
@lhci/cli dependency on Express 4 introduces vulnerable path-to-regexp

Open bobby-didcoding opened this issue 3 months ago • 0 comments

Hi Lighthouse CI team 👋

While reviewing dependencies in our project, we noticed that @lhci/cli still depends on Express 4, which pulls in an outdated version of [email protected].

Unfortunately, all versions <3.3.0 are considered vulnerable to ReDoS (Regular Expression Denial of Service) attacks (see: Snyk advisory).

Current dependency chain:

  @lhci/[email protected]
  └─ [email protected]
     └─ [email protected]

Why this matters

  • Security scanners (npm audit, Snyk, Dependabot) flag this as a vulnerability.
  • Since there’s no patched 0.1.x branch, the only fix is upgrading to ≥3.3.0.
  • This leaves projects with a permanent audit warning if they rely on @lhci/cli.

Possible solutions

  • Upgrade Lighthouse CI’s internal routing to a newer Express version that uses path-to-regexp >=3.3.0.
  • Replace Express entirely (only a subset of its functionality may be needed for LHCI).
  • Alternatively, add a plan for moving off express@4 to reduce dependency risk.

Questions

  • Is there already a roadmap for migrating off Express 4 in LHCI?
  • Would you accept a PR that replaces or upgrades the routing layer?

Thanks for maintaining Lighthouse CI.

bobby-didcoding · Aug 29 '25 09:08
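The "Why this matters" section above says scanners flag the nested path-to-regexp copy and that the only fix is a version ≥3.3.0. As an added example (not part of this issue, and not Lighthouse CI's own code), the script below shows how such a check works on an npm lock file: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, resolves each declared dependency the way Node does (nearest `node_modules` walking upward, so hoisted copies are handled correctly), flags every installed copy of a named package below a minimum version, and prints the dependency chain from the root project to each flagged copy. The lock file embedded below is constructed for illustration; its package versions are placeholders and are not taken from the issue.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3) for installed
// copies of a package below a minimum version, and report who pulls them in.
// Not part of the issue or the Lighthouse CI project.

// Minimal MAJOR.MINOR.PATCH comparison; pre-release/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = String(a).split(/[-+]/)[0].split('.').map(Number);
  const pb = String(b).split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name for a lock-file key such as "node_modules/express/node_modules/path-to-regexp".
function pkgName(lock, key) {
  if (key === '') return (lock.packages[''] && lock.packages[''].name) || '<root>';
  return key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Resolve `name` as required from package `fromKey`: try fromKey/node_modules/name,
// then the parent's node_modules, up to the top level (Node's lookup order).
function resolveDep(lock, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    const idx = base.lastIndexOf('/node_modules/');
    if (idx >= 0) { base = base.slice(0, idx); continue; }
    if (base === '') return null; // not installed at all
    base = '';                    // one more try at the top level
  }
}

// Build reverse edges: resolved package key -> keys of packages that depend on it.
function reverseEdges(lock) {
  const rev = {};
  for (const [fromKey, meta] of Object.entries(lock.packages || {})) {
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolveDep(lock, fromKey, dep);
      if (target) (rev[target] = rev[target] || []).push(fromKey);
    }
  }
  return rev;
}

// All dependency chains from the root project down to `key`, as arrays of names.
function chainsTo(lock, rev, key, onPath = new Set()) {
  if (key === '') return [[pkgName(lock, key)]];
  if (onPath.has(key)) return []; // cycle guard
  onPath.add(key);
  const out = [];
  for (const parent of rev[key] || []) {
    for (const chain of chainsTo(lock, rev, parent, onPath)) out.push([...chain, pkgName(lock, key)]);
  }
  onPath.delete(key);
  return out;
}

// Main entry point: every installed copy of `name` with version < minSafe.
function auditLock(lock, name, minSafe) {
  const rev = reverseEdges(lock);
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '' || pkgName(lock, key) !== name) continue;
    if (compareVersions(meta.version, minSafe) < 0) {
      hits.push({ key, version: meta.version, chains: chainsTo(lock, rev, key).map(c => c.join(' > ')) });
    }
  }
  return hits;
}

// Constructed sample lock file (versions are illustrative placeholders, not from the issue).
// A hoisted, current path-to-regexp sits at the top level; an old 0.1.x copy is nested
// under express, which is what a scanner would flag.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { '@lhci/cli': '*' } },
    'node_modules/@lhci/cli': { version: '0.0.0-constructed', dependencies: { express: '*' } },
    'node_modules/express': { version: '4.0.0-constructed', dependencies: { 'path-to-regexp': '*' } },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.0' },
    'node_modules/path-to-regexp': { version: '6.0.0' },
    'node_modules/some-router': { version: '1.0.0', dependencies: { 'path-to-regexp': '*' } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of auditLock(SAMPLE_LOCK, 'path-to-regexp', '3.3.0')) {
    console.log(`${hit.key} is ${hit.version} (< 3.3.0), reached via:`);
    for (const chain of hit.chains) console.log(`  ${chain}`);
  }
}
```

Run against a real lock file with `auditLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')), 'path-to-regexp', '3.3.0')`; the per-copy resolution is what lets the report distinguish the hoisted, already-fixed copy that `some-router` uses from the nested copy that `express` actually loads.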