A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.
Patches
For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Version 0.1.10 adds backtracking protection when a custom regular expression is not provided, so it's still possible to manually create a ReDoS vulnerability if you are providing custom regular expressions.
Version 7.0.0 can enable strict: true and get an error when the regular expression might be bad.
Version 8.0.0 removes all features that can cause a ReDoS and stops exposing the regular expression directly.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.
Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
pillarjs/path-to-regexp (path-to-regexp)
### [`v8.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0): Simpler API
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v7.2.0...v8.0.0)
Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.
**Added**
- Adds key names to wildcards using `*name` syntax, aligns with `:` behavior but using an asterisk instead
**Changed**
- Removes group suffixes of `?`, `+`, and `*` - only optional exists moving forward (use wildcards for `+`, `{*foo}` for `*`)
- Parameter names follow JS identifier rules and allow unicode characters
**Added**
- Parameter names can now be quoted, e.g. `:"foo-bar"`
**Removed**
- Removes `loose` mode
- Removes regular expression overrides of parameters
### [`v7.2.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v7.2.0): Support array inputs (again)
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v7.1.0...v7.2.0)
**Added**
- Support array inputs for `match` and `pathToRegexp` [`3fdd88f`](https://redirect.github.com/pillarjs/path-to-regexp/commit/3fdd88f)
### [`v7.1.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0): Strict mode
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v7.0.0...v7.1.0)
**Added**
- Adds a `strict` option to detect potential ReDOS issues
**Fixed**
- Fixes separator to default to `suffix + prefix` when not specified
- Allows separator to be undefined in `TokenData`
- This is only relevant if you are building `TokenData` manually, previously `parse` filled it in automatically
**Comments**
- I highly recommend enabling `strict: true` and I'm *probably* releasing a V8 with it enabled by default ASAP as a necessary security mitigation
### [`v7.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v7.0.0): Wildcard, unicode, and modifier changes
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.2.2...v7.0.0)
Hi all! There's a few major breaking changes in this release so read carefully.
**Breaking changes:**
- The function returned by `compile` only accepts strings as values (i.e. no numbers, use `String(value)` before compiling a path)
- For repeated values, when `encode !== false`, it must be an array of strings
- Parameter names can contain all unicode identifier characters (defined as regex `\p{XID_Continue}`).
- Modifiers (`?`, `*`, `+`) must be used after a param explicitly wrapped in `{}`
- No more implied prefix of `/` or `.`
- No support for arrays or regexes as inputs
- The wildcard (standalone `*`) has been added back and matches Express.js expected behavior
- Removed `endsWith` option
- Renamed `strict: true` to `trailing: false`
- Reserved `;`, `,`, `!`, and `@` for future use-cases
- Removed `tokensToRegexp`, `tokensToFunction` and `regexpToFunction` in favor of simplifying exports
- Enable a "loose" mode by default, so `/` can be repeated multiple times in a matched path (i.e. `/foo` works like `//foo`, etc)
- `encode` and `decode` no longer receive the token as the second parameter
- Removed the ESM + CommonJS dual package in favor of only one CommonJS supported export
- Minimum JS support for ES2020 (previous ES2015)
- Encode defaults to `encodeURIComponent` and decode defaults to `decodeURIComponent`
**Added:**
- Adds `encodePath` to fix an issue around `encode` being used for both path and parameters (the path and parameter should be encoded slightly differently)
- Adds `loose` as an option to support arbitrarily matching the delimiter in paths, e.g. `foo/bar` and `foo///bar` should work the same
- Allow `encode` and `decode` to be set to `false` which skips all processing of the parameters input/output
- All remaining methods support `TokenData` (exported, returned by `parse`) as input
- This should be useful if you are programmatically building paths to match or want to avoid parsing multiple times
**Requests for feedback:**
- Requiring `{}` is an obvious drawback but I'm seeking feedback on whether it helps make path behavior clearer
- Related: Removing `/` and `.` as implicit prefixes
- Removing array and regex support is to reduce the overall package size for things many users don't need
- Unicode IDs are added to align more closely with browser URLPattern behavior, which uses JS identifiers
### [`v6.2.2`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.2.2): Updated README
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.2.1...v6.2.2)
No API changes. Documentation only release.
