Unable to resolve ajv <6.14.0 audit warning without breaking Power BI visual build (conflict between ajv v6 and v8) #2593
ashendra-ifour started this conversation in General
I am facing a dependency issue in a Power BI custom visual project related to ajv < 6.14.0 being flagged by npm audit.
Project Setup
The project uses:
powerbi-visuals-tools v7.x
powerbi-visuals-webpack-plugin
terser-webpack-plugin
schema-utils
Node.js: 20.x
npm: 8+
Problem
npm audit reports:
ajv < 6.14.0
Severity: moderate
ReDoS via $data option
The vulnerable version is pulled transitively by:
powerbi-visuals-tools
→ powerbi-visuals-webpack-plugin
→ ajv (v6.x)
Running:
npm audit fix
suggests downgrading powerbi-visuals-tools to 1.7.2, which is a breaking change and not acceptable.
Attempted Solution
I tried using npm overrides:
"overrides": {
  "powerbi-visuals-tools": {
    "ajv": "^6.14.0"
  }
}
However, this causes build failure during:
npx pbiviz package
with the error:
MODULE_NOT_FOUND
... terser-webpack-plugin → ajv-keywords → ajv
It appears that:
Power BI tooling depends on ajv v6
Webpack ecosystem depends on ajv v8
Forcing overrides breaks module resolution between major versions
Questions
Is upgrading from ajv <6.14.0 to 6.14.0 within a v6 dependency tree considered safe in this scenario?
Is there a recommended approach when multiple ajv major versions (v6 and v8) must coexist in a webpack-based build?
Is the reported ReDoS vulnerability relevant in build-time schema validation (webpack configuration validation), or only in runtime JSON validation contexts?
Currently, there seems to be no way to satisfy both:
npm audit fix
successful pbiviz package
without breaking the toolchain.
Any guidance would be appreciated.
Thank you.
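The failure mode in the post follows from how npm scopes a nested override: `"powerbi-visuals-tools": { "ajv": ... }` is applied to every ajv that is a descendant of powerbi-visuals-tools, so the v8 copy that terser-webpack-plugin's chain requires is rewritten to v6 along with the flagged v6 copy. The script below is an added example, not code from the discussion or from the Power BI tooling. It reads an npm lockfile (lockfileVersion 2/3 "packages" map), lists every package that requires ajv together with the copy Node would resolve for it and whether that copy falls in the audited range (< 6.14.0), then models the post's override by forcing ajv to one version across the scoped subtree and reporting which consumers are left with a major they cannot load. The embedded lockfile is constructed for illustration and its version numbers are assumptions; the package and dependency names are the ones the post mentions.

```javascript
// Added example (not from the discussion or the Power BI tooling): map every
// consumer of ajv in an npm lockfile, flag copies below 6.14.0, and model what a
// nested override scoped to powerbi-visuals-tools does to that subtree.
// The lockfile below is CONSTRUCTED; its version numbers are assumptions.
const lockfile = {
  name: "my-visual",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "powerbi-visuals-tools": "^7.0.0" } },
    "node_modules/powerbi-visuals-tools": {
      version: "7.0.0",
      dependencies: { "powerbi-visuals-webpack-plugin": "^5.0.0", "terser-webpack-plugin": "^5.0.0" },
    },
    // The older ajv is nested under the plugin; hoisting kept the v8 copy at top level.
    "node_modules/powerbi-visuals-webpack-plugin": { version: "5.0.0", dependencies: { ajv: "^6.12.0" } },
    "node_modules/powerbi-visuals-webpack-plugin/node_modules/ajv": { version: "6.12.6" },
    "node_modules/terser-webpack-plugin": { version: "5.0.0", dependencies: { "ajv-keywords": "^5.0.0" } },
    "node_modules/ajv-keywords": { version: "5.0.0", peerDependencies: { ajv: "^8.0.0" } },
    "node_modules/ajv": { version: "8.12.0" },
  },
};

const AUDIT_FIXED_IN = "6.14.0"; // the advisory range in the post: ajv < 6.14.0

function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// First number in a range ("^6.12.0", "~8.1.0", "8.x") is its major. Sufficient for
// the caret/tilde ranges these packages declare, not for unions such as "6 || 8".
function rangeMajor(range) {
  const m = range.match(/\d+/);
  return m ? Number(m[0]) : null;
}

// Node's lookup rule: nearest node_modules/<name> walking up from the requirer.
function resolveFrom(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

function declaredDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.peerDependencies || {}) };
}

// Every package that requires ajv, the copy it resolves to, and whether audit flags it.
function ajvConsumers(lock) {
  const out = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    const range = declaredDeps(pkg).ajv;
    if (!range) continue;
    const resolved = resolveFrom(lock.packages, path, "ajv");
    const version = resolved ? lock.packages[resolved].version : null;
    out.push({
      path,
      requirer: path.split("/node_modules/").pop().replace(/^node_modules\//, ""),
      range,
      resolved,
      version,
      flagged: version !== null && compareVersions(version, AUDIT_FIXED_IN) < 0,
    });
  }
  return out;
}

// Packages reachable from `scope` through (peer)dependencies: the set a nested
// npm override  "<scope>": { "ajv": "..." }  applies to.
function descendantsOf(lock, scope) {
  const seen = new Set();
  const queue = [`node_modules/${scope}`];
  while (queue.length) {
    const path = queue.shift();
    if (seen.has(path) || !lock.packages[path]) continue;
    seen.add(path);
    for (const dep of Object.keys(declaredDeps(lock.packages[path]))) {
      const depPath = resolveFrom(lock.packages, path, dep);
      if (depPath) queue.push(depPath);
    }
  }
  return seen;
}

// Model the override from the post: every ajv below `scope` becomes `forcedVersion`.
// A consumer is "loadable" only if the forced major matches the major it declared.
function simulateOverride(lock, scope, forcedVersion) {
  const subtree = descendantsOf(lock, scope);
  return ajvConsumers(lock).map((c) => {
    const inScope = subtree.has(c.path);
    const version = inScope ? forcedVersion : c.version;
    const loadable = version !== null && rangeMajor(c.range) === Number(version.split(".")[0]);
    return { requirer: c.requirer, range: c.range, version, inScope, loadable };
  });
}

// Usage: node ajv-tree.js ./package-lock.json   (no argument: the constructed lockfile)
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : lockfile;
  console.table(ajvConsumers(lock));
  console.table(simulateOverride(lock, "powerbi-visuals-tools", "6.14.0"));
}
```

Run against a real package-lock.json, the first table shows which ajv copies are actually below 6.14.0 and who loads them; the second shows that an override scoped to powerbi-visuals-tools reaches ajv-keywords too, which is the `terser-webpack-plugin → ajv-keywords → ajv` chain in the MODULE_NOT_FOUND error. The override needs to be scoped to the package that declares the v6 range (here powerbi-visuals-webpack-plugin) rather than to the whole tooling subtree if the v8 consumers are to keep their copy.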