@toolpad/core 6 depends on vulnerable versions of path-to-regexp #4125

Closed
nicolo-tito opened this issue Sep 20, 2024 · 2 comments · Fixed by #4126
Labels
priority: important (This change can make a difference)
scope: toolpad-core (Abbreviated to "core")
security (Pull requests that address a security vulnerability)

Comments


nicolo-tito commented Sep 20, 2024

Steps to reproduce

npm audit on "@toolpad/core": "^0.6.0"

Current behavior

npm audit report

path-to-regexp 4.0.0 - 6.2.2
Severity: high
path-to-regexp outputs backtracking regular expressions - GHSA-9wv6-86v2-598j
fix available via npm audit fix --force
Will install @toolpad/core@0.5.2, which is a breaking change
node_modules/path-to-regexp
  @toolpad/core >=0.6.0
  Depends on vulnerable versions of path-to-regexp
  node_modules/@toolpad/core

Expected behavior

No response

Context

No response

Your environment

No response

Search keywords: path-to-regexp

nicolo-tito added the label "status: waiting for maintainer" (These issues haven't been looked at yet by a maintainer) on Sep 20, 2024
Janpot (Member) commented Sep 20, 2024

We're working on this in #4074

Edit: path-to-regexp@8.0.0 breaks vitest, but the fix is backported to 6.3.0. Upgrading it in #4126.

Janpot added the labels "priority: important" (This change can make a difference) and "security" (Pull requests that address a security vulnerability) and removed "status: waiting for maintainer" (These issues haven't been looked at yet by a maintainer) on Sep 20, 2024
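The advisory flagged in the audit output above (GHSA-9wv6-86v2-598j, path-to-regexp 4.0.0 - 6.2.2), as an added example that is not code from @toolpad/core, path-to-regexp or anyone in this thread. It writes out the regex the vulnerable versions generated for a route of the form "/:a-:b" (two parameters in one segment with a separator other than "."), constructs the input that makes that regex backtrack quadratically, places an assumed hand-hardened regex beside it, and adds a scanner for a consumer's own route table. The hardened regex and the flagRiskyRoutes heuristic are my assumptions for illustration; the project's actual remediation is the dependency bump to 6.3.0 in #4126.

```javascript
// Added example, not code from @toolpad/core, path-to-regexp or this issue.
// GHSA-9wv6-86v2-598j (path-to-regexp 4.0.0 - 6.2.2) is a ReDoS in routes that
// put two parameters in one segment with a separator other than ".", such as
// "/:a-:b". The regex the vulnerable versions emit for that route is written
// out as a literal so this file runs with no dependency installed.
const VULNERABLE = /^\/([^\/]+?)-([^\/]+?)\/?$/i;

// Assumed hardened rewrite (my own, not the library's 6.3.0 fix): neither
// parameter may contain the separator, so every "-" has exactly one possible
// owner and the engine never retries splits. Trade-off: "/a-b-c" no longer
// matches, whereas the vulnerable form matched it as a="a", b="b-c".
const HARDENED = /^\/([^\/-]+)-([^\/-]+)\/?$/i;

// Match a path against a compiled route; returns the captured params or null.
function matchRoute(re, path) {
  const m = re.exec(path);
  return m ? m.slice(1) : null;
}

// Constructed attack input: n separators followed by a tail that can never
// satisfy "\/?$", so the engine tries every way to split the dashes between
// the two lazy groups before giving up: about n^2/2 steps.
function craftInput(n) {
  return "/" + "-".repeat(n) + "/x";
}

// Wall-clock cost of one exec, in milliseconds.
function timeExec(re, path) {
  const t0 = process.hrtime.bigint();
  re.exec(path);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Static check a consumer can run over its own route table while the
// dependency is still pinned below 6.3.0. It looks only for the shape the
// advisory documents (two ":name" params in one segment, separator not "."),
// so an empty result is not a proof of safety (assumption, stated here).
function flagRiskyRoutes(routes) {
  const risky = [];
  for (const route of routes) {
    const hasRiskySegment = route.split("/").some((segment) => {
      const param = /:[A-Za-z0-9_]+/g;
      let prevEnd = null;
      let m;
      while ((m = param.exec(segment)) !== null) {
        if (prevEnd !== null) {
          const separator = segment.slice(prevEnd, m.index);
          if (separator !== "" && separator !== ".") return true;
        }
        prevEnd = m.index + m[0].length;
      }
      return false;
    });
    if (hasRiskySegment) risky.push(route);
  }
  return risky;
}

// Demo: a benign path behaves the same under both regexes; the crafted path
// costs far more under the vulnerable one. n is kept small so the demo stays
// quick; raise it to watch the quadratic growth.
const n = 4000;
console.log("benign:", matchRoute(VULNERABLE, "/foo-bar"), matchRoute(HARDENED, "/foo-bar"));
console.log("vulnerable ms:", timeExec(VULNERABLE, craftInput(n)).toFixed(1));
console.log("hardened   ms:", timeExec(HARDENED, craftInput(n)).toFixed(1));
console.log("risky routes:", flagRiskyRoutes(["/users/:id", "/:a-:b", "/files/:name.:ext"]));
```

Until the transitive dependency is at 6.3.0 or later, the useful check is the last line: run flagRiskyRoutes over the routes your application actually registers, since a consumer whose routes never put two parameters in one segment is not exposed to the documented pattern even while the audit still fires.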

This issue has been closed. If you have a similar problem but not exactly the same, please open a new issue.
Now, if you have additional information related to this issue or things that could help future readers, feel free to leave a comment.

oliviertassinari added the label "scope: toolpad-core" (Abbreviated to "core") on Sep 29, 2024