Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update path-to-regexp Dependency to Resolve Security Vulnerability #896

Closed
MalieJobe opened this issue Sep 12, 2024 · 2 comments
Closed

Comments

@MalieJobe
Copy link

MalieJobe commented Sep 12, 2024

Environment

  • Operating System: Windows_NT
  • Node Version: v22.3.0
  • Nuxt Version: 3.13.1
  • CLI Version: 3.13.1
  • Nitro Version: 2.9.7
  • Package Manager: [email protected]
  • Builder: -
  • User Config: compatibilityDate, devtools, vite, modules
  • Runtime Modules: @nuxtjs/[email protected], @nuxt/[email protected]
  • Build Modules: -

Reproduction

Steps to Reproduce:

  1. Install @nuxtjs/tailwindcss in a Nuxt project.
  2. Run npm audit.
  3. Observe the vulnerability warning related to path-to-regexp

Describe the bug

I’m encountering a security vulnerability related to the path-to-regexp package. I have identified that the version of path-to-regexp used in the @nuxtjs/tailwindcss package is affected by a high-severity security issue. Here are the details:

Affected Package: path-to-regexp
Vulnerable Versions: < 0.1.10, >= 0.2.0, < 1.9.0, >= 4.0.0, < 8.0.0, >= 2.0.0, < 3.3.0
Patched Version: 8.0.0

Additional context

The @nuxtjs/tailwindcss package includes a dependency on tailwind-config-viewer, which in turn relies on @koa/router. The @koa/router package depends on an outdated version of path-to-regexp, which has a known vulnerability.

When running npm audit, the following warning is shown:

path-to-regexp  4.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j

Additional Info

I’ve tried using the overrides field in my package.json to force the update to 8.0.0

"overrides": {
    "@koa/router": {
      "path-to-regexp": "8.0.0"
    },
    "@nuxtjs/tailwindcss": {
      "tailwind-config-viewer": "*"
    }
  }

but this led to runtime errors as shown:
ERROR [unhandledRejection] pathToRegexp is not a function

Logs

No response

@MalieJobe MalieJobe added the bug Something isn't working label Sep 12, 2024
@MalieJobe
Copy link
Author

I just saw that an issue for this is also opened at @koa/router #186

@ineshbose
Copy link
Collaborator

This is annoying 🙁 - there's a fair few upstream dependencies from tailwind-config-viewer we may want to address..

Can you test with nightly now? 🙂

@ineshbose ineshbose removed the bug Something isn't working label Oct 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants