
[Break Change] upgrade path-to-regexp V6 to V8, or not ? #97

Closed
pengzhanbo opened this issue Sep 7, 2024 · 4 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@pengzhanbo (Owner)

path-to-regexp has undergone significant changes recently, with two major version updates in a short period, both of which include breaking changes. Upgrading hastily could have a really bad impact on users of the plugin.

The current plugin has been using the v6 version of the API, and the dynamic route matching rules are vastly different from those in v8, which would render existing URL configurations with dynamic parameters completely ineffective. This might be unacceptable for current users.

So, I'm not sure whether to proceed with the update. I'd appreciate your thoughts and suggestions.


@pengzhanbo pengzhanbo added enhancement New feature or request help wanted Extra attention is needed labels Sep 7, 2024
@pengzhanbo pengzhanbo changed the title [Break Change] migrate path-to-regexp V6 to V8, or not ? [Break Change] upgrate path-to-regexp V6 to V8, or not ? Sep 25, 2024
@pengzhanbo pengzhanbo closed this as not planned Won't fix, can't repro, duplicate, stale Oct 24, 2024
@pfdgithub (Contributor)

I had always been using the registry.npmmirror.com mirror; today I happened to switch to the official registry and only then noticed that installing the dependencies produces a vulnerability warning: 2 high severity vulnerabilities

% npm audit
# npm audit report

path-to-regexp  4.0.0 - 6.2.2
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install vite-plugin-mock-dev-server@1.5.0, which is a breaking change
node_modules/path-to-regexp
  vite-plugin-mock-dev-server  >=1.5.1
  Depends on vulnerable versions of path-to-regexp
  node_modules/vite-plugin-mock-dev-server

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Since this is used during local development, the impact of the vulnerability "path-to-regexp outputs backtracking regular expressions" is limited.
Still, I would recommend upgrading to path-to-regexp@6.3.0 to mitigate it.

Patches
For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

0.1.10
1.9.0
3.3.0
6.3.0
They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

Fixed

Add backtrack protection to 6.x (pillarjs/path-to-regexp#324) pillarjs/path-to-regexp@f1253b4
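As an added example (not code from the plugin, from path-to-regexp, or from this thread), the following pre-flight check scans a mock server's route strings for the two shapes the quoted advisory talks about: two parameters in one path segment separated by something other than "." (the shape GHSA-9wv6-86v2-598j describes as producing a backtracking regex in 6.x before 6.3.0), and user-supplied custom capture groups, which the patched 6.x versions do not protect. The route strings are constructed samples.

```javascript
// Added example: lint route patterns before handing them to path-to-regexp 6.x.
// Matches ":name", ":name(custom)" or a bare "(custom)" group.
const PARAM = /:[A-Za-z0-9_]+(\([^)]*\))?|\([^)]*\)/g;

function segmentsOf(route) {
  // Split on "/" but leave an escaped "\/" inside a segment.
  return route.split(/(?<!\\)\//).filter(Boolean);
}

function analyzeRoute(route) {
  const findings = [];
  for (const seg of segmentsOf(route)) {
    const tokens = [...seg.matchAll(PARAM)];
    // Custom capture groups: per the advisory, not covered by the 6.3.0 fix.
    for (const t of tokens) {
      if (t[0].includes('(')) {
        findings.push({ route, segment: seg, kind: 'custom-group', token: t[0] });
      }
    }
    // Two or more parameters in one segment with a non-"." delimiter between
    // them (":from-:to", ":a:b") is the shape the advisory describes.
    for (let i = 1; i < tokens.length; i++) {
      const prev = tokens[i - 1];
      const between = seg.slice(prev.index + prev[0].length, tokens[i].index);
      if (between !== '.') {
        findings.push({ route, segment: seg, kind: 'adjacent-params', delimiter: between });
      }
    }
  }
  return findings;
}

function findRiskyRoutes(routes) {
  return routes.flatMap(analyzeRoute);
}

// Constructed sample mock-server routes (not from any real configuration).
const SAMPLE_ROUTES = [
  '/api/users/:id',          // single parameter: fine
  '/api/files/:name.:ext',   // two parameters with "." delimiter: fine
  '/api/range/:from-:to',    // two parameters with "-" delimiter: flagged
  '/api/item/:id(\\d+)',     // custom capture group: flagged
];

for (const f of findRiskyRoutes(SAMPLE_ROUTES)) {
  console.log(`${f.kind}: ${f.route} (segment "${f.segment}")`);
}
```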

@pengzhanbo (Owner, Author)

@pfdgithub Thanks for the reminder!
Because I had pinned the version to avoid the unpredictable breakage that upgrading to @8+ would bring,
I have not been keeping an eye on path-to-regexp lately and overlooked the @6.3.0 release.

@pfdgithub (Contributor)

If path-to-regexp follows the semver spec, using ^6.3.0 would be enough. That said, the version management of some community packages really leaves a lot to be desired.

@pengzhanbo (Owner, Author)

@pfdgithub I don't quite dare to write ^6.3.0, because there have already been issues like #104 before; how users handle version management and lock files also leaves a lot to be desired.
