Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update path-to-regexp since it's affected by CVE-2024-45296 #1513

Closed
1 of 4 tasks
Llois41 opened this issue Nov 8, 2024 · 5 comments
Closed
1 of 4 tasks

Update path-to-regexp since it's affected by CVE-2024-45296 #1513

Llois41 opened this issue Nov 8, 2024 · 5 comments
Labels
bug Something isn't working needs triage

Comments

@Llois41
Copy link

Llois41 commented Nov 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

https://github.com/nestjs/serve-static/blob/master/package.json#L70

This pinned version is affected by https://nvd.nist.gov/vuln/detail/CVE-2024-45296

Please update it!

Minimum reproduction code

https://github.com/nestjs/serve-static/blob/master/package.json#L70

Steps to reproduce

No response

Expected behavior

Package is updated to a version without the CVE.

Maybe dependencies should not be pinned since it requires all projects to release a new version instead of the consuming projects to update the transitive dependencies itself. FWIW: https://docs.npmjs.com/specifying-dependencies-and-devdependencies-in-a-package-json-file#manually-editing-the-packagejson-file

Package version

4.0.2

NestJS version

No response

Node.js version

No response

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

No response
@Llois41 Llois41 added bug Something isn't working needs triage labels Nov 8, 2024
@Llois41 Llois41 changed the title Update path-to-regexp since it's affected by Update path-to-regexp since it's affected by CVE-2024-45296 Nov 8, 2024
@Elte156
Copy link

Elte156 commented Nov 11, 2024

Only place this is used is:

serve-static/lib/utils/is-route-excluded.util.ts

Line 5 in 05eef6f

const re = pathToRegexp(path);

I see that @nestjs/core depends on path-to-regexp@3.3.0

serve-static/package-lock.json

Line 1050 in 05eef6f

"path-to-regexp": "3.3.0",

Should we update path-to-regexp to 3.3.0, 6.3.0, or 8.2.0?

@Llois41
Copy link
Author

Llois41 commented Nov 11, 2024

@Elte156 we for now just added a resolution to 1.9.0 since it seems the appropriate version according to GHSA-9wv6-86v2-598j

And also the changes in the changelog do not seem to be that much and breaking (but we also do not use the code path which includes the path-to-regexp package).

@Elte156
Copy link

Elte156 commented Nov 11, 2024

@Llois41 Moving to 1.9.0 has been proposed in PR #1454

But it was deemed that it would incur breaking changes by @kamilmysliwiec
#1454 (comment)

Given that the maintainer of path-to-regexp expresses that there were no breaking changes between 0.2.5 and 1.0.0, it seems like it would be safe.

Is it expected that @nestjs/serve-static would need a major version bump from 4.0.2 to 5.0.0 to include a safe version of path-to-regexp?

@JannikStreek JannikStreek mentioned this issue Nov 13, 2024
Closed
@kamilmysliwiec
Copy link
Member

Blocked until this nestjs/nest#14238 (comment) is merged

@nestjs nestjs locked and limited conversation to collaborators Nov 28, 2024
@kamilmysliwiec
Copy link
Member

https://github.com/nestjs/serve-static/releases/tag/5.0.0

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working needs triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Elte156 @kamilmysliwiec @Llois41 and others