[fix] npm audit reporting high severity vulnerability with @koa/router 13.0.0

[cduff]

Steps to reproduce

$ npm i @koa/router

added 9 packages in 429ms

$ npm audit
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/path-to-regexp
  @koa/router  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/@koa/router

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Solution

Fix by upgrading @koa/router to depend on later version of path-to-regexp?

[ManojKeer]

Facing the same issue since yesterday. koa-router(12.0.1) is using path-to-regexp of version 6.2.1. I am getting build errors to upgrade the path-to-regexp to latest. How to fix this issue? Will koa-router publish a latest version with patched path-to-regexp version?

[iambumblehead]

➕

[iambumblehead]

related pillarjs/path-to-regexp#324

[iambumblehead]

locally incrementing to 6.3.0 does not satisfy the warning

path-to-regexp  4.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/path-to-regexp

[mschfh]

locally incrementing to 6.3.0 does not satisfy the warning

The advisory wasn't updated yet to include the 6.x patched version: GHSA-9wv6-86v2-598j

[moez-qlik]

Leaving this bug unfixed could potentially break our projects that rely on Koa Router.
#185

[panva]

Leaving this bug unfixed could potentially break our projects that rely on Koa Router. #185

That's unrelated to the path-to-regexp CVE. path-to-regexp 6.3.0 was released with the fix backport. Meaning that the router is no longer vulnerable. The advisory has not been updated yet to reflect the fixed version.

[3imed-jaberi]

Thank you @mschfh for your contribution by bumping path-to-regexp dependency to v6.3.0. It should fix the vulnerability (+1 @panva).

@titanism could you please publish the next release v13.1.0 with latest commit on the master branch. And please publish v12.0.2 from this branch (v12.0.2) to prevent @moez-qlik marked issue here and the potential issue related to path params.

@moez-qlik, if really it's a block for your project, you can use patch-package and patch koa router with [email protected].

I will try to find a slot to work on #185!

[titanism]

I also merged #189

[titanism]

v13.0.1 released https://github.com/koajs/router/releases/tag/v13.0.1

[moez-qlik]

@titanism can you release the Vulnerablity fix on v12.0.2?

[3imed-jaberi]

I apologize for the delayed response. Merging PR #189 is a significant change that requires a major version bump (v14), making it a risky step. That’s why I didn’t merge it upon review and have assigned myself to the review process.

Additionally, I think we should stick with [email protected] until we can ensure that v8 doesn't introduce any unexpected issues with the current implementation. We should also update the documentation to reflect any new behavior.

To move forward, I propose the following steps:

1. Move the current master code to a pre-release branch for v14.
2. Revert or remove all commits related to path-to-regex@8+ on master branch.
3. Publish the next minor or patch release (v13.1.0 or v13.0.2) based on this cleanup.
4. Publish the v12.0.2.
5. Deprecate the current v13.0.1 on npm

Please @titanism DM on our space 😉!

[3imed-jaberi]

@moez-qlik I working with @titanism to deliver the correct version and soon will find it. In the meanwhile, you can try the patch-package in my comment here.

[3imed-jaberi]

@moez-qlik v12.0.2 published 🎉!

[moez-qlik]

@moez-qlik v12.0.2 published 🎉!

thank you @3imed-jaberi <3