
[Bug]: react-router seems to depend on vulnerable versions of path-to-regexp #11975

Closed
marekdano opened this issue Sep 10, 2024 · 8 comments

@marekdano

What version of React Router are you using?

react-router-dom v5.3.4

Steps to Reproduce

run npm audit report and get

# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install msw@0.35.0, which is a breaking change
node_modules/react-router/node_modules/path-to-regexp
  react-router  4.0.0-0 - 5.3.4
  Depends on vulnerable versions of path-to-regexp
  node_modules/react-router
    react-router-dom  4.0.0-beta.1 - 5.3.4
    Depends on vulnerable versions of react-router
    node_modules/react-router-dom

high severity vulnerabilities

Expected Behavior

The latest version of react-router-dom doesn't use a vulnerable version of path-to-regexp

Actual Behavior

npm audit report currently shows vulnerabilities.

@marekdano marekdano added the bug label Sep 10, 2024
@timdorr
Member

timdorr commented Sep 10, 2024

This is an older, unsupported version of the library, so we cannot fix this. The changes to path-to-regexp from version 2.x and beyond are major breaking changes.

The advisory gives mitigation steps, and this only applies to specific path patterns. If you're only using this client-side, there is no practical vulnerability at all.

@timdorr closed this as not planned on Sep 10, 2024
@alecf

alecf commented Sep 10, 2024

There is now a v1.9.0 version of path-to-regexp that includes the security fix: https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0

@alecf

alecf commented Sep 10, 2024

I've created a PR against v5 here: #11980

@shreyas098

shreyas098 commented Sep 11, 2024

Can you check this https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0? @timdorr

@asos-nikitaparamonov

Please review this one #11980 - we're kind of stuck in our pipelines, and not ready to update to 6.0.0 of react-router-dom.

Appreciate it!

@shye0000

shye0000 commented Sep 11, 2024

@timdorr would you consider reopening this issue? Knowing that there is a potential fix #11980, if it can be released soon that would be great...

@timdorr
Member

timdorr commented Sep 11, 2024

This isn't a bug in the library. It's caused by something we're depending on, for which they've released a newer version of the 1.x branch (1.9.0, specifically) that fixes the issue at hand. We don't have to make any changes to our code, as that version is allowed by the selector we use (^1.7.0).

github/advisory-database#4785 was just merged in, so it should disappear from npm audit soon as well.
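The point in the comment above is that a fix can land without any change to react-router itself: the declared range `^1.7.0` already admits 1.9.0, so refreshing the lockfile (what `npm audit fix` does) is enough. The script below, added here as an illustration and not code from the react-router or path-to-regexp projects, makes that concrete: it walks a constructed `package-lock.json` (lockfileVersion 3 layout), reports every installed copy of path-to-regexp, flags the ones inside the audit's reported range (0.2.0 - 7.2.0, with the 1.9.x backport mentioned in this thread carved out; treat that predicate as a snapshot of the advisory at the time, not its current state), and checks whether the parent's caret range can reach the fixed version. Version parsing and caret semantics are a minimal re-implementation for the example, not the `semver` package.

```javascript
// Added example (not from the react-router project): scan an npm lockfile for
// path-to-regexp copies and check each resolved version against the advisory
// range quoted in the audit output, plus the caret range react-router declares.

// Constructed lockfile (npm lockfileVersion 3 layout) for this example: one
// hoisted path-to-regexp 6.x at the top level and a nested copy under
// react-router resolved to 1.8.0, i.e. the state before `npm audit fix`.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-router-dom": "^5.3.4" } },
    "node_modules/path-to-regexp": { version: "6.2.2" },
    "node_modules/react-router": {
      version: "5.3.4",
      dependencies: { "path-to-regexp": "^1.7.0" },
    },
    "node_modules/react-router/node_modules/path-to-regexp": { version: "1.8.0" },
    "node_modules/react-router-dom": { version: "5.3.4" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare on [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for a range like "^1.7.0" with major >= 1: any version
// >= 1.7.0 and < 2.0.0. This is why "^1.7.0" already admits 1.9.0.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges handled here");
  const base = parseVersion(range.slice(1));
  if (base[0] === 0) throw new Error("0.x caret ranges not handled here");
  const v = parseVersion(version);
  return compareVersions(version, range.slice(1)) >= 0 && v[0] === base[0];
}

// Vulnerable range as reported by the audit output (0.2.0 - 7.2.0), with the
// 1.9.x backport from this thread carved out. Assumption: this mirrors the
// advisory as it stood at the time; check the advisory for the current range.
function isVulnerablePathToRegexp(version) {
  const inRange =
    compareVersions(version, "0.2.0") >= 0 && compareVersions(version, "7.2.0") <= 0;
  const backported =
    compareVersions(version, "1.9.0") >= 0 && compareVersions(version, "2.0.0") < 0;
  return inRange && !backported;
}

// Walk the lockfile's "packages" map and report every installed copy,
// including nested ones under other packages' node_modules.
function auditPathToRegexp(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!path.endsWith("node_modules/path-to-regexp")) continue;
    hits.push({
      path,
      version: entry.version,
      vulnerable: isVulnerablePathToRegexp(entry.version),
    });
  }
  return hits;
}

// Can a lockfile refresh alone (no dependency declaration change) reach the
// fixed version? True when the parent's declared range admits it.
function fixableInPlace(declaredRange, fixedVersion) {
  return satisfiesCaret(declaredRange, fixedVersion);
}

for (const h of auditPathToRegexp(SAMPLE_LOCK)) {
  console.log(`${h.path}@${h.version} vulnerable=${h.vulnerable}`);
}
console.log(`^1.7.0 admits 1.9.0: ${fixableInPlace("^1.7.0", "1.9.0")}`);
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; note that the hoisted 6.x copy is flagged too, since the audit's range ran through 7.2.0, so a single `npm audit fix` may leave other parents needing their own range bumps.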

@shye0000

shye0000 commented Sep 11, 2024

@timdorr Ah indeed, I just need to do an npm audit fix now. This is wonderful!

6 participants