
Dependabot `path-to-regexp` report due to `serve` usage

Open MikeMcC399 opened this issue 1 year ago • 2 comments

Issue

Dependabot reports a high severity vulnerability "path-to-regexp outputs backtracking regular expressions" in this repo concerning CVE-2024-45296.

This is also reported by npm audit:

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/serve-handler/node_modules/path-to-regexp
  serve-handler  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/serve-handler
    serve  >=7.0.0
    Depends on vulnerable versions of serve-handler
    node_modules/serve

The vulnerability is pulled in by

https://github.com/cypress-io/cypress-example-kitchensink/blob/31bf6677fb3ddb7e9cc142ddf5e8dcf6821fa76e/package.json#L64

$ npm ls path-to-regexp
[email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

- The issue has been reported to https://github.com/vercel/serve/issues/811; however, at this time there is no resolution available.

MikeMcC399 avatar Sep 11 '24 07:09 MikeMcC399