Skip to content

Update dependency effect to v3.19.8 #138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
renovate wants to merge 119 commits into from
Closed

Update dependency effect to v3.19.8 #138

renovate wants to merge 119 commits into from
+900 −1,091

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jul 13, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
effect (source) 3.16.12 -> 3.19.8 age confidence

Release Notes

Effect-TS/effect (effect)

v3.19.8

Compare Source

Patch Changes
  • #​5815 f03b8e5 Thanks @​lokhmakov! - Prevent multiple iterations over the same Iterable in Array.intersectionWith and Array.differenceWith

v3.19.7

Compare Source

Patch Changes

v3.19.6

Compare Source

Patch Changes

v3.19.5

Compare Source

Patch Changes

v3.19.4

Compare Source

Patch Changes

  • #​5752 f445b87 Thanks @​janglad! - Fix Types.DeepMutable mapping over functions

  • #​5757 d2b68ac Thanks @​tim-smart! - add experimental PartitionedSemaphore module

    A PartitionedSemaphore is a concurrency primitive that can be used to
    control concurrent access to a resource across multiple partitions identified
    by keys.

    The total number of permits is shared across all partitions, with waiting
    permits equally distributed among partitions using a round-robin strategy.

    This is useful when you want to limit the total number of concurrent accesses
    to a resource, while still allowing for fair distribution of access across
    different partitions.

    import { Effect, PartitionedSemaphore } from "effect"

Effect.gen(function* () {
  const semaphore = yield* PartitionedSemaphore.make<string>({ permits: 5 })

  // Take the first 5 permits with key "A", then the following permits will be
  // equally distributed between all the keys using a round-robin strategy
  yield* Effect.log("A").pipe(
    Effect.delay(1000),
    semaphore.withPermits("A", 1),
    Effect.replicateEffect(15, { concurrency: "unbounded" }),
    Effect.fork
  )
  yield* Effect.log("B").pipe(
    Effect.delay(1000),
    semaphore.withPermits("B", 1),
    Effect.replicateEffect(10, { concurrency: "unbounded" }),
    Effect.fork
  )
  yield* Effect.log("C").pipe(
    Effect.delay(1000),
    semaphore.withPermits("C", 1),
    Effect.replicateEffect(10, { concurrency: "unbounded" }),
    Effect.fork
  )

  return yield* Effect.never
}).pipe(Effect.runFork)

v3.19.3

Compare Source

Patch Changes

v3.19.2

Compare Source

Patch Changes

v3.19.1

Compare Source

Patch Changes

v3.19.0

Compare Source

Minor Changes
Patch Changes

v3.18.5

Compare Source

Patch Changes

  • #​5669 a537469 Thanks @​fubhy! - Fix Graph.neighbors() returning self-loops in undirected graphs.

    Graph.neighbors() now correctly returns the other endpoint for undirected graphs instead of always returning edge.target, which caused nodes to appear as their own neighbors when queried from the target side of an edge.

  • #​5628 52d5963 Thanks @​mikearnaldi! - Make sure AsEffect is computed

  • #​5671 463345d Thanks @​gcanti! - JSON Schema generation: add jsonSchema2020-12 target and fix tuple output for:

    • JSON Schema 2019-09
    • OpenAPI 3.1

v3.18.4

Compare Source

Patch Changes

  • #​5617 6ae2f5d Thanks @​gcanti! - JSONSchema: Fix issue where invalid defaults were included in the output.

    Now they are ignored, similar to invalid examples.

    Before

    import { JSONSchema, Schema } from "effect"

const schema = Schema.NonEmptyString.annotations({
  default: ""
})

const jsonSchema = JSONSchema.make(schema)

console.log(JSON.stringify(jsonSchema, null, 2))
/*
Output:
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "string",
  "description": "a non empty string",
  "title": "nonEmptyString",
  "default": "",
  "minLength": 1
}
*/

    After

    import { JSONSchema, Schema } from "effect"

const schema = Schema.NonEmptyString.annotations({
  default: ""
})

const jsonSchema = JSONSchema.make(schema)

console.log(JSON.stringify(jsonSchema, null, 2))
/*
Output:
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "string",
  "description": "a non empty string",
  "title": "nonEmptyString",
  "minLength": 1
}
*/

v3.18.3

Compare Source

Patch Changes

  • #​5612 25fab81 Thanks @​gcanti! - Fix JSON Schema generation with topLevelReferenceStrategy: "skip", closes #​5611

    This patch fixes a bug that occurred when generating JSON Schemas with nested schemas that had identifiers, while using topLevelReferenceStrategy: "skip".

