mswjs / msw

Industry standard API mocking for JavaScript.
https://mswjs.io
MIT License

Impossible to install because of violation detected #2304

Closed localhero44 closed 1 month ago

localhero44 commented 1 month ago

Hi, I would like to use the latest version, as I have used MSW in the past and it works great. Unfortunately, in my company I can't install it, because a violation (CVE) has been detected for two weeks on this dependency: path-to-regexp

Here is the CVE found by our IQ server: CVE-2024-45296

Could you upgrade this dependency? Currently it is 6.3.0

Regards David

kettanaito commented 1 month ago

Hi.

This has been discussed and resolved. See https://github.com/mswjs/msw/issues/2270, https://github.com/mswjs/msw/issues/2277, and https://github.com/mswjs/msw/issues/2294. The fix was addressed on the path-to-regexp side; they've backported it to the version range compatible with the one required by MSW.

davidperbal commented 1 month ago

Sorry, I hadn't found any reference to the same problem before posting it, my fault. So path-to-regexp 6.3.0 is patched, but that was the version that was identified as vulnerable at my company. Then today I found a way to request a new scan of the npm dependencies, and this time I was able to install MSW in its latest version 😀
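The thread turns on one question a scanner answers for you only after a rescan: which copies of path-to-regexp are actually resolved in the lockfile, and are they at or above the backported 6.3.0 that the maintainer points to. The script below is an added example, not code from the msw project or from anyone in this thread. It reads a package-lock.json in the v2/v3 layout (a `packages` map keyed by install path), reports every resolved copy of path-to-regexp, and marks the 6.x copies below 6.3.0 as vulnerable; 6.3.0 is the only patched version the thread names, so copies on other major lines are reported as `unknown-line` rather than guessed at. The sample lockfile, the `some-router` package and its versions are constructed for the example.

```javascript
// Added example (not msw project code): audit a package-lock.json for
// resolved path-to-regexp versions below the patched 6.3.0 named in the thread.
// Assumes lockfile v2/v3 layout: a "packages" object keyed by install path.
const PATCHED_6X = '6.3.0';

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "6.10.0" sorts above "6.9.0" (string compare would not).
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every resolved copy of `name` in the lockfile, including nested
// copies under other packages' node_modules, with a status relative to
// `minVersion` on that major line.
function auditLockfile(lock, name, minVersion) {
  const results = [];
  const packages = lock.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    // '' is the root project itself; everything else ends in node_modules/<pkg>.
    if (path === '' || !path.endsWith(`node_modules/${name}`)) continue;
    const version = entry.version;
    const sameMajor = parseSemver(version)[0] === parseSemver(minVersion)[0];
    let status;
    if (!sameMajor) {
      // The thread only states the fixed version for the 6.x line; other
      // lines are reported, not judged, to avoid inventing a floor.
      status = 'unknown-line';
    } else {
      status = compareSemver(version, minVersion) < 0 ? 'vulnerable' : 'patched';
    }
    results.push({ path, version, status });
  }
  return results;
}

function vulnerableCopies(lock) {
  return auditLockfile(lock, 'path-to-regexp', PATCHED_6X)
    .filter((r) => r.status === 'vulnerable');
}

// Constructed sample lockfile: msw resolves the patched copy at the top level,
// while a (hypothetical) second dependency keeps an older nested copy.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { msw: '^2.0.0', 'some-router': '^1.0.0' } },
    'node_modules/msw': { version: '2.0.0', dependencies: { 'path-to-regexp': '^6.3.0' } },
    'node_modules/path-to-regexp': { version: '6.3.0' },
    'node_modules/some-router': { version: '1.0.0', dependencies: { 'path-to-regexp': '^6.2.0' } },
    'node_modules/some-router/node_modules/path-to-regexp': { version: '6.2.2' },
  },
};

// One line per resolved copy: status, version, install path.
function printReport(lock) {
  for (const r of auditLockfile(lock, 'path-to-regexp', PATCHED_6X)) {
    console.log(`${r.status.padEnd(12)} ${r.version.padEnd(8)} ${r.path}`);
  }
}

printReport(SAMPLE_LOCK);
```

On the sample, the top-level 6.3.0 is reported as patched and the nested 6.2.2 as vulnerable; a scanner that only looks at the direct dependency's declared range would miss the nested copy, which is why the script walks every install path instead of just the one msw declares. To see the same resolution tree from npm itself, `npm ls path-to-regexp` lists each resolved copy and which package pulls it in.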