fix(deps): update dependency validator to v13.15.22 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
validator	13.15.15 → 13.15.22

GitHub Vulnerability Alerts

CVE-2025-56200

A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

CVE-2025-12758

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

---

Release Notes

validatorjs/validator.js (validator)

v13.15.22

Compare Source

Fixes, New Locales and Enhancements

• #​2622 isURL: fix regression with hostnames with ports @​mbtools
• #​2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #​2621 @​mbtools

v13.15.20

Compare Source

Fixes, New Locales and Enhancements

• #​2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #​2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #​2574 isBase64: improve padding regex @​KrayzeeKev
• #​2584 isVAT: improve FR locale @​iamAmer
• #​2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #​2563 @​stoneLeaf
  • #​2581 @​camillobruni

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.78%. Comparing base (0be8d6b) to head (2bd9b43).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1940   +/-   ##
=======================================
  Coverage   92.78%   92.78%           
=======================================
  Files          36       36           
  Lines        1358     1358           
  Branches      273      273           
=======================================
  Hits         1260     1260           
  Misses         68       68           
  Partials       30       30           

Flag	Coverage Δ
aarch64	92.56% <ø> (ø)
aarch64-without-git	92.56% <ø> (ø)
alpine	92.78% <ø> (ø)
alpine-proxy	92.56% <ø> (ø)
alpine-without-git	92.78% <ø> (ø)
linux	92.56% <ø> (ø)
linux-without-git	92.56% <ø> (ø)
macos	92.56% <ø> (ø)
macos-arm64	92.56% <ø> (ø)
macos-arm64-without-git	92.56% <ø> (ø)
macos-without-git	92.56% <ø> (ø)
macos-x64	92.56% <ø> (ø)
macos-x64-without-git	92.56% <ø> (ø)
windows	92.56% <ø> (ø)
windows-without-git	92.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.