**Changed**
- Fix readme example [`c7ec332`](https://redirect.github.com/pillarjs/path-to-regexp/commit/c7ec332)
- Update shield URL [`e828000`](https://redirect.github.com/pillarjs/path-to-regexp/commit/e828000)
### [`v6.2.1`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.2.1): Fix matching `:name*` parameter
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.2.0...v6.2.1)
**Fixed**
- Fix invalid matching of `:name*` parameter ([#261](https://redirect.github.com/pillarjs/path-to-regexp/issues/261)) [`762bc6b`](https://redirect.github.com/pillarjs/path-to-regexp/commit/762bc6b)
- Compare delimiter string over regexp [`86baef8`](https://redirect.github.com/pillarjs/path-to-regexp/commit/86baef8)
**Added**
- New example in documentation ([#256](https://redirect.github.com/pillarjs/path-to-regexp/issues/256)) [`ae9e576`](https://redirect.github.com/pillarjs/path-to-regexp/commit/ae9e576)
- Update demo link ([#250](https://redirect.github.com/pillarjs/path-to-regexp/issues/250)) [`77df638`](https://redirect.github.com/pillarjs/path-to-regexp/commit/77df638)
- Update README encode example [`b39edd4`](https://redirect.github.com/pillarjs/path-to-regexp/commit/b39edd4)
### [`v6.2.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.2.0): Named Capturing Groups
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.1.0...v6.2.0)
**Added**
- Support named capturing groups for RegExps ([#225](https://redirect.github.com/pillarjs/path-to-regexp/issues/225))
**Fixed**
- Update `strict` flag documentation ([#227](https://redirect.github.com/pillarjs/path-to-regexp/issues/227))
- Ignore test files when bundling ([#220](https://redirect.github.com/pillarjs/path-to-regexp/issues/220))
### [`v6.1.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.1.0): Use `/#?` as Default Delimiter
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.0.0...v6.1.0)
**Fixed**
- Use `/#?` as default delimiter to avoid matching on query or fragment parameters
- If you are matching non-paths (e.g. hostnames), you can adjust `delimiter: '.'`
### [`v6.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.0.0): Custom Prefix and Suffix Groups
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v5.0.0...v6.0.0)
**Note:** The path syntax has been stabilized with this release, no breaking changes in paths is expected.
This release reverts the prefix behavior added in v3 back to the behavior seen in v2. For the most part, path matching is backward compatible with v2 with these enhancements:
1. Support for nested non-capturing groups in regexp, e.g. `/(abc(?=d))`
2. Support for custom prefix and suffix groups using `/{abc(.*)def}`
3. Tokens in an unexpected position will throw an error
- Paths like `/test(foo` previously worked treating `(` as a literal character, now it expects `(` to be closed and is treated as a group
- You can escape the character for the previous behavior, e.g. `/test\(foo`
**Changed**
- Revert using any character as prefix, support `prefixes` option to configure this (starts as `/.` which acts like every version since 0.x again)
- Add support for `{}` to capture prefix/suffix explicitly, enables custom use-cases like `/:attr1{-:attr2}?`
### [`v5.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v5.0.0): Remove Default Encode URI Component
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.5...v5.0.0)
No changes to path rules since 3.x, except support for nested RegEx parts in 4.x.
**Changed**
- Rename `RegexpOptions` interface to `TokensToRegexpOptions`
- Remove `normalizePathname` from library, document solution in README
- Encode using identity function as default, not `encodeURIComponent`
### [`v4.0.5`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.5): Decode URI
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.4...v4.0.5)
**Removed**
- Remove `whitelist` in favor of `decodeURI` (advanced behavior can happen outside `path-to-regexp`)
### [`v4.0.4`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.4): Remove `String#normalize`
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.3...v4.0.4)
**Fixed**
- Remove usage of `String.prototype.normalize` to continue supporting IE
### [`v4.0.3`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.3): Normalize Path Whitelist
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.2...v4.0.3)
**Added**
- Add normalize whitelist of characters (defaults to `/%.-`)
### [`v4.0.2`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.2): Allow `RegexpOptions` in `match`
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.1...v4.0.2)
**Fixed**
- Allow `RegexpOptions` in `match(...)` function
### [`v4.0.1`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.1): Fix Spelling of Regexp
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.0...v4.0.1)
**Fixed**
- Normalize `regexp` spelling across 4.x
### [`v4.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.0): ES2015 Package for Bundlers
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.3.0...v4.0.0)
All path rules are backward compatible with 3.x, except for nested `()` and other RegEx special characters that were previously ignored.
**Changed**
- Export names have changed to support ES2015 modules in bundlers
- `match` does not default to `decodeURIComponent`
**Added**
- New `normalizePathname` utility for supporting unicode paths in libraries
- Support nested non-capturing groups within parameters
- Add tree-shaking (via ES2015 modules) for webpack and other bundlers
### [`v3.3.0`](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.2.0...2eb12934fc1f15d3b9bad010709717fc53a14b8e)
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.2.0...v3.3.0)
### [`v3.2.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v3.2.0): Match Function
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.1.0...v3.2.0)
**Added**
- Add native `match` function to library
### [`v3.1.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v3.1.0): Validate and sensitive options
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.0.0...v3.1.0)
- Add `sensitive` option for `tokensToFunction` ([#191](https://redirect.github.com/pillarjs/path-to-regexp/issues/191))
- Add `validate` option to path functions ([#178](https://redirect.github.com/pillarjs/path-to-regexp/issues/178))
### [`v3.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/blob/HEAD/History.md#300--2019-01-13)
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v2.4.0...v3.0.0)
- Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. `/:att1-:att2-:att3-:att4-:att5`)
- Remove `partial` support, prefer escaping the prefix delimiter explicitly (e.g. `\\/(apple-)?icon-:res(\\d+).png`)
### [`v2.4.0`](https://redirect.github.com/pillarjs/path-to-regexp/blob/HEAD/History.md#240--2018-08-26)
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v2.3.0...v2.4.0)
- Support `start` option to disable anchoring from beginning of the string
### [`v2.3.0`](https://redirect.github.com/pillarjs/path-to-regexp/blob/HEAD/History.md#230--2018-08-20)
[Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v2.2.1...v2.3.0)
- Use `delimiter` when processing repeated matching groups (e.g. `foo/bar` has no prefix, but has a delimiter)
Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
ā» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
2.2.1->8.0.0GitHub Vulnerability Alerts
CVE-2024-45296
Impact
A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (
.). For example,/:a-:b.Patches
For users of 0.1, upgrade to
0.1.10. All other users should upgrade to8.0.0.Version 0.1.10 adds backtracking protection when a custom regular expression is not provided, so it's still possible to manually create a ReDoS vulnerability if you are providing custom regular expressions.
Version 7.0.0 can enable
strict: trueand get an error when the regular expression might be bad.Version 8.0.0 removes all features that can cause a ReDoS and stops exposing the regular expression directly.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change
/:a-:bto/:a-:b([^-/]+).If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.
Details
Using
/:a-:bwill produce the regular expression/^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as/a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the/aat the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the:a-:bon the repeated 8,000-a.Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
References
Release Notes
pillarjs/path-to-regexp (path-to-regexp)
### [`v8.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0): Simpler API [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v7.2.0...v8.0.0) Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward. **Added** - Adds key names to wildcards using `*name` syntax, aligns with `:` behavior but using an asterisk instead **Changed** - Removes group suffixes of `?`, `+`, and `*` - only optional exists moving forward (use wildcards for `+`, `{*foo}` for `*`) - Parameter names follow JS identifier rules and allow unicode characters **Added** - Parameter names can now be quoted, e.g. `:"foo-bar"` **Removed** - Removes `loose` mode - Removes regular expression overrides of parameters ### [`v7.2.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v7.2.0): Support array inputs (again) [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v7.1.0...v7.2.0) **Added** - Support array inputs for `match` and `pathToRegexp` [`3fdd88f`](https://redirect.github.com/pillarjs/path-to-regexp/commit/3fdd88f) ### [`v7.1.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0): Strict mode [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v7.0.0...v7.1.0) **Added** - Adds a `strict` option to detect potential ReDOS issues **Fixed** - Fixes separator to default to `suffix + prefix` when not specified - Allows separator to be undefined in `TokenData` - This is only relevant if you are building `TokenData` manually, previously `parse` filled it in automatically **Comments** - I highly recommend enabling `strict: true` and I'm *probably* releasing a V8 with it enabled by default ASAP as a necessary security mitigation ### [`v7.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v7.0.0): Wildcard, unicode, and modifier changes [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.2.2...v7.0.0) Hi all! There's a few major breaking changes in this release so read carefully. **Breaking changes:** - The function returned by `compile` only accepts strings as values (i.e. no numbers, use `String(value)` before compiling a path) - For repeated values, when `encode !== false`, it must be an array of strings - Parameter names can contain all unicode identifier characters (defined as regex `\p{XID_Continue}`). - Modifiers (`?`, `*`, `+`) must be used after a param explicitly wrapped in `{}` - No more implied prefix of `/` or `.` - No support for arrays or regexes as inputs - The wildcard (standalone `*`) has been added back and matches Express.js expected behavior - Removed `endsWith` option - Renamed `strict: true` to `trailing: false` - Reserved `;`, `,`, `!`, and `@` for future use-cases - Removed `tokensToRegexp`, `tokensToFunction` and `regexpToFunction` in favor of simplifying exports - Enable a "loose" mode by default, so `/` can be repeated multiple times in a matched path (i.e. `/foo` works like `//foo`, etc) - `encode` and `decode` no longer receive the token as the second parameter - Removed the ESM + CommonJS dual package in favor of only one CommonJS supported export - Minimum JS support for ES2020 (previous ES2015) - Encode defaults to `encodeURIComponent` and decode defaults to `decodeURIComponent` **Added:** - Adds `encodePath` to fix an issue around `encode` being used for both path and parameters (the path and parameter should be encoded slightly differently) - Adds `loose` as an option to support arbitrarily matching the delimiter in paths, e.g. `foo/bar` and `foo///bar` should work the same - Allow `encode` and `decode` to be set to `false` which skips all processing of the parameters input/output - All remaining methods support `TokenData` (exported, returned by `parse`) as input - This should be useful if you are programmatically building paths to match or want to avoid parsing multiple times **Requests for feedback:** - Requiring `{}` is an obvious drawback but I'm seeking feedback on whether it helps make path behavior clearer - Related: Removing `/` and `.` as implicit prefixes - Removing array and regex support is to reduce the overall package size for things many users don't need - Unicode IDs are added to align more closely with browser URLPattern behavior, which uses JS identifiers ### [`v6.2.2`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.2.2): Updated README [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.2.1...v6.2.2) No API changes. Documentation only release. **Changed** - Fix readme example [`c7ec332`](https://redirect.github.com/pillarjs/path-to-regexp/commit/c7ec332) - Update shield URL [`e828000`](https://redirect.github.com/pillarjs/path-to-regexp/commit/e828000) ### [`v6.2.1`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.2.1): Fix matching `:name*` parameter [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.2.0...v6.2.1) **Fixed** - Fix invalid matching of `:name*` parameter ([#261](https://redirect.github.com/pillarjs/path-to-regexp/issues/261)) [`762bc6b`](https://redirect.github.com/pillarjs/path-to-regexp/commit/762bc6b) - Compare delimiter string over regexp [`86baef8`](https://redirect.github.com/pillarjs/path-to-regexp/commit/86baef8) **Added** - New example in documentation ([#256](https://redirect.github.com/pillarjs/path-to-regexp/issues/256)) [`ae9e576`](https://redirect.github.com/pillarjs/path-to-regexp/commit/ae9e576) - Update demo link ([#250](https://redirect.github.com/pillarjs/path-to-regexp/issues/250)) [`77df638`](https://redirect.github.com/pillarjs/path-to-regexp/commit/77df638) - Update README encode example [`b39edd4`](https://redirect.github.com/pillarjs/path-to-regexp/commit/b39edd4) ### [`v6.2.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.2.0): Named Capturing Groups [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.1.0...v6.2.0) **Added** - Support named capturing groups for RegExps ([#225](https://redirect.github.com/pillarjs/path-to-regexp/issues/225)) **Fixed** - Update `strict` flag documentation ([#227](https://redirect.github.com/pillarjs/path-to-regexp/issues/227)) - Ignore test files when bundling ([#220](https://redirect.github.com/pillarjs/path-to-regexp/issues/220)) ### [`v6.1.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.1.0): Use `/#?` as Default Delimiter [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v6.0.0...v6.1.0) **Fixed** - Use `/#?` as default delimiter to avoid matching on query or fragment parameters - If you are matching non-paths (e.g. hostnames), you can adjust `delimiter: '.'` ### [`v6.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v6.0.0): Custom Prefix and Suffix Groups [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v5.0.0...v6.0.0) **Note:** The path syntax has been stabilized with this release, no breaking changes in paths is expected. This release reverts the prefix behavior added in v3 back to the behavior seen in v2. For the most part, path matching is backward compatible with v2 with these enhancements: 1. Support for nested non-capturing groups in regexp, e.g. `/(abc(?