    Previously, the generator would still output $ref entries even though references were supposed to be skipped, leaving unresolved definitions.

    Before

    import { JSONSchema, Schema } from "effect"

const A = Schema.Struct({ value: Schema.String }).annotations({
  identifier: "A"
})
const B = Schema.Struct({ a: A }).annotations({ identifier: "B" })

const definitions = {}
console.log(
  JSON.stringify(
    JSONSchema.fromAST(B.ast, {
      definitions,
      topLevelReferenceStrategy: "skip"
    }),
    null,
    2
  )
)
/*
{
  "type": "object",
  "required": ["a"],
  "properties": {
    "a": {
      "$ref": "#/$defs/A"
    }
  },
  "additionalProperties": false
}
*/
console.log(definitions)
/*
{
  A: {
    type: "object",
    required: ["value"],
    properties: { value: [Object] },
    additionalProperties: false
  }
}
*/

    After

    import { JSONSchema, Schema } from "effect"

const A = Schema.Struct({ value: Schema.String }).annotations({
  identifier: "A"
})
const B = Schema.Struct({ a: A }).annotations({ identifier: "B" })

const definitions = {}
console.log(
  JSON.stringify(
    JSONSchema.fromAST(B.ast, {
      definitions,
      topLevelReferenceStrategy: "skip"
    }),
    null,
    2
  )
)
/*
{
  "type": "object",
  "required": ["a"],
  "properties": {
    "a": {
      "type": "object",
      "required": ["value"],
      "properties": {
        "value": { "type": "string" }
      },
      "additionalProperties": false
    }
  },
  "additionalProperties": false
}
*/
console.log(definitions)
/*
{}
*/

    Now schemas are correctly inlined, and no leftover $ref entries or unused definitions remain.

v3.18.2

Compare Source

Patch Changes

v3.18.1

Compare Source

Patch Changes

v3.18.0

Compare Source

Minor Changes

  • #​5302 1c6ab74 Thanks @​schickling! - Add experimental Graph module with comprehensive graph data structure support

    This experimental module provides:

    • Directed and undirected graph support
    • Immutable and mutable graph variants
    • Type-safe node and edge operations
    • Graph algorithms: DFS, BFS, shortest paths, cycle detection, etc.

    Example usage:

    import { Graph } from "effect"

// Create a graph with mutations
const graph = Graph.directed<string, number>((mutable) => {
  const nodeA = Graph.addNode(mutable, "Node A")
  const nodeB = Graph.addNode(mutable, "Node B")
  Graph.addEdge(mutable, nodeA, nodeB, 5)
})

console.log(
  `Nodes: ${Graph.nodeCount(graph)}, Edges: ${Graph.edgeCount(graph)}`
)

  • #​5302 70fe803 Thanks @​mikearnaldi! - Automatically set otel parent when present as external span

  • #​5302 c296e32 Thanks @​tim-smart! - add Effect.Semaphore.resize

  • #​5302 a098ddf Thanks @​mikearnaldi! - Introduce ReadonlyTag as the covariant side of a tag, enables:

    import type { Context } from "effect"
import { Effect } from "effect"

export class MyRequirement extends Effect.Service<MyRequirement>()(
  "MyRequirement",
  { succeed: () => 42 }
) {}

export class MyUseCase extends Effect.Service<MyUseCase>()("MyUseCase", {
  dependencies: [MyRequirement.Default],
  effect: Effect.gen(function* () {
    const requirement = yield* MyRequirement
    return Effect.fn("MyUseCase.execute")(function* () {
      return requirement()
    })
  })
}) {}

export function effectHandler<I, Args extends Array<any>, A, E, R>(
  service: Context.ReadonlyTag<I, (...args: Args) => Effect.Effect<A, E, R>>
) {
  return Effect.fn("effectHandler")(function* (...args: Args) {
    const execute = yield* service
    yield* execute(...args)
  })
}

export const program = effectHandler(MyUseCase)

v3.17.14

Compare Source

Patch Changes

v3.17.13

Compare Source

Patch Changes

v3.17.12

Compare Source

Patch Changes

v3.17.11

Compare Source

Patch Changes

v3.17.10

Compare Source

Patch Changes

  • #​5368 3b26094 Thanks @​gcanti! - ## Annotation Behavior

    When you call .annotations on a schema, any identifier annotations that were previously set will now be removed. Identifiers are now always tied to the schema's ast reference (this was the intended behavior).

    Example

    import { JSONSchema, Schema } from "effect"

const schema = Schema.URL

console.log(JSON.stringify(JSONSchema.make(schema), null, 2))
/*
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$defs": {
    "URL": {
      "type": "string",
      "description": "a string to be decoded into a URL"
    }
  },
  "$ref": "#/$defs/URL"
}
*/

const annotated = Schema.URL.annotations({ description: "description" })

console.log(JSON.stringify(JSONSchema.make(annotated), null, 2))
/*
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "string",
  "description": "description"
}
*/

v3.17.9

Compare Source

Patch Changes

v3.17.8

Compare Source

Patch Changes

v3.17.7

Compare Source

Patch Changes

v3.17.6

Compare Source

Patch Changes

v3.17.5

Compare Source

Patch Changes

v3.17.4

Compare Source

Patch Changes

v3.17.3

Compare Source

Patch Changes

  • #​5275 3504555 Thanks @​taylornz! - fix DateTime.makeZoned handling of DST transitions

  • #​5282 f6c7ca7 Thanks @​beezee! - Improve inference on Metric.trackSuccessWith for use in Effect.pipe(...)

  • #​5275 3504555 Thanks @​taylornz! - add DateTime.Disambiguation for handling DST edge cases

    Added four disambiguation strategies to DateTime.Zoned constructors for handling DST edge cases:

    • 'compatible' - Maintains backward compatibility
    • 'earlier' - Choose earlier time during ambiguous periods (default)
    • 'later' - Choose later time during ambiguous periods
    • 'reject' - Throw error for ambiguous times

v3.17.2

Compare Source

Patch Changes

v3.17.1

Compare Source

Patch Changes

v3.17.0

Compare Source

Minor Changes

  • #​4949 40c3c87 Thanks @​fubhy! - Added Random.fixed to create a version of the Random service with fixed
    values for testing.

  • #​4949 ed2c74a Thanks @​dmaretskyi! - Add Struct.entries function

  • #​4949 073a1b8 Thanks @​f15u! - Add Layer.mock

    Creates a mock layer for testing purposes. You can provide a partial
    implementation of the service, and any methods not provided will
    throw an UnimplementedError defect when called.

    import { Context, Effect, Layer } from "effect"

class MyService extends Context.Tag("MyService")<
  MyService,
  {
    one: Effect.Effect<number>
    two(): Effect.Effect<number>
  }
>() {}

const MyServiceTest = Layer.mock(MyService, {
  two: () => Effect.succeed(2)
})

  • #​4949 f382e99 Thanks @​KhraksMamtsov! - Schedule output has been added into CurrentIterationMetadata

  • #​4949 e8c7ba5 Thanks @​mikearnaldi! - Remove global state index by version, make version mismatch a warning message

  • #​4949 7e10415 Thanks @​devinjameson! - Array: add findFirstWithIndex function

  • #​4949 e9bdece Thanks @​vinassefranche! - Add HashMap.countBy

    import { HashMap } from "effect"

const map = HashMap.make([1, "a"], [2, "b"], [3, "c"])
const result = HashMap.countBy(map, (_v, key) => key % 2 === 1)
console.log(result) // 2

  • #​4949 8d95eb0 Thanks @​tim-smart! - add Effect.ensure{Success,Error,Requirements}Type, for constraining Effect types

v3.16.17

Compare Source

Patch Changes

v3.16.16

Compare Source

Patch Changes

v3.16.15

Compare Source

Patch Changes
  • #​5222 15df9bf Thanks @​gcanti! - Schema.attachPropertySignature: simplify signature and fix parameter type to use Schema instead of SchemaClass

v3.16.14

Compare Source

Patch Changes

  • #​5213 f5dfabf Thanks @​gcanti! - Fix incorrect schema ID annotation in Schema.lessThanOrEqualToDate, closes #​5212

  • #​5192 17a5ea8 Thanks @​nikelborm! - Updated deprecated OTel Resource attributes names and values.

    Many of the attributes have undergone the process of deprecation not once, but twice. Most of the constants holding attribute names have been renamed. These are minor changes.

    Additionally, there were numerous changes to the attribute keys themselves. These changes can be considered major.

    In the @opentelemetry/semantic-conventions package, new attributes having ongoing discussion about them are going through a process called incubation, until a consensus about their necessity and form is reached. Otel team recommends devs to copy them directly into their code. Luckily, it's not necessary because all of the new attribute names and values came out of this process (some of them were changed again) and are now considered stable.

v3.16.13

Compare Source

Patch Changes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot and others added 30 commits May 20, 2025 20:02
@renovate
chore(deps): update dependency @types/node to v20.17.49
ef7f8ee
@mmkal
Merge remote-tracking branch 'origin/main' into deps
0a6156f
@renovate
chore(deps): update dependency @types/node to v20.17.50
98289fc
@renovate
chore(deps): update dependency effect to v3.15.3
14bac90
@renovate
chore(deps): update dependency @inquirer/prompts to v7.5.2
89be45c
@renovate
chore(deps): update dependency effect to v3.15.4
9af45ab
@renovate
fix(deps): update dependency zod to v3.25.28
e6b6ee3
@renovate
chore(deps): update dependency @inquirer/prompts to v7.5.3
528f0a5
@renovate
chore(deps): update dependency @types/node to v20.17.51
a194470
@renovate
chore(deps): update dependency effect to v3.16.0
216d00a
@renovate
chore(deps): update dependency pkg-pr-new to ^0.0.51
f6ebc1d
@renovate
chore(deps): update dependency @types/node to v20.17.52
b006b1b
@renovate
chore(deps): update dependency effect to v3.16.1
7091f89
@renovate
chore(deps): update dependency effect to v3.16.2
32bd382
@renovate
chore(deps): update dependency @types/node to v20.17.55
eda7421
@renovate
chore(deps): update dependency @types/node to v20.17.57
d6b4fc4
@renovate
chore(deps): update dependency effect to v3.16.3
8c2d3bc
@renovate
chore(deps): update dependency @valibot/to-json-schema to v1.3.0
b26c449
@renovate
chore(deps): update dependency vitest to v3.2.0
525cb5c
@renovate
chore(deps): update pnpm to v10.11.1
5e2c8d2
@renovate
fix(deps): update dependency @trpc/server to v11.2.0 (#92)
e8cfd08 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@trpc/server](https://trpc.io)
([source](https://redirect.github.com/trpc/trpc/tree/HEAD/packages/server))
| [`11.1.2` ->
`11.2.0`](https://renovatebot.com/diffs/npm/@trpc%2fserver/11.1.2/11.2.0)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@trpc%2fserver/11.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@trpc%2fserver/11.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@trpc%2fserver/11.1.2/11.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@trpc%2fserver/11.1.2/11.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/mmkal/trpc-cli).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4xNi4wIiwidXBkYXRlZEluVmVyIjoiNDAuMzMuNiIsInRhcmdldEJyYW5jaCI6ImRlcHMiLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate
fix(deps): update dependency zod to v3.25.49 (#93)
6d3f647 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [zod](https://zod.dev)
([source](https://redirect.github.com/colinhacks/zod)) | [`3.25.28` ->
`3.25.49`](https://renovatebot.com/diffs/npm/zod/3.25.28/3.25.49) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/zod/3.25.49?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/zod/3.25.49?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/zod/3.25.28/3.25.49?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/zod/3.25.28/3.25.49?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/mmkal/trpc-cli).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4xNi4wIiwidXBkYXRlZEluVmVyIjoiNDAuMzMuNiIsInRhcmdldEJyYW5jaCI6ImRlcHMiLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate
chore(deps): update dependency vitest to v3.2.1
9abac62
@renovate
fix(deps): update dependency zod to v3.25.50
92323f3
@renovate
fix(deps): update dependency zod to v3.25.51
9646531
@renovate
fix(deps): update dependency @trpc/server to v11.3.0
f4a3bc9
@renovate
chore(deps): update dependency effect to v3.16.4
97a0191
@renovate
chore(deps): update dependency vitest to v3.2.2
aae3e36
@renovate
fix(deps): update dependency @trpc/server to v11.3.1
9f790e5
@renovate
fix(deps): update dependency zod to v3.25.56
37b710e
@renovate renovate bot force-pushed the renovate/effect-3.x branch from 83e4f19 to d64031c Compare November 9, 2025 09:03
@renovate renovate bot changed the title Update dependency effect to v3.19.2 Update dependency effect to v3.19.3 Nov 9, 2025
@renovate renovate bot changed the title Update dependency effect to v3.19.3 chore(deps): update dependency effect to v3.19.3 Nov 11, 2025
@renovate renovate bot changed the title chore(deps): update dependency effect to v3.19.3 Update dependency effect to v3.19.3 Nov 11, 2025
@renovate renovate bot changed the title Update dependency effect to v3.19.3 chore(deps): update dependency effect to v3.19.3 Nov 15, 2025
@renovate renovate bot force-pushed the renovate/effect-3.x branch from d64031c to ecc3195 Compare November 15, 2025 23:27
@renovate renovate bot force-pushed the renovate/effect-3.x branch from ecc3195 to 40ff701 Compare November 15, 2025 23:40
@renovate renovate bot changed the title chore(deps): update dependency effect to v3.19.3 Update dependency effect to v3.19.3 Nov 16, 2025
@renovate renovate bot changed the title Update dependency effect to v3.19.3 Update dependency effect to v3.19.4 Nov 17, 2025
@renovate renovate bot force-pushed the renovate/effect-3.x branch from 40ff701 to 2e922d7 Compare November 17, 2025 06:00
@renovate renovate bot changed the title Update dependency effect to v3.19.4 chore(deps): update dependency effect to v3.19.4 Nov 18, 2025
@renovate renovate bot changed the title chore(deps): update dependency effect to v3.19.4 Update dependency effect to v3.19.4 Nov 19, 2025
@renovate renovate bot changed the title Update dependency effect to v3.19.4 Update dependency effect to v3.19.5 Nov 20, 2025
@renovate renovate bot force-pushed the renovate/effect-3.x branch 2 times, most recently from 053ef73 to 41ffb9b Compare November 21, 2025 02:11
@renovate renovate bot changed the title Update dependency effect to v3.19.5 Update dependency effect to v3.19.6 Nov 21, 2025
@renovate renovate bot changed the title Update dependency effect to v3.19.6 Update dependency effect to v3.19.7 Nov 27, 2025
@renovate renovate bot force-pushed the renovate/effect-3.x branch from 41ffb9b to 806f069 Compare November 27, 2025 05:02
@renovate renovate bot changed the title Update dependency effect to v3.19.7 Update dependency effect to v3.19.8 Nov 27, 2025
@renovate renovate bot force-pushed the renovate/effect-3.x branch from 806f069 to 26c2c05 Compare November 27, 2025 21:09
renovate bot and others added 2 commits December 1, 2025 09:31
@renovate @mmkal
Update dependency valibot to v1.2.0 [SECURITY] (#162)
e914fb3 
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [valibot](https://valibot.dev)
([source](https://redirect.github.com/open-circle/valibot)) | [`1.1.0`
-> `1.2.0`](https://renovatebot.com/diffs/npm/valibot/1.1.0/1.2.0) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/valibot/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/valibot/1.1.0/1.2.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-66020](https://redirect.github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9)

### Summary

The `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular
Expression Denial of Service (ReDoS) attack. A short, maliciously
crafted string (e.g., <100 characters) can cause the regex engine to
consume excessive CPU time (minutes), leading to a Denial of Service
(DoS) for the application.

### Details

The ReDoS vulnerability stems from "catastrophic backtracking" in the
`EMOJI_REGEX`. This is caused by ambiguity in the regex pattern due to
overlapping character classes.

Specifically, the class `\p{Emoji_Presentation}` overlaps with more
specific classes used in the same alternation, such as
`[\u{1F1E6}-\u{1F1FF}]` (regional indicator symbols used for flags) and
`\p{Emoji_Modifier_Base}`.

When the regex engine attempts to match a string that almost matches but
ultimately fails (like the one in the PoC), this ambiguity forces it to
explore an exponential number of possible paths. The matching time
increases exponentially with the length of the crafted input, rather
than linearly.

### PoC

The following code demonstrates the vulnerability.

```javascript
import * as v from 'valibot';

const schema = v.object({
  x: v.pipe(v.string(), v.emoji()),
});

const attackString = '\u{1F1E6}'.repeat(49) + '0';

console.log(`Input length: ${attackString.length}`);
console.log('Starting parse... (This will take a long time)');

// On my machine, a length of 99 takes approximately 2 minutes.
console.time();
try {
  v.parse(schema, {x: attackString });
} catch (e) {}
console.timeEnd();
```

### Impact

Any project using Valibot's `emoji` validation on user-controllable
input is vulnerable to a Denial of Service attack.

An attacker can block server resources (e.g., a web server's event loop)
by submitting a short string to any endpoint that uses this validation.
This is particularly dangerous because the attack string is short enough
to bypass typical input length restrictions (e.g., maxLength(100)).

### Recommended Fix

The root cause is the overlapping character classes. This can be
resolved by making the alternatives mutually exclusive, typically by
using negative lookaheads (`(?!...)`) to subtract the specific classes
from the more general one.

The following modified `EMOJI_REGEX` applies this principle:

```javascript
export const EMOJI_REGEX: RegExp =
  // eslint-disable-next-line redos-detector/no-unsafe-regex, regexp/no-dupe-disjunctions -- false positives
  /^(?:[\u{1F1E6}-\u{1F1FF}]{2}|\u{1F3F4}[\u{E0061}-\u{E007A}]{2}[\u{E0030}-\u{E0039}\u{E0061}-\u{E007A}]{1,3}\u{E007F}|(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|(?![\p{Emoji_Modifier_Base}\u{1F1E6}-\u{1F1FF}])\p{Emoji_Presentation})(?:\u200D(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|(?![\p{Emoji_Modifier_Base}\u{1F1E6}-\u{1F1FF}])\p{Emoji_Presentation}))*)+$/u;
```

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/mmkal/trpc-cli).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4xOS45IiwidXBkYXRlZEluVmVyIjoiNDIuMTkuOSIsInRhcmdldEJyYW5jaCI6ImRlcHMiLCJsYWJlbHMiOltdfQ==-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Misha Kaletsky <[email protected]>
@renovate
chore(deps): update dependency effect to v3.19.8
2c2d3fb
@renovate renovate bot changed the title Update dependency effect to v3.19.8 chore(deps): update dependency effect to v3.19.8 Dec 1, 2025
@renovate renovate bot force-pushed the renovate/effect-3.x branch from 26c2c05 to 2c2d3fb Compare December 1, 2025 09:33
@mmkal mmkal closed this Dec 1, 2025
@renovate renovate bot changed the title chore(deps): update dependency effect to v3.19.8 Update dependency effect to v3.19.8 Dec 1, 2025
@renovate
Copy link
Contributor Author

renovate bot commented Dec 1, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (3.19.8). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mmkal