Update path-to-regexp

[klassm]

Please update to the current version of path-to-express, to mitigate the security vulnerability described in GHSA-9wv6-86v2-598j. Fix version should be 8.1.0

Thanks :-)!

[StevenCederrand]

8.1.0 would probably be best, but yea, to remove the issue 8.0.0 is enough.

Please and thank you 🙌

[Alesyaa103]

v0.1.X also needs to be updated to v1.10.0

GHSA-9wv6-86v2-598j

[mmtdm]

currently this fails npm audit

npm install express-openapi-validator --save

added 120 packages, and audited 121 packages in 3s

17 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

ex % npm audit
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/express-openapi-validator/node_modules/path-to-regexp
  express-openapi-validator  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/express-openapi-validator

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

[gauravrajpoot-wmp]

how to fix this issue. facing same problem

[frankkeefer]

Also having issues using this library.

It looks like the automated PR's to update the library failed due to a build issue.
#967
#968

Looks like this might need a code update to account for the new shape of the functions in the new version of the path-to-regexp library.
https://github.com/cdimascio/express-openapi-validator/actions/runs/10797834182/job/29949959459?pr=967

[avocadojesus]

The update is non-trivial, since newer versions of path-to-regexp don't support any of the tests in test/wildcard.path.params.spec.ts (except for the first test). Began working on this, but since I am not a regular contributor to this repo, I didn't feel I had the authority to decide not to support wildcard features, since technically express does support them.

Express 4.20 is using path-to-regexp@0.1.10. I attempted to bring that version into this project as well, but it created 300+ test errors for me, so I defer to the package maintainers for the correct approach here.

To get to the point where only 7 wildcard specs are failing, you can bump path-to-rexexp@8.0.1, and then make the following changes:

Not sure what to do from there apart from just deleting the wildcard functionality, any ideas? Seems to me safest approach would be to go back to path-to-regexp@0.1.10, since express uses that version successfully to parse its routes, and it can handle the same wildcard expressions, but that results in massive failures and I don't have the time to look into them.

[cvchauhan]

for version 8.1.0 need to modify code as of now fix version is 6.3.0

[s100]

Following the release of path-to-regexp@6.3.0, which is patched, express-openapi-validator's dependency on path-to-regexp@^6.2.2 should bring in a safe version of path-to-regexp by default. Downstream consumers are unblocked.

[cdimascio]

The PR above upgrades to path-to-regex to 6.3.0 which resolves the vulnerability. An upgrade to v8.x is still desired. PRs welcome

[frankkeefer]

Found a way to update the code to support path-to-regexp 8.1.0 #976. I had to do a pinch of rework in the openapi.spec.loader.ts to handle some of the new expectations for the 8.1.0 versions in setting up the path models. If the PR needs any adjustments let me know.

[frankkeefer]

I did validate that the changes in #976 pass all the current unit tests, and the code changed is covered by the current unit testing. I'm not sure what unit test updates would be needed beyond that.

[cvchauhan]

The PR above upgrades to path-to-regex to 6.3.0 which resolves the vulnerability. An upgrade to v8.x is still desired. PRs welcome

#975

[cvchauhan]

Following the release of path-to-regexp@6.3.0, which is patched, express-openapi-validator's dependency on path-to-regexp@^6.2.2 should bring in a safe version of path-to-regexp by default. Downstream consumers are unblocked.

Pr has been raised already
#979