Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update path-to-regexp #966

Closed
klassm opened this issue Sep 10, 2024 · 15 comments
Closed

Update path-to-regexp #966

klassm opened this issue Sep 10, 2024 · 15 comments

Comments

@klassm
Copy link

klassm commented Sep 10, 2024

Please update to the current version of path-to-express, to mitigate the security vulnerability described in GHSA-9wv6-86v2-598j. Fix version should be 8.1.0

Thanks :-)!

@klassm klassm changed the title Update path-to-express Update path-to-regexp Sep 10, 2024
@StevenCederrand
Copy link

8.1.0 would probably be best, but yea, to remove the issue 8.0.0 is enough.

Please and thank you 🙌

@Alesyaa103
Copy link

v0.1.X also needs to be updated to v1.10.0

GHSA-9wv6-86v2-598j

@mmtdm
Copy link

mmtdm commented Sep 10, 2024

currently this fails npm audit

npm install express-openapi-validator --save

added 120 packages, and audited 121 packages in 3s

17 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

ex % npm audit
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/express-openapi-validator/node_modules/path-to-regexp
  express-openapi-validator  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/express-openapi-validator

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

@gauravrajpoot-wmp
Copy link

how to fix this issue. facing same problem

@frankkeefer
Copy link
Contributor

Also having issues using this library.

It looks like the automated PR's to update the library failed due to a build issue.
#967
#968

Looks like this might need a code update to account for the new shape of the functions in the new version of the path-to-regexp library.
https://github.com/cdimascio/express-openapi-validator/actions/runs/10797834182/job/29949959459?pr=967

@avocadojesus
Copy link

The update is non-trivial, since newer versions of path-to-regexp don't support any of the tests in test/wildcard.path.params.spec.ts (except for the first test). Began working on this, but since I am not a regular contributor to this repo, I didn't feel I had the authority to decide not to support wildcard features, since technically express does support them.

Express 4.20 is using path-to-regexp@0.1.10. I attempted to bring that version into this project as well, but it created 300+ test errors for me, so I defer to the package maintainers for the correct approach here.

To get to the point where only 7 wildcard specs are failing, you can bump path-to-rexexp@8.0.1, and then make the following changes:

Screenshot 2024-09-11 at 11 00 21 AM Screenshot 2024-09-11 at 11 00 52 AM

Not sure what to do from there apart from just deleting the wildcard functionality, any ideas? Seems to me safest approach would be to go back to path-to-regexp@0.1.10, since express uses that version successfully to parse its routes, and it can handle the same wildcard expressions, but that results in massive failures and I don't have the time to look into them.

@cvchauhan
Copy link
Contributor

for version 8.1.0 need to modify code as of now fix version is 6.3.0

@s100
Copy link

s100 commented Sep 12, 2024

Following the release of path-to-regexp@6.3.0, which is patched, express-openapi-validator's dependency on path-to-regexp@^6.2.2 should bring in a safe version of path-to-regexp by default. Downstream consumers are unblocked.

@cdimascio
Copy link
Owner

cdimascio commented Sep 12, 2024

The PR above upgrades to path-to-regex to 6.3.0 which resolves the vulnerability. An upgrade to v8.x is still desired. PRs welcome

@frankkeefer
Copy link
Contributor

Found a way to update the code to support path-to-regexp 8.1.0 #976. I had to do a pinch of rework in the openapi.spec.loader.ts to handle some of the new expectations for the 8.1.0 versions in setting up the path models. If the PR needs any adjustments let me know.

@frankkeefer
Copy link
Contributor

frankkeefer commented Sep 12, 2024

I did validate that the changes in #976 pass all the current unit tests, and the code changed is covered by the current unit testing. I'm not sure what unit test updates would be needed beyond that.

@cvchauhan
Copy link
Contributor

The PR above upgrades to path-to-regex to 6.3.0 which resolves the vulnerability. An upgrade to v8.x is still desired. PRs welcome

#975

@cvchauhan
Copy link
Contributor

cvchauhan commented Sep 12, 2024

Following the release of path-to-regexp@6.3.0, which is patched, express-openapi-validator's dependency on path-to-regexp@^6.2.2 should bring in a safe version of path-to-regexp by default. Downstream consumers are unblocked.

Pr has been raised already
#979

@dogmatic69
Copy link

Since #976 is merged, can a new release be made? 🙏🏻

@cdimascio
Copy link
Owner

fixed. closing this out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests