
Commit c14f092

Add security fix for ReDoS vulnerability in emoji action and update release notes
Co-authored-by: Hiroya Fujinami <[email protected]>
1 parent 36fafd0 commit c14f092

2 files changed: +10 / -1 lines changed


library/CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -10,6 +10,7 @@ All notable changes to the library will be documented in this file.
1010
- Add `isbn` validation action to validate ISBN-10 and ISBN-13 strings (pull request #1097)
1111
- Add exports for `RawCheckAddIssue`, `RawCheckContext`, `RawCheckIssueInfo`, `RawTransformAddIssue`, `RawTransformContext` and `RawTransformIssueInfo` types for better developer experience with `rawCheck` and `rawTransform` actions (pull request #1359)
1212
- Change build step to tsdown
13+
- Fix ReDoS vulnerability in `EMOJI_REGEX` used by `emoji` action
1314

1415
## v1.1.0 (May 06, 2025)
1516

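Review bot: the added changelog entry ("Fix ReDoS vulnerability in `EMOJI_REGEX` used by `emoji` action") carries no pull request reference, while every neighbouring entry in this hunk does (`(pull request #1097)`, `(pull request #1359)`). For a security fix that link is the one readers most need in order to see what changed in `EMOJI_REGEX`; suggest appending the relevant pull request number (or the advisory identifier, if one was published) in the same `(pull request #…)` form as the other entries.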
website/src/routes/blog/(posts)/valibot-v1.2-release-notes/index.mdx

Lines changed: 9 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -14,6 +14,8 @@ import { Link } from '~/components';
1414

1515
Valibot v1.2 is out! This version adds powerful transformation actions for type coercion, new metadata features to improve AI tool integration, and ISBN validation for library management systems. These additions make it easier to work with forms, APIs, and AI-powered applications while maintaining Valibot's modular design and minimal bundle size.
1616

17+
> This release also includes an important security fix for a ReDoS vulnerability in the <Link href="/api/emoji/">`emoji`</Link> action. If you're using this action, we strongly recommend upgrading as soon as possible.
18+
1719
This is our second minor release since v1, and we continue to prioritize stability and quality through our comprehensive test coverage. The work we've invested in maintaining robust tests continues to pay off with fewer bugs and a more reliable library. Before diving into the new features, I want to thank our amazing contributors who made this release possible.
1820

1921
## Contributors and acknowledgments
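Review bot: the new callout asks users to upgrade "as soon as possible" but names neither the release that contains the fix nor the versions that are affected, so a reader who stops at this paragraph cannot tell whether their installed version is vulnerable. Suggest "upgrading to v1.2" here, which matches the wording of the dedicated security section added further down, and stating the affected version range in the same sentence.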
@@ -24,7 +26,7 @@ We're also excited to welcome [LambdaTest](https://lambdatest.com/) as a new par
2426

2527
## Type coercion made simple
2628

27-
One of the most requested features has been a straightforward way to coerce types in validation pipelines. Whether you're working with form data that arrives as strings, URL parameters, or API responses, type coercion is essential. With Valibot v1.2, we're introducing five new transformation actions that make this dead simple: <Link href="/api/toBigint/">`toBigint`</Link>, <Link href="/api/toBoolean/">`toBoolean`</Link>, <Link href="/api/toDate/">`toDate`</Link>, <Link href="/api/toNumber/">`toNumber`</Link>, and <Link href="/api/toString/">`toString`</Link>.
29+
One requested features has been a straightforward way to coerce types in validation pipelines. Whether you're working with form data that arrives as strings, URL parameters, or API responses, type coercion is essential. With Valibot v1.2, we're introducing five new transformation actions that make this dead simple: <Link href="/api/toBigint/">`toBigint`</Link>, <Link href="/api/toBoolean/">`toBoolean`</Link>, <Link href="/api/toDate/">`toDate`</Link>, <Link href="/api/toNumber/">`toNumber`</Link>, and <Link href="/api/toString/">`toString`</Link>.
2830

2931
These actions use JavaScript's native coercion functions (`BigInt()`, `Boolean()`, `Date()`, `Number()`, `String()`) under the hood, but with added error handling to catch edge cases. For example, `toNumber` checks for `NaN` after conversion, and `toDate` validates that the resulting date is valid.
3032

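Review bot: the replaced line now reads "One requested features has been", which is ungrammatical (singular "One" with plural "features"); the removed wording "One of the most requested features has been" was correct. This change is also unrelated to the ReDoS fix named in the commit message, so either restore the original sentence or move the rewording to its own commit.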
@@ -116,6 +118,12 @@ const BookSchema = v.object({
116118

117119
The <Link href="/api/isbn/">`isbn`</Link> action accepts hyphens and spaces as separators and validates the checksum to ensure the ISBN is mathematically correct. This is a great example of how domain-specific validation can be added to Valibot while maintaining our modular architecture and small bundle size.
118120

121+
## Security fix: ReDoS vulnerability
122+
123+
This release also includes an important security fix for a ReDoS (Regular Expression Denial of Service) vulnerability in the `EMOJI_REGEX` pattern used by the <Link href="/api/emoji/">`emoji`</Link> action. If you're using the <Link href="/api/emoji/">`emoji`</Link> action in your application, we strongly recommend upgrading to v1.2 as soon as possible.
124+
125+
The vulnerability could allow an attacker to cause excessive CPU usage by providing specially crafted input strings. We've updated the regex pattern to eliminate this risk while maintaining the same validation functionality. Thank you to [@makenowjust](https://github.com/makenowjust) for finding and responsibly disclosing this issue.
126+
119127
## Faster builds with tsdown
120128

121129
While this isn't a user-facing feature, we've switched our build process from tsup to [tsdown](https://www.npmjs.com/package/tsdown). Built on top of [Rolldown](https://rolldown.rs/)—which actually uses Valibot for validation—tsdown speeds up our build times, making development and releases faster. If we made no mistakes you won't notice any differences in functionality.
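Review bot: the new "Security fix: ReDoS vulnerability" section does not state which versions are affected and links neither to an advisory nor to the pull request that changed `EMOJI_REGEX`, and the claim that the updated pattern keeps "the same validation functionality" is given without support. Suggest adding the affected version range, a link to the advisory or fix PR, and one sentence on how the pattern was made safe (or a pointer to the tests that exercise the previously slow inputs), so users can verify the fix rather than take it on trust. Minor: "ReDoS" is expanded here but not in the callout added near the top of the post; expanding it on first use would be clearer.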

0 commit comments
