path-to-regexp npm audit high vulnerable

[mtrefzer]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

Using "@nestjs/serve-static": "^4.0.2" seams to reference a vulnerable version of "path-to-regexp" .

# npm audit report

path-to-regexp  0.2.0 - 1.8.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @nestjs/serve-static@2.2.2, which is a breaking change
node_modules/@nestjs/serve-static/node_modules/path-to-regexp
  @nestjs/serve-static  2.0.0-next.1 - 2.0.0 || >=3.0.0
  Depends on vulnerable versions of path-to-regexp
  node_modules/@nestjs/serve-static

Minimum reproduction code

pillarjs/path-to-regexp#328

Steps to reproduce

npm install
npm audit

Expected behavior

no high security vulnerable

Package version

4.0.2

NestJS version

10.4.3

Node.js version

22.8.0

In which operating systems have you tested?

• macOS
• Windows
• Linux

Other

No response

[BeataKr]

there is a fix but lack of action from 2 weeks

[Zimovets]

when i try update dependencies i faced an issue I describe it here may be someone can help - https://stackoverflow.com/questions/79051743/npm-override-overrides-not-only-the-package-i-specify

[kamilmysliwiec]

#1454