fix(deps): update dependency validator to v13.15.22 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
validator	13.11.0 → 13.15.22

GitHub Vulnerability Alerts

CVE-2025-56200

A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

CVE-2025-12758

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

---

Release Notes

validatorjs/validator.js (validator)

v13.15.22

Compare Source

Fixes, New Locales and Enhancements

• #​2622 isURL: fix regression with hostnames with ports @​mbtools
• #​2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #​2621 @​mbtools

v13.15.20

Compare Source

Fixes, New Locales and Enhancements

• #​2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #​2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #​2574 isBase64: improve padding regex @​KrayzeeKev
• #​2584 isVAT: improve FR locale @​iamAmer
• #​2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #​2563 @​stoneLeaf
  • #​2581 @​camillobruni

v13.15.15

Compare Source

Fixes, New Locales and Enhancements

• isMobilePhone
  • #​2514 improve el-CY locale @​rezk2ll
  • #​2512 improve pt-AO locale @​renaldodev
  • #​2502 improve ar-OM locale @​tomcastro
• #​2089 isIP: allow usage of option object @​pixelbucket-dev
• #​2526 isPassportNumber: improve CA locale @​evanbechtol
• #​2491 isBase64: improve validation based on RFC4648 @​aseyfpour
• #​2479 isPostalCode: improve FR locale @​Rajput-Balram
• #​2088 isBefore: allow usage of option object @​pixelbucket-dev
• #​2346 isRgbColor: allow second digit in rgba alpha value @​controlol
• #​2453 isIP: improve IPv6 regex @​ShreySinha02
• #​2052 isPostalCode: add PK locale @​mateeni-dev
• #​2529 isPostalCode: improve TW locale @​Crocsx
• #​2550 isPassportNumber: improve US locale @​yitzchak-schechter
• #​2553 isUUID: add loose option @​bc-m
• #​2551 isPostalCode: add BD locale @​tanvirrb
• #​2555 isLicensePlate: improve pt-PT locale @​castrosu
• Doc fixes and others:
  • #​2372 @​EmersonRabelo
  • #​2538 @​WikiRik
  • #​2539 @​WikiRik
  • #​2540 @​WikiRik
  • #​2549 @​WikiRik
  • #​2537 @​sgress454

v13.15.0

Compare Source

New Features / Validators

• #​2399 isISO31661Numeric @​RobinvanderVliet
• #​2294 isULID @​arafatkn
• #​2215 isISO15924 @​xDivisionByZerox

Fixes, New Locales and Enhancements

• isMobilePhone
  • #​2395 add es-GT locale @​ignaciosuarezquilis
  • #​1971 improve en-GB locale @​ihmpavel
  • #​2359 improve uk-UA locale @​arttiger
  • #​2350 improve ky-KG locale @​sadraliev
  • #​2482 improve en-ZM locale @​sonikishan
  • #​2362 improve en-GH locale @​NanaAb-116
  • #​2500 add mk-MK locale @​eshward95
  • #​2534 improve sq-AL locale @​nichoola
• #​2406 isBtcAddress support all address formats and testnets @​madoke
• #​2339 isIBAN improve VG regex @​ST-DDT
• #​2332 isISO4217 update currency codes @​cbodtorf
• #​2291 isIdentityCard add PK locale @​Daniyal-Qureshi
• #​2414 isEmail fix blacklist_chars @​keshavlingala
• #​2416 isInt/isFloat handle undefined and null values @​Daniyal-Qureshi
• #​2415 isPostalCode add CO locale @​jorgevrgs
• #​2404 isPassportNumber export passportNumberLocales @​derekparnell
• #​2029 isRgbColor add allowSpaces option @​a-h-i
• #​2421 isUUID require valid variant field and require RFC9562 UUID in version all @​broofa
• #​2439 isURL add max_allowed_length option @​pinkiesky
• #​2437 isEmail reject starting with double quotes @​code0emperor
• #​2333 isLicensePlate add en-SG locale @​Sabarinathan07
• #​2441 normalizeEmail add yandex_convert_yandexru option @​AayushGH
• #​2443 isDate return false instead of Error in certain cases @​pano9000
• #​2474 isLength add discreteLengths option @​Suven-p
• #​2481 isDate disallow mismatching length in strictMode @​sonikishan
• #​2492 isISO6346 set check digit to 0 if remainder is 10 @​joelcuy
• #​2493 isPostalCode improve BR locale @​ticmaisdev
• #​2494 isEmail allow regexp in host_whitelist and host_blacklist @​weikangchia
• #​2518 isIBAN improve IE/PS regex @​Tarasz57
• Doc fixes and others:
  • #​2402 @​BibhushanKarki
  • #​2394 @​RobinvanderVliet
  • #​1732 @​alguerocode
  • #​2413 @​rubiin
  • #​2408 @​profnandaa
  • #​2411 @​rubiin
  • #​2325 @​ovarn
  • #​2418 @​ihmpavel
  • #​2323 @​ovarn
  • #​2423 @​rubiin
  • #​2409 @​profnandaa
  • #​2442 @​pano9000

v13.12.0

Compare Source

New Features / Validators

• #​2143 isAbaRouting @​songyuew

Fixes, New Locales and Enhancements

• #​2207 isLicensePlate add Pakistani en-PK locale @​anasshakil
• #​2208 isPort fix invalid leading zeros @​anasshakil
• #​2224 isTaxID added Argentina es-AR locale @​estefrare
• #​2257 isDate timezone offset fix @​tomaspanek
• #​2265 isPassportNumber added ZA locale @​GMorris-professional
• isMobilePhone:
  • #​2267 added en-MW locale @​SimranSiddiqui
  • #​2140 fix am-AM locale @​AlexKrupko
• #​2271 isPostalAddress fix NL locale @​RobinvanderVliet
• #​2273 isISO4217 add SLE currency @​urg
• #​2278 isStrongPassword fix symbolRegex to include \ @​nandavikas
• #​2279 isVAT fixed KZ locale @​MatthieuLemoine
• #​2285 isAlpha, isAlphanumeric added eo locale @​RobinvanderVliet
• #​2320 isIBAN add Algeria DZ locale @​thibault-lr
• #​2343 isVATimprove AU locale @​matthewberryman
• #​2345 isUUID add support for v7 @​ruscon
• #​2358 isTaxID add Ukraine uk-UA locale @​arttiger
• #​2381 isDate disallow hiphen before year @​Sumit-tech-joshi
• Doc fixes and others:
  • #​2276 @​meyfa
  • #​2341 @​WikiRik
  • #​2364 @​rubiin
  • #​2368 @​ZhulinskiiDanil
  • #​2371 @​devmanbud
  • #​2386 @​alinaghale88

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[safedep]

SafeDep Report Summary

⚠ 1 packages are identified as suspicious, human review is recommended.

Package Details

Package	Malware	Vulnerability	Risky License	Report
validator @ 13.15.22 pnpm-lock.yaml				🔗

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

📦 Next.js Bundle Analysis for mx-kami

This analysis was generated by the Next.js Bundle Analysis action. 🤖

🎉 Global Bundle Size Decreased

Page	Size (compressed)
global	220.36 KB (-2 B)

Details

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

Three Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page	Size (compressed)	First Load	% of Budget (350 KB)
/[locale]/[page]	51.03 KB	271.39 KB	77.54% (+/- <0.01%)
/[locale]/notes/[id]	74.03 KB	294.39 KB	84.11% (+/- <0.01%)
/[locale]/recently	95.77 KB	316.13 KB	90.32% (🟡 +0.07%)

Details

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

The "Budget %" column shows what percentage of your performance budget the First Load total takes up. For example, if your budget was 100kb, and a given page's first load size was 10kb, it would be 10% of your budget. You can also see how much this has increased or decreased compared to the base branch of your PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this. If you see "+/- <0.01%" it means that there was a change in bundle size, but it is a trivial enough amount that it can be ignored.