Update transitive dependencies to fix vulnerability

[lukewhitehouse]

The problem

There is a high severity alert out for versions of path-to-regexp: https://github.com/advisories/GHSA-9wv6-86v2-598j

Details

This package is a transitive dependency for a couple of direct dependencies to @percy/playwright, which will need updating. These include:

• updating @percy/cli, fixed in v1.29.4 https://github.com/percy/cli/releases/tag/v1.29.4
• updating sinon, fixed in v18.0.1 https://github.com/sinonjs/sinon/blob/main/CHANGES.md#1801

This repo has 2 bumps to get us started:

• https://github.com/percy/percy-playwright/pull/445 – seems good to go
• https://github.com/percy/percy-playwright/pull/444 – breaking changes from v18 -> v19 that may fail tests. Might be easier to upgrade the patch version instead for now.

Is this something that could be looked at? Happy to help with the Sinon bump

[lukewhitehouse]

On reviewing https://github.com/percy/percy-playwright/pull/444 CI steps it looks like the node version needs updating too.

[lukewhitehouse]

I've created a PR for the sinon and node upgrades https://github.com/percy/percy-playwright/pull/447, which combined with https://github.com/percy/percy-playwright/pull/445, should fix the vulnerability found in older versions of path-to-regexp. Would love to hear your thoughts here @prklm10 & @shantanuk-browserstack

[prklm10]

@lukewhitehouse thanks for raising the pr for this. We will be trying to update the sinon patch version instead of upgrading node.

[prklm10]

Hi @lukewhitehouse we have released v1.0.7 that has the security patch for path-to-regex.