
page.js >=1.4.0 depends on vulnerable versions of path-to-regexp

Open · MarkBFamFour opened this issue 1 year ago · 1 comment

Hi,

Recently I started getting high severity warnings from npm that this library depends on vulnerable versions of path-to-regexp (in my case page.js 1.11.6 depends on path-to-regexp 1.2.1). Could this be remedied, or can I upgrade to path-to-regexp 1.9.0 for example to provide a secure path-to-regexp library for page.js?

MarkBFamFour · Nov 06 '24 11:11

Not sure if you've got around to fixing this, but one workaround is to use npm overrides.

More info here - https://medium.com/microsoftazure/how-to-fix-your-security-vulnerabilities-with-npm-override-c4b5be0ab4f6

For page.js the following should work (you may need to change the version numbers based on the error):

```json
  "overrides": {
    "[email protected]": "1.9.0"
  },
```

crisward · Dec 09 '24 13:12
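The override above only helps if it actually changes what the lockfile resolves, so it is worth checking the result rather than trusting `npm audit` going quiet. The following is an added example, not code from the page.js project or from either comment: it walks a package-lock.json v2/v3 `packages` map, lists every resolved copy of a dependency (including copies nested under another package's own `node_modules`, which is how page.js ends up with its own path-to-regexp), flags those below a patched minimum, and builds the `overrides` entry for package.json. The lock and package.json contents are constructed; the npm package name `page` (the registry name of page.js), the page.js version 1.11.6 and the patched minimum 1.9.0 are taken from the thread as assumptions. Note that the override key in the comment above was mangled by the page's e-mail obfuscation; in npm the key is the package name, optionally qualified with a version selector.

```javascript
// Added example (not page.js project code): verify which versions of a
// dependency an npm lockfile resolves, flag the unpatched ones, and build the
// package.json "overrides" entry that forces the patched version.
// Assumes a package-lock.json v2/v3 "packages" map (constructed below).

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 on major.minor.patch; pre-release tags are deliberately ignored.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of `name`: top level or nested under another package's
// node_modules. The lockfile key is the install path, so the last path
// segment after "node_modules/" is the package name.
function findResolved(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    if (path.split('node_modules/').pop() === name) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Copies resolved below the patched minimum; these are what the override must replace.
function vulnerableResolutions(lock, name, minPatched) {
  return findResolved(lock, name).filter(h => compareSemver(h.version, minPatched) < 0);
}

// Returns a copy of package.json with the override added; existing overrides are kept.
function withOverride(pkg, name, version) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: version } };
}

// Constructed sample (assumption): a project depending on page.js 1.11.6, which
// nests its own path-to-regexp 1.2.1 while a patched copy sits at the top level.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { page: '1.11.6', 'path-to-regexp': '1.9.0' } },
    'node_modules/page': { version: '1.11.6', dependencies: { 'path-to-regexp': '~1.2.1' } },
    'node_modules/page/node_modules/path-to-regexp': { version: '1.2.1' },
    'node_modules/path-to-regexp': { version: '1.9.0' },
  },
};

const SAMPLE_PACKAGE_JSON = { name: 'my-app', dependencies: { page: '1.11.6' } };

// Report: which copies need the override, and the package.json that applies it.
const unpatched = vulnerableResolutions(SAMPLE_LOCK, 'path-to-regexp', '1.9.0');
for (const h of unpatched) console.log(`needs override: ${h.path} resolves ${h.version}`);
console.log(JSON.stringify(withOverride(SAMPLE_PACKAGE_JSON, 'path-to-regexp', '1.9.0'), null, 2));
```

After adding the override, run `npm install` so the lockfile is regenerated, then run the check again on the new lock: the nested `node_modules/page/node_modules/path-to-regexp` entry should be gone and page.js should resolve the top-level copy. Overrides require npm 8.3 or newer; pinning a major version bump this way also deserves a test run, since the override forces a version the upstream package never declared support for.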