Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

High severity vulnerabilities / serve-handler / path-to-regexp #811

Closed
MikeMcC399 opened this issue Sep 10, 2024 · 7 comments
Closed

High severity vulnerabilities / serve-handler / path-to-regexp #811

MikeMcC399 opened this issue Sep 10, 2024 · 7 comments

Comments

@MikeMcC399
Copy link

Description

[email protected] contains 3 high severity vulnerabilities

$ npm audit
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/path-to-regexp
  serve-handler  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/serve-handler
    serve  >=7.0.0
    Depends on vulnerable versions of serve-handler
    node_modules/serve

3 high severity vulnerabilities

due to [email protected] - current latest version released Nov 1, 2022

$ npm ls path-to-regexp
[email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

Please remediate the vulnerabilities!

Library version

14.2.3

Node version

v20.17.0
This was referenced Sep 10, 2024
Closed
Closed
@MikeMcC399
Copy link
Author

Please advise if @vercel is no longer planning to maintain this repo and the dependency https://github.com/vercel/serve-handler repo.

@MikeMcC399 MikeMcC399 mentioned this issue Sep 14, 2024
Closed
@kmturley
Copy link

Adding this to package.json appears to resolve the issue
It may break some functionality as it is a major dependency upgrade

  "overrides": {
    "path-to-regexp": "^8.1.0"
  }

@MikeMcC399
Copy link
Author

@kmturley

You might also use the following for npm, which is less likely to break functionality as it uses the lowest version with a (partial) fix:

  "overrides": {
    "serve": {
      "path-to-regexp": "3.3.0"
    }

@lake-effect
Copy link

Moved to https://github.com/warren-bank/node-serve, which is a fork without this dependency.

@ederign ederign mentioned this issue Sep 24, 2024
Merged
5 tasks
@Janpot Janpot mentioned this issue Sep 26, 2024
Merged
13 tasks
@mayurvandra mayurvandra mentioned this issue Sep 26, 2024
Closed
@DafyddLlyr DafyddLlyr mentioned this issue Oct 8, 2024
Closed
@MikeMcC399
Copy link
Author

@alana-cruickshank alana-cruickshank mentioned this issue Oct 15, 2024
Closed
@AndyBitz
Copy link
Contributor

@MikeMcC399 thank you for filing this issue and @alana-cruickshank for the PR on serve-handler with the fix.

We've just published [email protected] which includes the fix.

@MikeMcC399
Copy link
Author

@AndyBitz

Thank you for sorting out these issues!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

patch: Patch path-to-regexp security vulnerability alana-cruickshank/serve
4 participants
@kmturley @AndyBitz @lake-effect @MikeMcC399