get-convex / convex-auth

Library for built-in auth
https://labs.convex.dev/auth

npm audit: path-to-regexp outputs backtracking regular expressions #107

Open dowski opened 2 days ago

dowski commented 2 days ago

From npm audit:

path-to-regexp  7.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install path-to-regexp@8.2.0, which is a breaking change
node_modules/path-to-regexp

dowski commented 2 days ago

We use path-to-regexp in the createRouteMatcher implementation which can be used in a middleware.ts file to control which requests have auth requirements enforced.

We use that library because it's what Next.js uses under the covers for routing in middleware. Next.js also vendors an older version of path-to-regexp.

In order to allow the same syntax for matching routes in middleware for convex-auth and other Next.js middleware, we're going to keep the old path-to-regexp version.

See the following article from the path-to-regexp author which includes details on avoiding route patterns that can trigger the issue.

https://blakeembrey.com/posts/2024-09-web-redos/
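Since the old path-to-regexp version stays, the burden moves to the route patterns handed to createRouteMatcher. The added example below is not convex-auth code; it is a small pre-flight lint for a middleware.ts matcher list, built on the shape the linked advisory (GHSA-9wv6-86v2-598j) describes as risky: two parameters inside one path segment separated by anything other than a period. The segment splitting, the `:name` parameter regex and the sample matchers are assumptions of this example, not the library's own parser.

```javascript
// Added example (not convex-auth or path-to-regexp code): flag route patterns
// whose compiled regex would backtrack under pre-8.x path-to-regexp.
// Per the linked advisory, "/:a-:b" is the risky shape: two parameters in one
// segment, separated by something other than ".". This checker treats the
// pattern as plain text (groups and escapes are not parsed), which is an
// assumption that suits typical middleware matchers such as "/dashboard(.*)".

function findRiskySegments(pattern) {
  const risky = [];
  for (const segment of pattern.split("/")) {
    // Parameters in order of appearance, with their offsets in the segment.
    const params = [...segment.matchAll(/:([A-Za-z0-9_]+)/g)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      const separator = segment.slice(prev.index + prev[0].length, cur.index);
      // A period between the two parameters is the one case the advisory
      // treats as safe; any other separator is reported.
      if (separator !== ".") {
        risky.push({ segment, params: [prev[1], cur[1]], separator });
      }
    }
  }
  return risky;
}

// Returns one human-readable problem per risky segment across all matchers.
function lintMatchers(patterns) {
  const problems = [];
  for (const pattern of patterns) {
    for (const r of findRiskySegments(pattern)) {
      problems.push(
        `${pattern}: ":${r.params[0]}" and ":${r.params[1]}" share a segment ` +
          `with separator "${r.separator}"; split the segment or constrain ` +
          `the second parameter with a custom regex`
      );
    }
  }
  return problems;
}

// Constructed sample matchers, as they might appear in a middleware.ts.
const SAMPLE_MATCHERS = [
  "/dashboard(.*)",        // no parameters
  "/users/:id",            // one parameter per segment
  "/files/:name.:ext",     // two parameters, period separator: not flagged
  "/orders/:year-:month",  // two parameters, "-" separator: flagged
];

const LINT_REPORT = lintMatchers(SAMPLE_MATCHERS);
if (LINT_REPORT.length > 0) console.warn(LINT_REPORT.join("\n"));
```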