Bump path-to-regexp on 1.x branch to resolve CVE-2024-45296

[pepijnve]

Would it be possible to bump path-to-regexp to a more recent version that contains the fixes for CVE-2024-45296. The current dependency on 2.4.0 is causing our application to be flagged by our customer's security scanning tools.

See GHSA-9wv6-86v2-598j for details.

[Legioth]

The new version is not 100% backwards compatible in some edge cases and we have evaluated that the impact of the vulnerability is quite small due to the way we're not using that library on the server.

For this reason, we're planning to create a new 2.0 branch and take that into use starting from the upcoming Vaadin 24.5 release while keeping the current version for older Vaadin versions to preserve backwards compatibility.

[EinfachHans]

Would like to see this as well, as for our company provisions we have to fix the CVE

[quincarter]

Also same here. We use Vaadin router in a few applications in our company and it is causing us to be noncompliant

[ZheSun88]

Thanks for all your feedbacks.
we are aiming to get the vaadin-router 2.0.0.rc1 out this week.

[niallriddell]

Hi - we also have to remediate this issue. It would be great to get the rc out. Is there anything we can do to help?

[ZheSun88]

Hi all, Thanks for your patience. the @vaadin/router 2.0.0-rc1 has been released finally.
the final version is planned next week, 🙏

[EinfachHans]

@ZheSun88 awesome, is there an changelog anywhere available?

[fabian-nowak-axa]

@ZheSun88 are there any plans to go, to a not releaseCandidate version soon?