vercel/serve-handler

High severity vulnerabilities / serve-handler / path-to-regexp path-to-regexp-2.2.1.tgz

SrideviE50254 opened this issue · 5 comments

Hello Team,

The Mend Bolt tool is showing a vulnerability in package "path-to-regexp-2.2.1.tgz" with [CVE-2024-45296].

The vulnerability is raised from the path-to-regexp@2.2.1 module, which is used as a transitive dependency. The recommended version is 8.1.0.

Running npm list path-to-regexp returns the following:

└─┬ serve@14.2.3
  └─┬ serve-handler@6.1.5
    └── path-to-regexp@2.2.1

Could you please upgrade the path-to-regexp transitive dependency to 8.1.0 to fix this as soon as possible?

Regards,
Sridevi G

Adding this to package.json appears to resolve the issue.
It may break some functionality, as it is a major dependency upgrade.

  "overrides": {
    "path-to-regexp": "^8.1.0"
  }

Should also be fixed in path-to-regexp 3.3.0 - might be less "aggressive".

Mend Bolt is suggesting upgrading to version 0.1.10 or 8.0.0.

Kindly refer to the attached screenshot for more details.

Thanks
Sridevi.G

This is a duplicate of #211. @SrideviE50254 Please take the time to check open issues before creating a new one.

Hi @cylewaitforit,

Thank you for informing me about the duplicate issue. In the future, I will check the existing tickets before creating a new one. I referred to the issue you linked, #211.

I am using the same versions of Serve and Serve Handler:

└─┬ serve@14.2.3
  └─┬ serve-handler@6.1.5
    └── path-to-regexp@2.2.1

However, Mend Bolt is suggesting version 0.1.10 or 8.0.0 for path-to-regexp.


This still doesn't resolve my problem. Should I continue the discussion here or in the reference task you mentioned?

Thank you
Sridevi G