chore(deps): update dependency validator to v13.15.22 [security]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
validator	13.6.0 → 13.15.22

GitHub Vulnerability Alerts

CVE-2021-3765

validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity

GHSA-xx4c-jj58-r7x6

Impact

Versions of validator prior to 13.7.0 are affected by an inefficient Regular Expression complexity when using the rtrim and trim sanitizers.

Patches

The problem has been patched in validator 13.7.0

CVE-2025-56200

A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

CVE-2025-12758

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

---

Release Notes

validatorjs/validator.js (validator)

v13.15.22

Compare Source

Fixes, New Locales and Enhancements

• #​2622 isURL: fix regression with hostnames with ports @​mbtools
• #​2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #​2621 @​mbtools

v13.15.20

Compare Source

Fixes, New Locales and Enhancements

• #​2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #​2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #​2574 isBase64: improve padding regex @​KrayzeeKev
• #​2584 isVAT: improve FR locale @​iamAmer
• #​2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #​2563 @​stoneLeaf
  • #​2581 @​camillobruni

v13.15.15

Compare Source

Fixes, New Locales and Enhancements

• isMobilePhone
  • #​2514 improve el-CY locale @​rezk2ll
  • #​2512 improve pt-AO locale @​renaldodev
  • #​2502 improve ar-OM locale @​tomcastro
• #​2089 isIP: allow usage of option object @​pixelbucket-dev
• #​2526 isPassportNumber: improve CA locale @​evanbechtol
• #​2491 isBase64: improve validation based on RFC4648 @​aseyfpour
• #​2479 isPostalCode: improve FR locale @​Rajput-Balram
• #​2088 isBefore: allow usage of option object @​pixelbucket-dev
• #​2346 isRgbColor: allow second digit in rgba alpha value @​controlol
• #​2453 isIP: improve IPv6 regex @​ShreySinha02
• #​2052 isPostalCode: add PK locale @​mateeni-dev
• #​2529 isPostalCode: improve TW locale @​Crocsx
• #​2550 isPassportNumber: improve US locale @​yitzchak-schechter
• #​2553 isUUID: add loose option @​bc-m
• #​2551 isPostalCode: add BD locale @​tanvirrb
• #​2555 isLicensePlate: improve pt-PT locale @​castrosu
• Doc fixes and others:
  • #​2372 @​EmersonRabelo
  • #​2538 @​WikiRik
  • #​2539 @​WikiRik
  • #​2540 @​WikiRik
  • #​2549 @​WikiRik
  • #​2537 @​sgress454

v13.15.0

Compare Source

New Features / Validators

• #​2399 isISO31661Numeric @​RobinvanderVliet
• #​2294 isULID @​arafatkn
• #​2215 isISO15924 @​xDivisionByZerox

Fixes, New Locales and Enhancements

• isMobilePhone
  • #​2395 add es-GT locale @​ignaciosuarezquilis
  • #​1971 improve en-GB locale @​ihmpavel
  • #​2359 improve uk-UA locale @​arttiger
  • #​2350 improve ky-KG locale @​sadraliev
  • #​2482 improve en-ZM locale @​sonikishan
  • #​2362 improve en-GH locale @​NanaAb-116
  • #​2500 add mk-MK locale @​eshward95
  • #​2534 improve sq-AL locale @​nichoola
• #​2406 isBtcAddress support all address formats and testnets @​madoke
• #​2339 isIBAN improve VG regex @​ST-DDT
• #​2332 isISO4217 update currency codes @​cbodtorf
• #​2291 isIdentityCard add PK locale @​Daniyal-Qureshi
• #​2414 isEmail fix blacklist_chars @​keshavlingala
• #​2416 isInt/isFloat handle undefined and null values @​Daniyal-Qureshi
• #​2415 isPostalCode add CO locale @​jorgevrgs
• #​2404 isPassportNumber export passportNumberLocales @​derekparnell
• #​2029 isRgbColor add allowSpaces option @​a-h-i
• #​2421 isUUID require valid variant field and require RFC9562 UUID in version all @​broofa
• #​2439 isURL add max_allowed_length option @​pinkiesky
• #​2437 isEmail reject starting with double quotes @​code0emperor
• #​2333 isLicensePlate add en-SG locale @​Sabarinathan07
• #​2441 normalizeEmail add yandex_convert_yandexru option @​AayushGH
• #​2443 isDate return false instead of Error in certain cases @​pano9000
• #​2474 isLength add discreteLengths option @​Suven-p
• #​2481 isDate disallow mismatching length in strictMode @​sonikishan
• #​2492 isISO6346 set check digit to 0 if remainder is 10 @​joelcuy
• #​2493 isPostalCode improve BR locale @​ticmaisdev
• #​2494 isEmail allow regexp in host_whitelist and host_blacklist @​weikangchia
• #​2518 isIBAN improve IE/PS regex @​Tarasz57
• Doc fixes and others:
  • #​2402 @​BibhushanKarki
  • #​2394 @​RobinvanderVliet
  • #​1732 @​alguerocode
  • #​2413 @​rubiin
  • #​2408 @​profnandaa
  • #​2411 @​rubiin
  • #​2325 @​ovarn
  • #​2418 @​ihmpavel
  • #​2323 @​ovarn
  • #​2423 @​rubiin
  • #​2409 @​profnandaa
  • #​2442 @​pano9000

v13.12.0

Compare Source

New Features / Validators

• #​2143 isAbaRouting @​songyuew

Fixes, New Locales and Enhancements

• #​2207 isLicensePlate add Pakistani en-PK locale @​anasshakil
• #​2208 isPort fix invalid leading zeros @​anasshakil
• #​2224 isTaxID added Argentina es-AR locale @​estefrare
• #​2257 isDate timezone offset fix @​tomaspanek
• #​2265 isPassportNumber added ZA locale @​GMorris-professional
• isMobilePhone:
  • #​2267 added en-MW locale @​SimranSiddiqui
  • #​2140 fix am-AM locale @​AlexKrupko
• #​2271 isPostalAddress fix NL locale @​RobinvanderVliet
• #​2273 isISO4217 add SLE currency @​urg
• #​2278 isStrongPassword fix symbolRegex to include \ @​nandavikas
• #​2279 isVAT fixed KZ locale @​MatthieuLemoine
• #​2285 isAlpha, isAlphanumeric added eo locale @​RobinvanderVliet
• #​2320 isIBAN add Algeria DZ locale @​thibault-lr
• #​2343 isVATimprove AU locale @​matthewberryman
• #​2345 isUUID add support for v7 @​ruscon
• #​2358 isTaxID add Ukraine uk-UA locale @​arttiger
• #​2381 isDate disallow hiphen before year @​Sumit-tech-joshi
• Doc fixes and others:
  • #​2276 @​meyfa
  • #​2341 @​WikiRik
  • #​2364 @​rubiin
  • #​2368 @​ZhulinskiiDanil
  • #​2371 @​devmanbud
  • #​2386 @​alinaghale88

v13.11.0

Compare Source

New Features / Validators

• #​2144 isFreightContainerID: for shipping containers IDs @​songyuew
• #​2188 isMailtoURI @​uksarkar

Fixes, New Locales and Enhancements

• #​2025 isIBAN add MA locale @​lroudge
• #​2117 isCreditCard refactor @​pano9000
• #​2189 isLocale add support for more language tags @​kwahome
• #​2203 isVAT for CU @​jimmyorpheus
• #​2217 isJWT @​Prathamesh061
• #​2222 IsFQDN test enhancements @​aalekhpatel07
• #​2226 isAlpha, isAlphanumeric for kk-KZ @​BekStar7
• #​2229 isEmail support allow_underscores @​guspower
• #​2231 isDate enhance Date declaration compatibility across multiple environments @​CiprianS
• #​2235 isIBAN add white and blacklist options to the isIBAN validator @​edilson
• #​2237 isEmail do not allow non-breaking space in user part @​jeremy21212121
• isMobilePhone:
  • #​2175 so-SO @​ohersi
  • #​2176 fr-CF @​cheboi
  • #​2197 es-CU @​klaframboise
  • #​2202 pl-PL @​czerwony03
  • #​2209 fr-WF @​aidos42
  • #​2246 ar-SD @​Hussienma

v13.9.0

Compare Source

New Features / Validators

• #​1892 isISO6391: add ISO 639-1 validator @​braaar
• #​1974 isLuhnNumber @​ST-DDT

Fixes and Enhancements

• #​1865 isMACAddress: add EUI-validation @​WikiRik @​tux-tn

• #​1888 isBase32: add option for Crockford's base32 alternative @​BigOsvaap

• #​1916 isDataURI: fix mediaType format @​temoffey

• #​1920 isEmail: add host_whitelist option @​poor-coder

• #​1939 isFQDN: fix allow_numeric_tld option @​BigOsvaap

• #​1962 isIP: refactor @​UnKnoWn-Consortium

• #​1967 isLength @​ikkyu-3

• #​1992 isMagnetURI @​Rhilip @​tux-tn

• #​1995 isURL: fix check for host @​mortbauer

• #​2008 isCreditCard @​brianwhaley

• #​2075 isAfter: allow usage of option object @​WikiRik

• #​2114 isRgbColor @​pano9000

• #​2122 isDataURI: fix MIME types with underscores @​pano9000

• #​2148 isStrongPassword @​sandmule

• #​2157 isISBN: allow usage of option object @​WikiRik

• #​2170 isEmail: fix ignore_max_length for FQDN @​sakhmedbayev

• #​2020 isFloat: fix comma(,) passing as float @​frederike-ramin

• Documentation fixes:

  • #​1860 @​leonardovillela
  • #​1861 @​tux-tn
  • #​1957 @​tfilo
  • #​2010 @​marcelozarate
  • #​2107 @​pano9000
  • #​2160 @​WikiRik

• Code Refactors:

  • #​1942 @​CommanderRoot
  • #​1975 @​fedeci
  • #​2137 #​2132 @​pano9000

New and Improved Locales

• isAlpha, isAlphanumeric:

  • #​1678 bn-BD @​rak810
  • #​1996 si-LK @​melkorCBA
  • #​2014 ja-JP @​starcharles
  • #​1995 ko-KR @​Dongkyuuuu

• isBIC:

  • #​2046 XK @​import-brain

• isIdentityCard:

  • #​2142 hk-HK @​Dongkyuuuu

• isMobilePhone:

  • #​1813 my-MM, @​ferdousulhaque
  • #​1868 de-DE, @​thomaschaaf
  • #​1896 en-LS, @​DevilsAutumn
  • #​1897 el-CY, @​ikerasiotis
  • #​1909 es-NI, @​ajGingrich
  • #​1910 az-AZ, @​shaanaliyev
  • #​1922 ir-IR, @​ArashST79
  • #​1924 ky-KG, @​arsalanfiroozi
  • #​1925 ar-YE, ar-EH, fa-AF, @​Mustafiz04
  • #​1932 ro-MD, @​mik7up
  • #​1940 ar-YE, en-BS, @​savannahvaith
  • #​1952 ka-GE, @​avkvak
  • #​1964 #​1951 pt-BR, @​jhcaiafa @​matheusnascgomes
  • #​1983 es-HN, @​ademyan05
  • #​1985 nl-AW, @​adida948
  • #​1986 en-JM, @​ademyan05
  • #​1993 mn-MN, @​rksp25
  • #​1997 fr-BJ, @​rkuma552 @​rksp25
  • #​2001 mg-MG, @​ShivangiRai1310
  • #​2002 en-PG, @​kai2128
  • #​2004 en-AG, @​jiaweilow
  • #​2007 en-AI, @​elaine1129
  • #​2011 en-KN, @​Eelyneee
  • #​2041 fr-CD, @​coolbeatz71
  • #​2084 en-SS, @​cheboi
  • #​2109 dv-MV, @​pano9000
  • #​2129 en-HN, @​WikiRik
  • #​2148 ar-KW, @​Yazan-KE @​WikiRik
  • #​2112 el-GR, @​pano9000
  • #​2116 en-BM, @​pano9000
  • #​2155 ms-MY, @​pano9000
  • #​2156 ro-RO, @​pano9000

• isLicensePlate:

  • #​1665 sv-SE, @​elmaxe
  • #​1895 hu-HU, @​szabolcstarnai
  • #​1944 en-NI, @​NishantJS
  • #​1945 de-DE, @​bennetfabian
  • #​1945 de-DE, @​bennetfabian
  • #​2103 es-AR, @​alvarocastro

• isPassportNumber:

  • #​1515 JM,KZ,LI,NZ @​JuanFML
  • #​1814 TH @​TonPC64 @​braaar
  • #​2061 AZ @​djeks922
  • #​2073 PH,PK @​digambar-t7

• isPostalCode:

  • #​1951 BA, @​matheusnascgomes
  • #​2134 BY, @​pano9000
  • #​2136 IR, @​pano9000

• isTaxID:

  • #​1867 en-CA, @​boonya
  • #​1989 'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'EL', 'HU', 'IE', 'LV', 'LT', 'LU', 'MT', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'AL', 'MK', 'AU', 'BY', 'CA', 'IS', 'IN', 'ID', 'IL', 'KZ', 'NZ', 'NG', 'NO', 'PH', 'RU', 'SM', 'SA', 'RS', 'CH', 'TR', 'UA', 'UZ', 'AR', 'BO', 'BR', 'CL', 'CO', 'CR', 'EC', 'SV', 'GT', 'HN', 'MX', 'NI', 'PA', 'PY', 'PE', 'DO', 'UY', 'VE' @​Dev1lDragon

13.7.0

New Features

• #​1706 isISO4217, currency code validator @​jpaya17

Fixes and Enhancements

• #​1647 isFQDN: add allow_wildcard option @​fasenderos
• #​1654 isRFC3339: Disallow prepended and appended strings to RFC 3339 date-time @​jmacmahon
• #​1658 maintenance: increase code coverage @​tux-tn
• #​1669 IBAN export list of country codes that implement IBAN @​dror-heller @​fedeci
• #​1676 isBoolean: add loose option @​brybrophy
• #​1697 maintenance: fix npm installation error @​rubiin
• #​1708 isISO31661Alpha3: perf @​jpaya17
• #​1711 isDate: allow users to strictly validate dates with . as delimiter @​flymans
• #​1715 isCreditCard: fix for Union Pay cards @​shreyassai123
• #​1718 isEmail: replace all dots in GMail length validation @​DasDingGehtNicht
• #​1721 isURL: add allow_fragments and allow_query_components @​cowboy-bebug
• #​1724 isISO31661Alpha2: perf @​jpaya17
• #​1730 isMagnetURI @​tux-tn
• #​1738 rtrim: remove regex to prevent ReDOS attack @​tux-tn
• #​1747 maintenance: run scripts in parallel for build and clean @​sachinraja
• #​1748 isURL: higher priority to whitelist @​deepanshu2506
• #​1751 isURL: allow url with colon and no port @​MatteoPierro
• #​1777 isUUID: fix for null version argument @​theteladras
• #​1799 isFQDN: check more special chars @​MatteoPierro
• #​1833 isURL: allow URL with an empty user @​MiguelSavignano
• #​1835 unescape: fixed bug where intermediate string contains escaped @​Marcholio
• #​1836 contains: can check that string contains seed multiple times @​Marcholio
• #​1844 docs: add CDN instructions @​luiscobits
• #​1848 isUUID: add support for validation of v1 and v2 @​theteladras
• #​1941 isEmail: add host_blacklist option @​fedeci

New and Improved Locales

• isAlpha, isAlphanumeric:

  • #​1716 hi-IN @​MiKr13
  • #​1837 fi-FI @​Marcholio

• isPassportNumber:

  • #​1656 ID @​rubiin
  • #​1714 CN @​anirudhgiri
  • #​1809 PL @​Ronqn
  • #​1810 RU @​Theta-Dev

• isPostalCode:

  • #​1788 LK @​nimanthadilz

• isIdentityCard:

  • #​1657 TH @​tithanayut
  • #​1745 PL @​wiktorwojcik112 @​fedeci @​tux-tn
  • #​1786 LK @​nimanthadilz @​tux-tn
  • #​1838 FI @​Marcholio

• isMobilePhone:

  • #​1679 de-DE @​AnnaMariaJansen
  • #​1689 vi-VN @​luisrivas
  • #​1695 #​1682 zh-CN @​laulujan @​yisibl
  • #​1734 es-VE @​islasjuanp
  • #​1746 nl-BE @​divikshrivastava
  • #​1765 es-CU @​pasagedev
  • #​1766 es-SV, @​hereje
  • #​1767 ar-PS, @​brendan-c
  • #​1769 en-BM @​HackProAIT
  • #​1770 dz-BT @​lakshayr003
  • #​1771 en-BW, @​mgndolan
  • #​1772 fr-CM @​beckettnormington
  • #​1778 en-PK @​ammad20120 @​tux-tn
  • #​1780 tk-TM, @​Husan-Eshonqulov
  • #​1784 en-GY, @​mfkrause
  • #​1785 si-LK @​Madhavi96
  • #​1797 fr-PF, @​hereje
  • #​1820 en-KI, @​c-tanner
  • #​1826 hu-HU @​danielTiringer
  • #​1834 fr-BF, en-NA @​lakshayr003
  • #​1846 tg-TJ @​mgnss

• isLicensePlate:

  • #​1565 cs-CZ @​filiptronicek
  • #​1790 fi-FI @​Marcholio

• isVAT:

  • #​1825 NL @​zeno4ever

13.6.1

• New features:

  • #​1495 isLicensePlate @​firlus

• Fixes and Enhancements:

  • #​1651 fix ReDOS vulnerabilities in isHSL and isEmail @​tux-tn
  • #​1644 isURL: Allow URLs to have only a username in the userinfo subcomponent @​jbuchmann-coosto
  • #​1633 isISIN: optimization @​bmacnaughton
  • #​1632 isIP: improved pattern for IPv4 and IPv6 @​ognjenjevremovic
  • #​1625 fix [A-z] regex range on some validators @​bmacnaughton
  • #​1620 fix docs @​prahaladbelavadi
  • #​1616 isMacAddress: improve regexes and options @​fedeci
  • #​1603 fix ReDOS vulnerabilities in isSlug and rtrim @​fedeci
  • #​1594 isIPRange: add support for IPv6 @​neilime
  • #​1577 isEAN: add support for EAN-14 @​varsubham @​tux-tn
  • #​1566 isStrongPassword: add @ as a valid symbol @​stingalleman
  • #​1548 isBtcAddress: add base58 @​ezkemboi
  • #​1546 isFQDN: numeric domain names @​tux-tn

• New and Improved locales:

  • isIdentityCard, isPassportNumber:
    • #​1595 IR @​mhf-ir @​fedeci
    • #​1583 ar-LY @​asghaier76 @​tux-tn
    • #​1574 MY @​stranger26 @​tux-tn
  • isMobilePhone:
    • #​1642 zh-CN @​Akira0705
    • #​1638 lv-LV @​AntonLukichev
    • #​1635 en-GH @​ankorGH
    • #​1604 mz-MZ @​salmento @​tux-tn
    • #​1575 vi-VN @​kyled7
    • #​1573 en-SG @​liliwei25
    • #​1554 de-CH, fr-CH, it-CH @​dinfekted
    • #​1541 #​1623 es-CO @​ezkemboi @​tux-tn
    • #​1506 ar-OM @​dev-sna
    • #​1505 pt-AO @​AdilsonFuxe
  • isPostalCode:
    • #​1628 KR @​greatSumini
  • isTaxID:
    • #​1613 pt-BR @​mschunke
    • #​1529 el-GR @​dspinellis
  • isVAT:
    • #​1536 IT @​fedeci

13.5.0 13.5.1

• New features:

  • isVAT #​1463 @​ CodingNagger
  • isTaxID #​1446 @​tplessas
  • isBase58 #​1445 @​ezkemboi
  • isStrongPassword #​1348 @​door-bell

• Fixes and Enhancements:

  • #​1486 isISO8601: add strictSeparator @​brostone51
  • #​1474 isFQDN: make more strict @​CristhianMotoche
  • #​1469 isFQDN: allow_underscore option @​gibson042
  • #​1449 isEmail: character blacklisting @​rubiin
  • #​1436 isURL: added require_port option @​yshanli
  • #​1435 isEmail: respect ignore_max_length option @​evantahler
  • #​1402 isDate: add strictMode and prevent mixed delimiters @​tux-tn
  • #​1286 isAlpha: support ignore option @​mum-never-proud

• New and Improved locales:

  • isAlpha, isAlphanumeric:
    • #​1528 multiple fixes @​tux-tn @​purell
    • #​1513 id-ID and docs update [@​bekicot](https

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.