
chore(upgrade): upgrade path-to-regexp #2287

Closed
wants to merge 2 commits into from

Conversation

markmssd
Contributor

Related: #2270

This PR upgrades path-to-regexp to latest version 8.

path-to-regexp v8 has breaking changes, see https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0.

In this PR, I've attempted to make the change transparent to msw users.

@kettanaito
Member

Hi, @markmssd. Thanks for opening this. Updating path-to-regexp requires a bit more thought. You are introducing breaking changes to how wildcard params are exposed.

I will close this pull request because the path-to-regexp vulnerability was backported to the version range used by MSW right now. #2285 has fixed the issue.

kettanaito closed this Sep 17, 2024
@markmssd
Contributor Author

Gotcha! However, the backporting didn't fully work, it seems, as I brought up here: pillarjs/path-to-regexp#323 (comment). Let's hope something can be done to fully fix it.

@kettanaito
Member

Hope so as well. Critical vulnerabilities are good candidates for backports.

You mustn't ship MSW in production, to begin with. Critical vulnerabilities from dev dependencies have a close-to-non-existent effect on your product. But anyone is welcome to refactor MSW into newer path-to-regexp while keeping the existing tests intact.

@markmssd
Contributor Author

Okay, Snyk got updated too now: https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106 🎉

How to fix?
Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.
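The fix list above spans several major lines of path-to-regexp, which is what makes "am I on a fixed version?" harder to answer than a single "upgrade to X" advisory: an app can have one patched copy at the top level and an unpatched copy nested under another dependency. The following is an added example (not MSW's or path-to-regexp's code, and not part of this thread) that checks every `path-to-regexp` entry in a lockfile-style `packages` map against those fixed versions. It assumes Snyk's list means each listed version covers its own major line upward, the highest one covers everything above it, and major lines with no entry (2.x, 4.x, 5.x, 7.x) got no backport and are still vulnerable; the sample lockfile is constructed, not taken from a real project.

```javascript
// Added example, not MSW or path-to-regexp code: flag path-to-regexp copies
// that are below the backported fix for their major line.
//
// Assumption (not stated on the page): each fixed version covers its own
// major line upward, the newest one covers everything above it, and major
// lines with no entry (2.x, 4.x, 5.x, 7.x) received no backport.

// Fixed versions as listed in the Snyk advisory quoted above.
const FIXED_VERSIONS = ["0.1.10", "1.9.0", "3.3.0", "6.3.0", "8.0.0"];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", any pre-release or build
// suffix ignored) into a [major, minor, patch] number tuple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two version strings numerically per component: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is at or above the newest fixed version ("or higher"),
// or at or above the fixed version on its own major line.
function isFixed(version, fixed = FIXED_VERSIONS) {
  const sorted = [...fixed].sort(compareVersions);
  const newest = sorted[sorted.length - 1];
  if (compareVersions(version, newest) >= 0) return true;
  const major = parseVersion(version)[0];
  return sorted.some(
    (f) => parseVersion(f)[0] === major && compareVersions(version, f) >= 0,
  );
}

// Walk a package-lock v2/v3 style "packages" map and return every
// path-to-regexp instance that is still in a vulnerable range. Nested copies
// (node_modules/<dep>/node_modules/path-to-regexp) are checked as well, which
// is the case a glance at the top-level installed version misses.
function findVulnerable(lockfile, fixed = FIXED_VERSIONS) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/path-to-regexp")) continue;
    if (!entry || !entry.version) continue;
    if (!isFixed(entry.version, fixed)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from any real project): a 6.x copy that
// has the backport, a 1.x copy below its backport, and a 2.x copy on a major
// line that received none.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/path-to-regexp": { version: "6.3.0" },
    "node_modules/some-router/node_modules/path-to-regexp": { version: "1.8.0" },
    "node_modules/another-lib/node_modules/path-to-regexp": { version: "2.4.0" },
  },
};

for (const hit of findVulnerable(SAMPLE_LOCKFILE)) {
  console.log(`${hit.path}: ${hit.version} is in a vulnerable range`);
}
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfile v1 files have a nested `dependencies` tree instead of a flat `packages` map and would need a recursive walk.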
