bump ajv to 8.18.0 to address ReDoS CVE (GHSA-2g4f-4pwh-qvx6) #5649

Draft
Copilot wants to merge 2 commits into main from copilot/bump-ajv-version-8-18-0

Conversation

Copilot AI (Contributor) commented Feb 19, 2026

ajv < 8.18.0 has a ReDoS vulnerability when using the $data option (GHSA-2g4f-4pwh-qvx6). This updates all direct and transitive references across the monorepo.

Changes

  • libraries/rig-package/package.json and libraries/node-core-library/package.json — bump direct ajv dep from ~8.13.0 to ~8.18.0
  • common/config/rush/pnpm-config.json — add globalOverrides entry to force all transitive consumers (e.g. webpack, ajv-keywords) to resolve ajv@8.18.0:
        // `ajv` versions < 8.18.0 have a ReDoS vulnerability when using the `$data` option
        // https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
        "ajv@<8.18.0": "8.18.0"
  • Lockfiles regenerated — both default and build-tests-subspace lockfiles now resolve only ajv@8.18.0; previous entries for 6.12.6, 8.12.0, 8.13.0, and 8.17.1 are gone
Original prompt

This section gives details on the original issue you should resolve.

<issue_title>[rushstack] ajv must bump to 8.18.0 to address CVE</issue_title>
<issue_description>

Summary

Various rushstack projects have a vulnerable version of ajv. We need to bump the version of ajv everywhere to 8.18.0.
ajv has a ReDoS when using the $data option:
GHSA-2g4f-4pwh-qvx6

Impacted projects include:

  • @rushstack/eslint-config
  • @rushstack/eslint-plugin
  • @rushstack/eslint-plugin-packlets
  • @rushstack/eslint-plugin-security
  • @rushstack/node-core-library
  • @rushstack/heft
  • @rushstack/node-core-library
  • @rushstack/set-webpack-public-path-plugin
  • @rushstack/terminal
  • @rushstack/webpack5-localization-plugin
  • @rushstack/ts-command-line
  • @rushstack/heft-sass-plugin
  • @rushstack/typings-generator
  • @rushstack/debug-certificate-manager
  • @rushstack/heft-dev-cert-plugin
  • @rushstack/heft-webpack5-plugin
</issue_description>

<agent_instructions>
  • Update all direct references in package.json files in the repository
  • Run rush update to update the lockfile
  • Check to see if the pnpm-lock.yaml files still contain versions of ajv less than 8.18.0 (can search for lines that start with ajv@ and look for the version after the @; the leading space in the pattern is important)
  • If there are earlier versions still in place, look for which packages consume said versions, and if the consuming packages are directly referenced in package.json files in the repository
  • If consumers are directly referenced in workspace package.json files, report them in the PR comments, and suggest possible upgrades to those packages.
  • If there were any nested dependencies on ajv still with a version less than 8.18.0, add an entry in pnpm-config.json globalOverrides for "ajv@<8.18.0": "8.18.0" with a comment linking to the GHSA issue.
  • Run rush update --recheck to force the new pnpm-config.json to take effect
  • Search the pnpm-lock.yaml files again for old versions of ajv and report
</agent_instructions>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: dmichon-msft <26827560+dmichon-msft@users.noreply.github.com>
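The lockfile check described in the agent instructions (search pnpm-lock.yaml for indented `ajv@<version>` entry keys and flag anything below 8.18.0), written out as an added example; this is not code from the rushstack repository, and `findVulnerableAjv`, `compareSemver` and the sample lockfile fragment are constructed for this illustration.

```javascript
// Added example (not rushstack code): scan pnpm-lock.yaml text for ajv entries below a safe version.
const MIN_SAFE_AJV = '8.18.0'; // first release without the $data ReDoS (GHSA-2g4f-4pwh-qvx6)

// Split "major.minor.patch[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}
// Negative if a < b, 0 if equal, positive if a > b; a prerelease of X sorts
// before the release of X (prerelease tags are not compared to each other).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Distinct ajv versions below minVersion appearing as indented entry keys
// (`  ajv@<version>:` or `  ajv@<version>(peers)`), sorted ascending.
function findVulnerableAjv(lockfileText, minVersion = MIN_SAFE_AJV) {
  const found = new Set();
  for (const line of lockfileText.split('\n')) {
    // Leading whitespace is required: it selects entry keys and rejects
    // lines such as `ajv-keywords@...` or the `ajv: 6.12.6` dependency refs.
    const m = /^\s+ajv@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)(?=[(:\s]|$)/.exec(line);
    if (m && compareSemver(m[1], minVersion) < 0) found.add(m[1]);
  }
  return [...found].sort(compareSemver);
}

// Constructed lockfile fragment in pnpm's packages/snapshots layout.
const SAMPLE_LOCK = `
packages:
  ajv@6.12.6:
    resolution: {integrity: sha512-constructed}
  ajv@8.17.1:
    resolution: {integrity: sha512-constructed}
  ajv@8.18.0:
    resolution: {integrity: sha512-constructed}
snapshots:
  ajv-keywords@3.5.2(ajv@6.12.6):
    dependencies:
      ajv: 6.12.6
`;
console.log(findVulnerableAjv(SAMPLE_LOCK)); // [ '6.12.6', '8.17.1' ]
```

Run it against each real lockfile's contents after `rush update --recheck`; an empty result means the globalOverrides entry took effect.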
Copilot AI changed the title [WIP] Update ajv version to 8.18.0 to address CVE bump ajv to 8.18.0 to address ReDoS CVE (GHSA-2g4f-4pwh-qvx6) Feb 19, 2026
Copilot AI requested a review from dmichon-msft February 19, 2026 21:02

// `ajv` versions < 8.18.0 have a ReDoS vulnerability when using the `$data` option
// https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
"ajv@<8.18.0": "8.18.0"
Member


This won't bump it in the published packages - it'll just bump it inside this repo.


Development

Successfully merging this pull request may close these issues.

[rushstack] ajv must bump to 8.18.0 to address CVE