Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: address express and path-to-regexp vulnerabilities #2285

Merged
merged 1 commit into from
Sep 16, 2024
Merged

fix: address express and path-to-regexp vulnerabilities #2285

merged 1 commit into from
Sep 16, 2024

Conversation

markmssd
Copy link
Contributor

@markmssd markmssd commented Sep 15, 2024
edited by kettanaito
Loading

path-to-regexp fix has been backported to v6.3.0 too (as pointed in #2270 (comment)). We just need to wait for the audit to get updated and acknowledge it's fixed there too.

express is only used in specs, thus it's not a breaking change to upgrade to v5.

Ideally, we'd upgrade path-to-regexp to latest v8, but I couldn't get there. I can try again in a few days though.

@markmssd markmssd mentioned this pull request Sep 15, 2024
Closed
4 tasks
kettanaito
kettanaito approved these changes Sep 16, 2024
View reviewed changes
Copy link
Member

@kettanaito kettanaito left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Thanks, @markmssd! Let's see what the tests tell us.

@kettanaito kettanaito marked this pull request as ready for review September 16, 2024 07:01
@kettanaito kettanaito changed the title chore(upgrade): upgrade express to fix vulnerability fix: address express and path-to-regexp vulnerabilities Sep 16, 2024
@kettanaito kettanaito merged commit e3487bc into mswjs:main Sep 16, 2024
11 checks passed
@ekaitzht
Copy link

ekaitzht commented Sep 16, 2024
edited
Loading

Hello, should not be this kind of PR to update the semver minor? from 2.4.7 5 to 2.4.8? 🤔 cc @kettanaito @markmssd

@kettanaito
Copy link
Member

@ekaitzht, you aren't consuming neither express nor path-to-regexp directly. There are no changes to the MSW's behavior for you. This is a fix.

@kettanaito
Copy link
Member

Released: v2.4.8 🎉

This has been released in v2.4.8!

Make sure to always update to the latest version (npm i msw@latest) to get the newest features and bug fixes.

Predictable release automation by @ossjs/release.

@kettanaito kettanaito mentioned this pull request Sep 17, 2024
Closed
@Loonz206 Loonz206 mentioned this pull request Oct 23, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kettanaito kettanaito kettanaito approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

msw seems to depend on vulnerable versions of path-to-regexp
3 participants
@markmssd @ekaitzht @kettanaito