Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

path-to-regexp npm audit high vulnerable #1466

Closed
2 of 4 tasks
mtrefzer opened this issue Sep 21, 2024 · 3 comments
Closed
2 of 4 tasks

path-to-regexp npm audit high vulnerable #1466

mtrefzer opened this issue Sep 21, 2024 · 3 comments
Labels
bug Something isn't working needs triage

Comments

@mtrefzer
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Using "@nestjs/serve-static": "^4.0.2" seams to reference a vulnerable version of "path-to-regexp" .

# npm audit report

path-to-regexp  0.2.0 - 1.8.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @nestjs/serve-static@2.2.2, which is a breaking change
node_modules/@nestjs/serve-static/node_modules/path-to-regexp
  @nestjs/serve-static  2.0.0-next.1 - 2.0.0 || >=3.0.0
  Depends on vulnerable versions of path-to-regexp
  node_modules/@nestjs/serve-static

Minimum reproduction code

pillarjs/path-to-regexp#328

Steps to reproduce

npm install
npm audit

Expected behavior

no high security vulnerable

Package version

4.0.2

NestJS version

10.4.3

Node.js version

22.8.0

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

No response
@mtrefzer mtrefzer added bug Something isn't working needs triage labels Sep 21, 2024
@BeataKr
Copy link

BeataKr commented Sep 25, 2024
edited
Loading

there is a fix but lack of action from 2 weeks

@Zimovets
Copy link

Zimovets commented Oct 4, 2024

when i try update dependencies i faced an issue I describe it here may be someone can help - https://stackoverflow.com/questions/79051743/npm-override-overrides-not-only-the-package-i-specify

@jamesread jamesread mentioned this issue Oct 7, 2024
Closed
@kamilmysliwiec
Copy link
Member

#1454

@nestjs nestjs locked and limited conversation to collaborators Oct 21, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working needs triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mtrefzer @kamilmysliwiec @Zimovets @BeataKr