CVE on path-to-regex

[L4ngu0r]

Hello, our audit reported a CVE on path-to-regex, can you update this deps? It is known on your side?

https://github.com/advisories/GHSA-9wv6-86v2-598j

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ path-to-regexp outputs backtracking regular            │
│                     │ expressions                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ path-to-regexp                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.1.10                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.1.10                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps/front > dd-trace@5.17.0 > path-to-regexp@0.1.7    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-9wv6-86v2-598j      │
└─────────────────────┴────────────────────────────────────────────────────────┘

[BellaMay95]

Following. Looks like the version got bumped here just a little while ago so hopefully the new version gets released here soon. :)

[L4ngu0r]

PR merged https://github.com/DataDog/dd-trace-js/pull/4664 waiting for a release

[LucasHaddad]

is it being released soon? anything we can help with in this matter?

[thiagoribeir015]

Hi, any updates on a release here @L4ngu0r? 🙇🏻

[L4ngu0r]

@thiagoribeir015 I'm not a maintainer here :-) just a user waiting for them to push a new release

[JasonKleban]

bump

[tlhunter]

This should be available in v5.23.0 and v4.47.0. Is anyone here still having an issue?

[L4ngu0r]

Fix on our side with the v5.23.0 thanks 🙏