve tree shaking (pull request #​995)
• Add exactOptional and exactOptionalAsync schema (PR #​1013)
• Change types and implementation to support Standard Schema
• Change behaviour of minValue and maxValue for NaN (pull request #​843)
• Change type and behaviour of nullable, nullableAsync, nullish, nullishAsync, optional, optionalAsync, undefinedable and undefinedableAsync for undefined default value (issue #​878)
• Change type signature of partialCheck and partialCheckAsync action to add .pathList property in a type-safe way
• Change type signature of findItem action to support type predicates (issue #​867)
• Change validation of missing object entries in looseObject, looseObjectAsync, object, objectAsync, objectWithRest, objectWithRestAsync, strictObject and strictObject (PR #​1013)
• Change type signature of optional and optionalAsync when used within an object schema (PR #​1013)
• Change MarkOptional type to fix order of entries and TS error when using generic schemas (issue #​1021)
• Change VariantOption and VariantOptionAsync type to fix TS error when using generic schemas (issue #​842)
• Change implementation of variant and variantAsync to support optional discriminators using exactOptional, exactOptionalAsync, optional, optionalAsync, nullish or nullishAsync
• Change _addIssue to not ignore empty strings as error message (pull request #​1065)
• Change ISO_DATE_TIME_REGEX and ISO_TIMESTAMP_REGEX to support space as separator (pull request #​1064)
• Change pipe tuple of pipe and pipeAsync to be readonly by default
• Change forward, forwardCheck, partialCheck and partialCheckAsync to improve TypeScript performance (issue #​987)
• Change DECIMAL_REGEX to support floats that start with a dot (pull request #​1086)
• Change exports to export only public types to reduce noise
• Refactor bytes, maxBytes, minBytes and notBytes action
• Fix implementation of nonOptional, nonOptionalAsync, nonNullable, nonNullableAsync, nonNullish and nonNullishAsync schema in edge cases (issue #​909)
• Fix instantiation error for any in PathKeys type (issue #​929)
• Fix TypeScript error of keyof method for objects with many keys (pull request #​988)
• Fix options filtering in enum_ schema (pull request #​941)
• Fix partialCheck and partialCheckAsync action for typed data with issues

v0.42.1

Compare Source

• Fix function type declaration of _run property

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.