Open Llois41 opened 1 week ago
The only place this is used is: https://github.com/nestjs/serve-static/blob/05eef6f08b6954ca9345e39e8d16ef428eb5f25b/lib/utils/is-route-excluded.util.ts#L5
I see that `@nestjs/core` depends on `path-to-regexp@3.3.0`: https://github.com/nestjs/serve-static/blob/05eef6f08b6954ca9345e39e8d16ef428eb5f25b/package-lock.json#L1050
Should we update `path-to-regexp` to `3.3.0`, `6.3.0`, or `8.2.0`?
@Elte156 for now we just added a resolution to `1.9.0`, since it seems the appropriate version according to https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
And also the changes in the changelog do not seem to be that many, or breaking (but we also do not use the code path which includes the `path-to-regexp` package).
@Llois41 Moving to 1.9.0 has been proposed in PR https://github.com/nestjs/serve-static/pull/1454
But it was deemed by @kamilmysliwiec that it would incur breaking changes: https://github.com/nestjs/serve-static/pull/1454#issuecomment-2426269793
Given that the maintainer of `path-to-regexp` expresses that there were no breaking changes between `0.2.5` and `1.0.0`, it seems like it would be safe.
Is it expected that `@nestjs/serve-static` would need a major version bump from `4.0.2` to `5.0.0` to include a safe version of `path-to-regexp`?
Is there an existing issue for this?
Current behavior
https://github.com/nestjs/serve-static/blob/master/package.json#L70
This pinned version is affected by https://nvd.nist.gov/vuln/detail/CVE-2024-45296
Please update it!
Minimum reproduction code
https://github.com/nestjs/serve-static/blob/master/package.json#L70
Steps to reproduce
No response
Expected behavior
Package is updated to a version without the CVE.
Maybe `dependencies` should not be pinned, since that requires all projects to release a new version instead of the consuming projects updating the transitive dependencies themselves. FWIW: https://docs.npmjs.com/specifying-dependencies-and-devdependencies-in-a-package-json-file#manually-editing-the-packagejson-file
Package version
4.0.2
NestJS version
No response
Node.js version
No response
In which operating systems have you tested?
Other
No response