
[Bug]: react-router-dom v5 uses vulnerable version of path-to-regexp #11979

Closed
stbenjam opened this issue Sep 10, 2024 · 6 comments
@stbenjam

What version of React Router are you using?

v5.2.0

Steps to Reproduce

  1. npm install react-router-dom@5.2.0
  2. npm audit --production

Expected Behavior

#9637 (comment) makes the bold claim there's no end-of-life for any React router version, although there's not been any updates to v5 in years.

If there's truly no EOL I'd expect to see it move to a path-to-regexp version that's not vulnerable (v0.1.10 or 8.0.0 are the only fixed versions).

In some hacky overrides testing, the fixed v0.1.10 seems to work fine for me.

Actual Behavior

Relies on vulnerable path-to-regexp version

npm warn config production Use `--omit=dev` instead.
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install react-router-dom@6.26.2, which is a breaking change
node_modules/path-to-regexp
  react-router  4.0.0-0 - 5.3.4
  Depends on vulnerable versions of path-to-regexp
  node_modules/react-router
    react-router-dom  4.0.0-beta.1 - 5.3.4
    Depends on vulnerable versions of react-router
    node_modules/react-router-dom

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
@stbenjam
Author

Here's the relevant CVE GHSA-9wv6-86v2-598j

@timdorr
Member

timdorr commented Sep 10, 2024

Duplicate of #11975

@timdorr timdorr marked this as a duplicate of #11975 Sep 10, 2024
@timdorr timdorr closed this as not planned Sep 10, 2024
@timdorr
Member

timdorr commented Sep 10, 2024

Also, you are not affected by this, as you're not using a vulnerable path pattern: https://github.com/openshift/sippy/blob/master/sippy-ng/src/App.js

@stbenjam
Author

Sure, but we rely on npm audit --production coming back clean. It doesn't mean someone won't implement such a path in the future either.

I guess I could move to https://www.npmjs.com/package/npm-audit-resolver and add an exception...

@alecf

alecf commented Sep 10, 2024

I've submitted a PR for v5, hoping someone can make an exception for this: #11980

@stephen-risk-first

FWIW, version 1.9.0 of path-to-regexp has been released recently which fixes the vulnerability and is compatible with the version of path-to-regexp that is required by react-router-dom@5 (which is ^1.7.0).
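The thread turns on two questions: which path-to-regexp copies in a lockfile are still in an affected line, and whether an override (0.1.10 from the "hacky overrides testing" above, or 1.9.0 from the last comment) also respects react-router v5's ^1.7.0 dependency range. Below is an added example of a small CI gate for both checks; it is not code from the react-router project or from anyone in this thread. The fixed-line table (0.1.10+, 1.9.0+, 8.0.0+) and the sample lockfile are assumptions built from the thread; the advisory GHSA-9wv6-86v2-598j is the authoritative source for patched versions.

```javascript
// Added example (not project code): lockfile gate for the path-to-regexp advisory
// discussed in this issue. Fixed lines and the sample lockfile are assumptions
// taken from the thread, not from the advisory itself.

// Parse "1.9.0" / "^1.7.0" into [major, minor, patch]; prerelease tags are ignored.
const parseVer = (v) => v.replace(/^[~^]/, '').split('-')[0].split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Fixed lines as stated in the thread: 0.1.10+, 1.9.0+ and 8.0.0+.
// Everything else (including the 0.2.0 - 7.2.0 range npm audit printed) is affected.
function isVulnerable(version) {
  const [maj, min, pat] = parseVer(version);
  if (maj >= 8) return false;
  if (maj === 1) return min < 9;
  if (maj === 0) return !(min === 1 && pat >= 10);
  return true;
}

// Caret semantics: ^1.7.0 => >=1.7.0 <2.0.0; for a 0.x range the minor is locked too.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const [min, v] = [parseVer(range), parseVer(version)];
  const sameLine = min[0] === 0 ? v[0] === 0 && v[1] === min[1] : v[0] === min[0];
  return sameLine && cmp(version, range) >= 0;
}

// Report every path-to-regexp copy in a lockfile v2/v3 "packages" map with its status.
function auditLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p.endsWith('node_modules/path-to-regexp'))
    .map(([path, { version }]) => ({ path, version, vulnerable: isVulnerable(version) }));
}

// Constructed sample lockfile: the transitive copy pulled in by react-router@5.
const sampleLock = { packages: { 'node_modules/path-to-regexp': { version: '1.8.0' } } };

// An override (package.json "overrides": { "path-to-regexp": "<v>" }) is only a clean fix
// if it closes the finding AND stays inside react-router's declared range (^1.7.0).
function overrideIsSafe(candidate, declaredRange = '^1.7.0') {
  return !isVulnerable(candidate) && satisfiesCaret(candidate, declaredRange);
}

console.log(auditLock(sampleLock));
console.log('0.1.10 safe override?', overrideIsSafe('0.1.10'), '1.9.0?', overrideIsSafe('1.9.0'));
```

With this table, 0.1.10 closes the finding but falls outside ^1.7.0, while 1.9.0 does both, which matches the last comment.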
