mswjs / msw

Industry standard API mocking for JavaScript.
https://mswjs.io
MIT License

chore(upgrade): upgrade `path-to-regexp` #2287

Closed markmssd closed 2 months ago

markmssd commented 2 months ago

Related: https://github.com/mswjs/msw/issues/2270

This PR upgrades path-to-regexp to the latest version, v8.

path-to-regexp v8 has breaking changes, see https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0.

In this PR, I've attempted to make the change transparent to msw users.

kettanaito commented 2 months ago

Hi, @markmssd. Thanks for opening this. Updating path-to-regexp requires a bit more thought. You are introducing breaking changes to how wildcard params are exposed.

I will close this pull request because the path-to-regexp vulnerability was backported to the version range used by MSW right now. #2285 has fixed the issue.

markmssd commented 2 months ago

Gotcha! However, the backporting didn't fully work, it seems, as I brought up here: https://github.com/pillarjs/path-to-regexp/issues/323#issuecomment-2356440172. Let's hope something can be done to fully fix it.

kettanaito commented 2 months ago

Hope so as well. Critical vulnerabilities are good candidates for backports.

You mustn't ship MSW in production, to begin with. Critical vulnerabilities from dev dependencies have a close-to-non-existent effect on your product. But anyone is welcome to refactor MSW into newer path-to-regexp while keeping the existing tests intact.

markmssd commented 2 months ago

Okay, Snyk got updated too now: https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106 🎉

How to fix?
Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.
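As an added check against the advisory's fix list quoted above (example code, not part of this PR or of MSW): the script below walks a `package-lock.json` and reports every installed copy of `path-to-regexp`, nested ones included, that is below the patched version for its major line. The lock file content is constructed for the demo.

```javascript
// Minimum fixed version per major line, taken from the advisory text above:
// 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0. A major not in this list has no patched
// release named by the advisory, so the only remedy is moving to a listed line.
const FIXED_BY_MAJOR = { 0: '0.1.10', 1: '1.9.0', 3: '3.3.0', 6: '6.3.0', 8: '8.0.0' };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Verdict for one installed version: 'fixed', 'vulnerable' or 'no-fix-in-major'.
function assessVersion(version) {
  const major = parseSemver(version)[0];
  const fixed = FIXED_BY_MAJOR[major];
  if (fixed === undefined) return 'no-fix-in-major';
  return compareSemver(version, fixed) >= 0 ? 'fixed' : 'vulnerable';
}

// Scans the "packages" map of a lockfileVersion 2/3 lock file. Keys are paths
// such as node_modules/msw/node_modules/path-to-regexp, so nested copies that a
// top-level `npm ls` view can hide are reported as well.
function auditLockfile(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (!pkgPath.endsWith('node_modules/path-to-regexp')) continue;
    findings.push({ path: pkgPath, version: entry.version, status: assessVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lock file: three copies with different outcomes.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    'node_modules/path-to-regexp': { version: '6.2.1' },
    'node_modules/msw/node_modules/path-to-regexp': { version: '6.3.0' },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.7' },
  },
});

console.log(auditLockfile(SAMPLE_LOCK));
```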