=d))` 2. Support for custom prefix and suffix groups using `/{abc(.*)def}` 3. Tokens in an unexpected position will throw an error - Paths like `/test(foo` previously worked treating `(` as a literal character, now it expects `(` to be closed and is treated as a group - You can escape the character for the previous behavior, e.g. `/test\(foo` **Changed** - Revert using any character as prefix, support `prefixes` option to configure this (starts as `/.` which acts like every version since 0.x again) - Add support for `{}` to capture prefix/suffix explicitly, enables custom use-cases like `/:attr1{-:attr2}?` ### [`v5.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v5.0.0): Remove Default Encode URI Component [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.5...v5.0.0) No changes to path rules since 3.x, except support for nested RegEx parts in 4.x. **Changed** - Rename `RegexpOptions` interface to `TokensToRegexpOptions` - Remove `normalizePathname` from library, document solution in README - Encode using identity function as default, not `encodeURIComponent` ### [`v4.0.5`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.5): Decode URI [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.4...v4.0.5) **Removed** - Remove `whitelist` in favor of `decodeURI` (advanced behavior can happen outside `path-to-regexp`) ### [`v4.0.4`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.4): Remove `String#normalize` [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.3...v4.0.4) **Fixed** - Remove usage of `String.prototype.normalize` to continue supporting IE ### [`v4.0.3`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.3): Normalize Path Whitelist [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.2...v4.0.3) **Added** - Add normalize whitelist of characters (defaults to `/%.-`) ### [`v4.0.2`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.2): Allow `RegexpOptions` in `match` [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.1...v4.0.2) **Fixed** - Allow `RegexpOptions` in `match(...)` function ### [`v4.0.1`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.1): Fix Spelling of Regexp [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v4.0.0...v4.0.1) **Fixed** - Normalize `regexp` spelling across 4.x ### [`v4.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v4.0.0): ES2015 Package for Bundlers [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.3.0...v4.0.0) All path rules are backward compatible with 3.x, except for nested `()` and other RegEx special characters that were previously ignored. **Changed** - Export names have changed to support ES2015 modules in bundlers - `match` does not default to `decodeURIComponent` **Added** - New `normalizePathname` utility for supporting unicode paths in libraries - Support nested non-capturing groups within parameters - Add tree-shaking (via ES2015 modules) for webpack and other bundlers ### [`v3.3.0`](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.2.0...2eb12934fc1f15d3b9bad010709717fc53a14b8e) [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.2.0...v3.3.0) ### [`v3.2.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v3.2.0): Match Function [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.1.0...v3.2.0) **Added** - Add native `match` function to library ### [`v3.1.0`](https://redirect.github.com/pillarjs/path-to-regexp/releases/tag/v3.1.0): Validate and sensitive options [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v3.0.0...v3.1.0) - Add `sensitive` option for `tokensToFunction` ([#191](https://redirect.github.com/pillarjs/path-to-regexp/issues/191)) - Add `validate` option to path functions ([#178](https://redirect.github.com/pillarjs/path-to-regexp/issues/178)) ### [`v3.0.0`](https://redirect.github.com/pillarjs/path-to-regexp/blob/HEAD/History.md#300--2019-01-13) [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v2.4.0...v3.0.0) - Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. `/:att1-:att2-:att3-:att4-:att5`) - Remove `partial` support, prefer escaping the prefix delimiter explicitly (e.g. `\\/(apple-)?icon-:res(\\d+).png`) ### [`v2.4.0`](https://redirect.github.com/pillarjs/path-to-regexp/blob/HEAD/History.md#240--2018-08-26) [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v2.3.0...v2.4.0) - Support `start` option to disable anchoring from beginning of the string ### [`v2.3.0`](https://redirect.github.com/pillarjs/path-to-regexp/blob/HEAD/History.md#230--2018-08-20) [Compare Source](https://redirect.github.com/pillarjs/path-to-regexp/compare/v2.2.1...v2.3.0) - Use `delimiter` when processing repeated matching groups (e.g. `foo/bar` has no prefix, but has a delimiter)Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
ā» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.