Vulnerable path-to-regexp dependency version

[sapostol]

Hello!

We have msw installed in one of our react built repo and in the past 3 weeks we've been seeing a High risk vulnerability detected by the GitLab SBoM Vulnerability Scanner which we run regularly on our pipeline. I was wondering if somebody can help in updating the "path-to-regexp" dependency library version from 6.3.0 to 8.0.0, hopefully no breaking changes will occur on this update. Below I'll provide some more details on how the security scan messgae looks like:

path-to-regexp outputs backtracking regular expressions

Description

In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance.

• **Severity:**High
• Tool: Dependency Scanning
• Scanner: GitLab SBoM Vulnerability Scanner

Location

• File: [package-lock.json]

Solution

Upgrade to versions 0.1.10, 8.0.0 or above.

Evidence

Vulnerable Package

path-to-regexp:6.3.0

[kettanaito]

Hi! Thanks for raising this. This has been discussed and solved before, please see #2304 (comment) and the linked issues. Thanks.

[sapostol]

Hello! I don't think the issue above has been resolved. I checked all the other discussions you mentioned and their comments and even though some patches and updates were made on both path to regexp and express packages to get rid of the vulnerability I mentioned, the msw package still has a direct dependency on the 6.3.0 vulnerable version of path to regexp and I believe this needs to be updated on the msw package side:

[kettanaito]

I expect path-to-regexp have fixed it in the range complying with ^6.3.0 (that's not a direct dependency, it's "any patches included"). Can you confirm if that's the case?

I definitely don't mind bumping the range if we stay within the same major. v7 introduces some breaking changes I don't have the capacity to address at the moment though. You can open a pull request to bump the version, I'd be happy to have it merged.