path-to-regexp npm audit high vulnerable

[danielehrhardt]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

In express, @nestjs/core, @nestjs/platform-express there is a package used "path-to-regexp" what causes a npm high security vulnerable. For Version 0.1.7 there is a path 0.1.10 but for 3.2.0 there is no patch currently available.
This should be updated.

Minimum reproduction code

pillarjs/path-to-regexp@29b96b4

Steps to reproduce

npm install
npm audit

Expected behavior

no high security vulnerable

Package

• I don't know. Or some 3rd-party package
• @nestjs/common
• @nestjs/core
• @nestjs/microservices
• @nestjs/platform-express
• @nestjs/platform-fastify
• @nestjs/platform-socket.io
• @nestjs/platform-ws
• @nestjs/testing
• @nestjs/websockets
• Other (see below)

Other package

No response

NestJS version

10.3.10

Packages versions

latest

Node.js version

20

In which operating systems have you tested?

• macOS
• Windows
• Linux

Other

No response

[danielehrhardt]

GHSA-9wv6-86v2-598j

[autorejecttop]

@nestjs/platform-fastify is also affected by this

[autorejecttop]

I tried reproducing this by:

1. nest new project-name
2. npm install @nestjs/microservices @nestjs/platform-fastify @nestjs/platform-socket.io @nestjs/platform-ws @nestjs/testing @nestjs/websockets
3. npm audit

it looks like affected packages are:

1. @nestjs/core
2. @nestjs/microservices
3. @nestjs/platform-express
4. @nestjs/platform-fastify
5. @nestjs/platform-socket.io
6. @nestjs/platform-ws
7. @nestjs/testing
8. @nestjs/websockets

got this output:

# npm audit report

path-to-regexp  <=0.1.9 || 0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @nestjs/platform-express@7.0.0, which is a breaking change
node_modules/@fastify/middie/node_modules/path-to-regexp
node_modules/express/node_modules/path-to-regexp
node_modules/path-to-regexp
  @fastify/middie  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/@fastify/middie
    @nestjs/platform-fastify  *
    Depends on vulnerable versions of @fastify/middie
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of path-to-regexp
    node_modules/@nestjs/platform-fastify
  @nestjs/core  <=2.0.2 || 5.2.0-next - 5.7.4 || >=6.11.0-next.1
  Depends on vulnerable versions of @nestjs/microservices
  Depends on vulnerable versions of @nestjs/platform-express
  Depends on vulnerable versions of @nestjs/websockets
  Depends on vulnerable versions of path-to-regexp
  node_modules/@nestjs/core
    @nestjs/microservices  >=7.0.1
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of @nestjs/websockets
    node_modules/@nestjs/microservices
    @nestjs/platform-express  *
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of express
    node_modules/@nestjs/platform-express
      @nestjs/testing  >=7.0.1
      Depends on vulnerable versions of @nestjs/core
      Depends on vulnerable versions of @nestjs/microservices
      Depends on vulnerable versions of @nestjs/platform-express
      node_modules/@nestjs/testing
    @nestjs/websockets  >=7.0.1
    Depends on vulnerable versions of @nestjs/core
    Depends on vulnerable versions of @nestjs/platform-socket.io
    node_modules/@nestjs/websockets
      @nestjs/platform-socket.io  >=8.0.0-alpha.1
      Depends on vulnerable versions of @nestjs/websockets
      node_modules/@nestjs/platform-socket.io
      @nestjs/platform-ws  >=8.0.0-alpha.1
      Depends on vulnerable versions of @nestjs/websockets
      node_modules/@nestjs/platform-ws
  express  4.0.0-rc1 - 4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of path-to-regexp
  node_modules/express

11 high severity vulnerabilities

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

[anukritigarg13]

@nestjs/swagger is also affected by this

[paskaran]

When can we expect a fix for this .? Thanks :)

[micalevisk]

Kamil should address this soon if feasible.

And, as long as you don't have a route that uses the specific path pattern that is mentioned in the vulnerability, you don't need to worry. (btw npm audit: Broken by Design)

[paskaran]

The problem is audit pipelines failing :D downgrading to 6.10.14 is not an option for us. Hopefully the fix arrives soon :). Thanks

[danielehrhardt]

#13957

[micalevisk]

I don't think that upgrading path-to-regexp from v3 to v8 is a good short-term solution because we might bring breaking changes (see v6, v7, and others). I guess we need to find a way to let the dev upgrade it on their side instead

[Piet-verdriet]

@micalevisk I agree :) An issue has been opened for path-to-regexp here
Please bump, hopefully one of the devs can look into patching soon.

[micalevisk]

looks like that the path-to-regexp's team won't backport that fix tho: pillarjs/path-to-regexp#318 (comment)

[DanielSchiavini]

They shouldn't need to backport, the release 3.2.0 is almost 5 years old! Nest should've upgraded a long time ago.

[micalevisk]

an workaround for NPM v8+ users:

just add the following to your package.json file and remove the lock file

  "overrides": {
    "path-to-regexp": "^8.1"
  }

so now you'll be using the latest version of path-to-regexp

Yarn and PNPM has similar solutions