Closed. markmssd closed this 2 months ago.
Hi, @markmssd. Thanks for opening this. Updating path-to-regexp requires a bit more thought. You are introducing breaking changes to how wildcard params are exposed.
I will close this pull request because the path-to-regexp vulnerability was backported to the version range used by MSW right now. #2285 has fixed the issue.
Gotcha! However, the backporting didn't fully work, it seems, as I brought up here: https://github.com/pillarjs/path-to-regexp/issues/323#issuecomment-2356440172. Let's hope something can be done to fully fix it.
Hope so as well. Critical vulnerabilities are good candidates for backports.
You mustn't ship MSW in production, to begin with. Critical vulnerabilities from dev dependencies have a close-to-non-existent effect on your product. But anyone is welcome to refactor MSW onto the newer path-to-regexp while keeping the existing tests intact.
Okay, Snyk got updated too now: https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106 🎉
How to fix?
Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.
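The advisory's fix list above names one patched release per maintained line plus "8.0.0 or higher", but a lockfile often carries several copies of path-to-regexp (one under express on the 0.1.x line, another under msw on the 6.x line), and each copy has to be checked against the floor for its own line. The script below is an added example, not code from this PR, from MSW or from path-to-regexp: it parses versions with a small semver comparator, treats the five versions listed by Snyk as the lowest fixed release of their major line, and assumes (my reading of the list, not a statement on the page) that a major line with no listed floor, such as 2.x, 4.x, 5.x or 7.x, received no backport and must move to the next listed line. The `SAMPLE_LOCK` object is a constructed package-lock.json v3 fragment, not a real project's lockfile.

```javascript
// Added example: audit every copy of path-to-regexp in a package-lock.json
// against the fixed versions listed for SNYK-JS-PATHTOREGEXP-7925106.
// Not part of MSW or path-to-regexp; uses no third-party modules so it runs offline.

// Lowest fixed release on each listed line, copied from the advisory text.
const FIXED_FLOORS = ['0.1.10', '1.9.0', '3.3.0', '6.3.0', '8.0.0'];

// Parse "MAJOR.MINOR.PATCH" with an optional pre-release suffix into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`Unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A pre-release (8.0.0-beta.1) sorts below its final release (8.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// True when `installed` is at or above the floor for its major line, or at or
// above 8.0.0. Assumption (mine, not the advisory's wording): a major line with
// no listed floor has no fixed release, so it is reported as not fixed.
function isFixed(installed) {
  const v = parseVersion(installed);
  const highest = FIXED_FLOORS[FIXED_FLOORS.length - 1]; // "8.0.0 or higher"
  if (compareVersions(installed, highest) >= 0) return true;
  const floor = FIXED_FLOORS.find((f) => parseVersion(f).major === v.major);
  if (!floor) return false;
  return compareVersions(installed, floor) >= 0;
}

// Walk the "packages" map of a lockfile v2/v3 and report every copy of
// path-to-regexp, including nested copies under transitive dependencies.
function auditLock(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget =
      path === 'node_modules/path-to-regexp' ||
      path.endsWith('/node_modules/path-to-regexp');
    if (!isTarget || !entry || !entry.version) continue;
    results.push({ path, version: entry.version, fixed: isFixed(entry.version) });
  }
  return results;
}

// Constructed sample lockfile: a top-level 0.1.x copy (the express line) and a
// nested 6.x copy under msw. Both versions here are below their line's floor.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    'node_modules/express': { version: '4.19.2' },
    'node_modules/path-to-regexp': { version: '0.1.7' },
    'node_modules/msw': { version: '2.4.0' },
    'node_modules/msw/node_modules/path-to-regexp': { version: '6.2.2' },
  },
};

for (const r of auditLock(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ${r.fixed ? 'fixed' : 'NOT FIXED'}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; yarn and pnpm lockfiles have a different shape and would need their own walker. Note that a copy reported as fixed here is only fixed for this advisory; as the follow-up comment on path-to-regexp issue 323 records, the backported fix was itself questioned, so treat the floors as the advisory's claim rather than proof.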
Related: https://github.com/mswjs/msw/issues/2270
This PR upgrades path-to-regexp to the latest version, 8. path-to-regexp v8 has breaking changes, see https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0. In this PR, I've attempted to make the change transparent to msw users.