-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update vulnerable path-to-regexp dependency #509
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!
packages/open-next/package.json
Outdated
@@ -45,7 +45,7 @@ | |||
"aws4fetch": "^1.0.18", | |||
"chalk": "^5.3.0", | |||
"esbuild": "0.19.2", | |||
"path-to-regexp": "^6.2.1", | |||
"path-to-regexp": "^8.1.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you test this ? Jumping 2 major version and being out of sync with nextjs itself ( they are still on 6.1
) will probably cause some trouble.
6.3.0
also include the fix without any breaking change, that's probably what we want to use
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the time I raised this PR, only v8 had patched the issue, and v6 was still vulnerable. I had been using this with npm overrides without issue.
Given that a patch now exists for v6, I can revert back to v6 if that improves confidence?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah that's probably better, there might be some edge case that are broken and it will be a pain to debug later
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nhardy Could you make this change please
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies for not updating sooner. Updated now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem thanks
Updates
path-to-regexp
to resolve GHSA-9wv6-86v2-598j