npm audit: path-to-regexp outputs backtracking regular expressions #107

dowski · 2024-10-23T19:06:27Z

From npm audit:

path-to-regexp  7.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/path-to-regexp

The text was updated successfully, but these errors were encountered:

dowski · 2024-10-23T19:16:35Z

We use path-to-regexp in the createRouteMatcher implementation which can be used in a middleware.ts file to control which requests have auth requirements enforced.

We use that library because it's what Next.js uses under the covers for routing in middleware. Next.js also vendors an older version ofpath-to-regexp.

In order to allow the same syntax for matching routes in middleware for convex-auth and other Next.js middleware, we're going to keep the old path-to-regexp version.

See the following article from the path-to-regexp author which includes details on avoiding route patterns that can trigger the issue.

https://blakeembrey.com/posts/2024-09-web-redos/

dowski mentioned this issue Nov 5, 2024

Update to latest path-to-regexp #101

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

npm audit: path-to-regexp outputs backtracking regular expressions #107

npm audit: path-to-regexp outputs backtracking regular expressions #107

dowski commented Oct 23, 2024

dowski commented Oct 23, 2024

npm audit: path-to-regexp outputs backtracking regular expressions #107

npm audit: path-to-regexp outputs backtracking regular expressions #107

Comments

dowski commented Oct 23, 2024

dowski commented Oct 23, 2024