-
-
Notifications
You must be signed in to change notification settings - Fork 530
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
msw seems to depend on vulnerable versions of path-to-regexp
#2270
Comments
vi har dette problemet mswjs/msw#2270 ser ut som vi må vente på at msw oppdaterer sin versjon av path-to-regexp før denne audit feilen blir borte
facing the same issue. It still exists. |
yes, I'm facing the same issue in v1.3.4 |
Gentle open source etiquette tip: it's not helpful to reply with a message like "same". It creates noise for everyone subscribed to the issue. Instead, the best thing to do is upvote the original message. |
With VERY limited testing, I think I may have a short-term workaround. Not sure what the far reaching effects are, but, adding this to my
Then an That would imply a breaking change, so maybe we need to just wait on a fix. So far with a few routes it looks like it works for me, but YMMV. |
I tried that approach, for my project stop works. |
The current version of msw depends on express@4.19.2, which in turn depends on path-to-regex@0.1.7. This older version of path-to-regex has known security vulnerabilities. Current msw pnpm-lock.yaml express@4.19.2 > path-to-regexp@0.1.7 Line 4366 in 8e17330
The new version of express@4.20, which was released on yesterday(2024/09/10), depends on path-to-regex@1.1.0, which resolves the security vulnerabilities present in the older version.
Line 47 in 8e17330
Release: express@4.20.0 |
Yeah, it needs to update both |
As MSW is only a dev dependency for my company I updated our pipeline audit check to include '--omit=dev' This may help others until a fix is deployed |
To the devs: I forked Seems the function Here is a link addressing this from the devs of path-to-regexp regarding the unexpected characters - https://github.com/pillarjs/path-to-regexp?tab=readme-ov-file#unexpected-----etc |
Nvm, just saw in the |
See [msw seems to depend on vulnerable versions of path-to-regexp #2270](mswjs/msw#2270)
@agadzinski93, thank you for doing that research. There are also some type changes across major version updates, but those should be manageable. A great reminder from @fwg-dev-butter that MSW is a development dependency. Even if it, or its transitive dependencies have vulnerabilities, that is not the same as a production-grade dependency shipping vulnerabilities to your users. You don't ship MSW to your users, you use it on your machine. That doesn't negate the vulnerability, but it severely minimizes its scope to being pretty much non-existing. Configuring your reporting property will save you, your company, and open source maintainers a lot of time and stress. So do that. I am all for updating dependencies though. Pull requests are welcome with this one! |
I've opened #2285 which upgrades |
Released: v2.4.8 🎉This has been released in v2.4.8! Make sure to always update to the latest version ( Predictable release automation by @ossjs/release. |
Prerequisites
Environment check
msw
versionNode.js version
NA
Reproduction repository
loculus-project/loculus
Reproduction steps
npm audit
Current behavior
Expected behavior
The latest version of msw doesn't use a vulnerable version of
path-to-regexp
The text was updated successfully, but these errors were encountered: