Security reports with path-to-regexp version #478
Comments
|
Same here, would be great if the team can give #476 a little love... |
|
This is affecting us too. |
|
Any update here? |
|
I created a PR to fix it: #482 |
|
This is now fixed |
|
@IchordeDionysos This is not fixed yet, CVE-2024-45296 is still open GHSA-9wv6-86v2-598j in this repository given that path-to-regexp is still on |
|
True, the issue here is fixed though downstream consumers are not locked into a vulnerable version as the lockfile of superstatic shouldn't be used. Unless you use superstatic directly (which is likely the minority of the cases) you are not blocked. |
|
@IchordeDionysos Yes, but it means we need to monkeypatch and override a version. It would be preferable to deal with security vulnerabilities at the source. Most people probably come here via |
|
This is fixed after the recent package-lock.json regen, but #488 will update package.json to match. |
|
Thank you're @joehan!
…On Wed, 22 Jan 2025, 19:54 joehan, ***@***.***> wrote:
This is fixed after the recent package-lock.json regen, but #488
<#488> will update
package.json to match.
—
Reply to this email directly, view it on GitHub
<#478 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEUCMAJ4NL2SIX3ZRCSRN3L2L7SO5AVCNFSM6AAAAABOSLY3LOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMBYGAZDGOJXGI>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
We have two Dependabot security reports regarding the path-to-regexp version and since we use firebase-tools, I believe it's coming from this package. This Dependabot PR #476 here would resolve it since the router package also depends on a vulnerable path-to-regexp version so both need to be updated. Worth noting that the router package is a major version update.
The text was updated successfully, but these errors were encountered: