High severity vulnerabilities / serve-handler / path-to-regexp path-to-regexp-2.2.1.tgz

[SrideviE50254]

Hello Team,

Mend Bolt tool is showing vulnerability in package "path-to-regexp-2.2.1.tgz" with [CVE-2024-45296]

Vulnerability is raised from the [email protected] module which is used as a transitive dependency. The recommended version of this is 8.1.0

Running npm list path-to-regexp returns the following:

└─┬ [email protected]
└─┬ [email protected]
└── [email protected]

Could you please upgrade the path-to-regexp transitive dependency to 8.1.0 to fix it at asap.

Regards,
Sridevi G

[kmturley]

Adding this to package.json appears to resolve the issue
It may break some functionality as it is a major dependency upgrade

  "overrides": {
    "path-to-regexp": "^8.1.0"
  }

[thomashohn]

Should also be fixed in path-to-regexp 3.3.0 - might be less "agressive"

[SrideviE50254]

Mend bolt is suggesting to upgrade the version 0.1.10 or 8.0.0

Kindly refer attached screenshot for more details.

Thanks
Sridevi.G

[cylewaitforit]

This is a duplicate of #211. @SrideviE50254 Please take the time to check open issues before creating a new one.

[SrideviE50254]

Hi @cylewaitforit,

Thank you for informing me about the duplicate issue. In the future, I will check the existing tickets before creating a new one. I referred to the issue you linked, #211.

I am using the same versions of Serve and Serve Handler:

└─┬ [email protected]
└─┬ [email protected]
└── [email protected]

However, Mend Bolt is suggesting version 0.1.10 or 8.0.0 for path-to-regexp.

This still doesn't resolve my problem. Should I continue the discussion here or in the reference task you mentioned?

Thank you
Sridevi G