chore(deps): update dependency path-to-regexp@0.1.12 to v8 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
path-to-regexp@0.1.12	0.1.13 → 8.4.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-4867

Impact

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.

References

• GHSA-9wv6-86v2-598j
• Detailed blog post: ReDoS the web

CVE-2026-4926

Impact

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches

Fixed in version 8.4.0.

Workarounds

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

CVE-2026-4923

Impact

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches

Upgrade to version 8.4.0.

Workarounds

If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

---

Release Notes

pillarjs/path-to-regexp (path-to-regexp@0.1.12)

v8.4.0

Compare Source

v8.3.0: 8.3.0

Compare Source

Changed

• Add custom error class (#​398) 2a7f2a4
• Allow plain objects for TokenData (#​391) 687a9bb
• Escape text should escape backslash (#​390) a4a8552
• Improved error messages and stack size (#​363) a6bdf40

Other

• Minifying the parser
  • PR (#​401) 9df2448
  • PR (#​395) 4a91505
  • Shaving some bytes d63f44b
  • Remove optional operator 973d15c

v8.2.0: 8.2.0

Compare Source

Fixed

• Allowing path-to-regexp to run on older browsers by targeting ES2015
  • Target ES2015 5969033
    • Also saved 0.22kb (10%!) by removing the private class field down level
  • Remove s flag from regexp 51dbd45

v8.1.0

Compare Source

Added

• Adds pathToRegexp method back for generating a regex
• Adds stringify method for converting TokenData into a path string

v8.0.0: Simpler API

Compare Source

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

• Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

• Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
• Parameter names follow JS identifier rules and allow unicode characters

Added

• Parameter names can now be quoted, e.g. :"foo-bar"
• Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

• Removes loose mode
• Removes regular expression overrides of parameters

v7.2.0: Support array inputs (again)

Compare Source

Added

• Support array inputs for match and pathToRegexp 3fdd88f

v7.1.0: Strict mode

Compare Source

Added

• Adds a strict option to detect potential ReDOS issues

Fixed

• Fixes separator to default to suffix + prefix when not specified
• Allows separator to be undefined in TokenData
  • This is only relevant if you are building TokenData manually, previously parse filled it in automatically

Comments

• I highly recommend enabling strict: true and I'm probably releasing a V8 with it enabled by default ASAP as a necessary security mitigation

v7.0.0: Wildcard, unicode, and modifier changes

Compare Source

Hi all! There's a few major breaking changes in this release so read carefully.

Breaking changes:

• The function returned by compile only accepts strings as values (i.e. no numbers, use String(value) before compiling a path)
  • For repeated values, when encode !== false, it must be an array of strings
• Parameter names can contain all unicode identifier characters (defined as regex \p{XID_Continue}).
• Modifiers (?, *, +) must be used after a param explicitly wrapped in {}
  • No more implied prefix of / or .
• No support for arrays or regexes as inputs
• The wildcard (standalone *) has been added back and matches Express.js expected behavior
• Removed endsWith option
• Renamed strict: true to trailing: false
• Reserved ;, ,, !, and @ for future use-cases
• Removed tokensToRegexp, tokensToFunction and regexpToFunction in favor of simplifying exports
• Enable a "loose" mode by default, so / can be repeated multiple times in a matched path (i.e. /foo works like //foo, etc)
• encode and decode no longer receive the token as the second parameter
• Removed the ESM + CommonJS dual package in favor of only one CommonJS supported export
• Minimum JS support for ES2020 (previous ES2015)
• Encode defaults to encodeURIComponent and decode defaults to decodeURIComponent

Added:

• Adds encodePath to fix an issue around encode being used for both path and parameters (the path and parameter should be encoded slightly differently)
• Adds loose as an option to support arbitrarily matching the delimiter in paths, e.g. foo/bar and foo///bar should work the same
• Allow encode and decode to be set to false which skips all processing of the parameters input/output
• All remaining methods support TokenData (exported, returned by parse) as input
  • This should be useful if you are programmatically building paths to match or want to avoid parsing multiple times

Requests for feedback:

• Requiring {} is an obvious drawback but I'm seeking feedback on whether it helps make path behavior clearer
  • Related: Removing / and . as implicit prefixes
• Removing array and regex support is to reduce the overall package size for things many users don't need
• Unicode IDs are added to align more closely with browser URLPattern behavior, which uses JS identifiers

v6.3.0: Fix backtracking in 6.x

Compare Source

Fixed

• Add backtrack protection to 6.x (#​324) f1253b4

v6.2.2: Updated README

Compare Source

No API changes. Documentation only release.

Changed

• Fix readme example c7ec332
• Update shield URL e828000

v6.2.1: Fix matching :name* parameter

Compare Source

Fixed

• Fix invalid matching of :name* parameter (#​261) 762bc6b
• Compare delimiter string over regexp 86baef8

Added

• New example in documentation (#​256) ae9e576
• Update demo link (#​250) 77df638
• Update README encode example b39edd4

v6.2.0: Named Capturing Groups

Compare Source

Added

• Support named capturing groups for RegExps (#​225)

Fixed

• Update strict flag documentation (#​227)
• Ignore test files when bundling (#​220)

v6.1.0: Use /#? as Default Delimiter

Compare Source

Fixed

• Use /#? as default delimiter to avoid matching on query or fragment parameters
  • If you are matching non-paths (e.g. hostnames), you can adjust delimiter: '.'

v6.0.0: Custom Prefix and Suffix Groups

Compare Source

This release reverts the prefix behavior added in v3 back to the behavior seen in v2. For the most part, path matching is backward compatible with v2 with these enhancements:

1. Support for nested non-capturing groups in regexp, e.g. /(abc(?=d))
2. Support for custom prefix and suffix groups using /{abc(.*)def}
3. Tokens in an unexpected position will throw an error
   • Paths like /test(foo previously worked treating ( as a literal character, now it expects ( to be closed and is treated as a group
   • You can escape the character for the previous behavior, e.g. /test\(foo

Changed

• Revert using any character as prefix, support prefixes option to configure this (starts as /. which acts like every version since 0.x again)
• Add support for {} to capture prefix/suffix explicitly, enables custom use-cases like /:attr1{-:attr2}?

v5.0.0: Remove Default Encode URI Component

Compare Source

No changes to path rules since 3.x, except support for nested RegEx parts in 4.x.

Changed

• Rename RegexpOptions interface to TokensToRegexpOptions
• Remove normalizePathname from library, document solution in README
• Encode using identity function as default, not encodeURIComponent

v4.0.5: Decode URI

Compare Source

Removed

• Remove whitelist in favor of decodeURI (advanced behavior can happen outside path-to-regexp)

v4.0.4: Remove String#normalize

Compare Source

Fixed

• Remove usage of String.prototype.normalize to continue supporting IE

v4.0.3: Normalize Path Whitelist

Compare Source

Added

• Add normalize whitelist of characters (defaults to /%.-)

v4.0.2: Allow RegexpOptions in match

Compare Source

Fixed

• Allow RegexpOptions in match(...) function

v4.0.1: Fix Spelling of Regexp

Compare Source

Fixed

• Normalize regexp spelling across 4.x

v4.0.0: ES2015 Package for Bundlers

Compare Source

All path rules are backward compatible with 3.x, except for nested () and other RegEx special characters that were previously ignored.

Changed

• Export names have changed to support ES2015 modules in bundlers
• match does not default to decodeURIComponent

Added

• New normalizePathname utility for supporting unicode paths in libraries
• Support nested non-capturing groups within parameters
• Add tree-shaking (via ES2015 modules) for webpack and other bundlers

v3.3.0: Add backtracking protection

Compare Source

Fixed

• Add backtrack protection to 3.x release (#​321) d31670a

v3.2.0: Match Function

Compare Source

Added

• Add native match function to library

v3.1.0: Validate and sensitive options

Compare Source

• Add sensitive option for tokensToFunction (#​191)
• Add validate option to path functions (#​178)

v3.0.0

Compare Source

• Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
• Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

v2.4.0

Compare Source

• Support start option to disable anchoring from beginning of the string

v2.3.0

Compare Source

• Use delimiter when processing repeated matching groups (e.g. foo/bar has no prefix, but has a delimiter)

v2.2.1

Compare Source

• Allow empty string with end: false to match both relative and absolute paths

v2.2.0

Compare Source

• Pass token as second argument to encode option (e.g. encode(value, token))

v2.1.0

Compare Source

• Handle non-ending paths where the final character is a delimiter
  • E.g. /foo/ before required either /foo/ or /foo// to match in non-ending mode

v2.0.0

Compare Source

• New option! Ability to set endsWith to match paths like /test?query=string up to the query string
• New option! Set delimiters for specific characters to be treated as parameter prefixes (e.g. /:test)
• Remove isarray dependency
• Explicitly handle trailing delimiters instead of trimming them (e.g. /test/ is now treated as /test/ instead of /test when matching)
• Remove overloaded keys argument that accepted options
• Remove keys list attached to the RegExp output
• Remove asterisk functionality (it's a real pain to properly encode)
• Change tokensToFunction (e.g. compile) to accept an encode function for pretty encoding (e.g. pass your own implementation)

v1.9.0: Fix backtracking in 1.x

Compare Source

Fixed

• Add backtrack protection to 1.x release (#​320) 925ac8e
• Fix re.exec(&#​39;/test/route&#​39;) result (#​267) 32a14b0

v1.8.0: Backport token to function options

Compare Source

Added

• Backport TokensToFunctionOptions

v1.7.0

Compare Source

• Allow a delimiter option to be passed in with tokensToRegExp which will be used for "non-ending" token match situations

v1.6.0

Compare Source

• Populate RegExp.keys when using the tokensToRegExp method (making it consistent with the main export)
• Allow a delimiter option to be passed in with parse
• Updated TypeScript definition with Keys and Options updated

v1.5.3

Compare Source

• Add \\ to the ignore character group to avoid backtracking on mismatched parens

v1.5.2

Compare Source

• Escape \\ in string segments of regexp

v1.5.1

Compare Source

• Add index.d.ts to NPM package

v1.5.0

Compare Source

• Handle partial token segments (better)
• Allow compile to handle asterisk token segments

v1.4.0

Compare Source

• Handle RegExp unions in path matching groups

v1.3.0

Compare Source

• Clarify README language and named parameter token support
• Support advanced Closure Compiler with type annotations
• Add pretty paths options to compiled function output
• Add TypeScript definition to project
• Improved prefix handling with non-complete segment parameters (E.g. /:foo?-bar)

v1.2.1

Compare Source

• Encode values before validation with path compilation function
• More examples of using compilation in README

v1.2.0

Compare Source

• Add support for matching an asterisk (*) as an unnamed match everything group ((.*))

v1.1.1

Compare Source

• Expose methods for working with path tokens

v1.1.0

Compare Source

• Expose the parser implementation to consumers
• Implement a compiler function to generate valid strings
• Huge refactor of tests to be more DRY and cover new parse and compile functions
• Use chai in tests
• Add .editorconfig

v1.0.3

Compare Source

• Optimised function runtime
• Added files to package.json

v1.0.2

Compare Source

• Use Array.isArray shim
• Remove ES5 incompatible code
• Fixed repository path
• Added new readme badges

v1.0.1

Compare Source

• Ensure installation works correctly on 0.8

v1.0.0

Compare Source

• No more API changes

v0.2.5

Compare Source

• Allow keys parameter to be omitted

v0.2.4

Compare Source

• Code coverage badge
• Updated readme
• Attach keys to the generated regexp

v0.2.3

Compare Source

• Add MIT license

v0.2.2

Compare Source

• A passed in trailing slash in non-strict mode will become optional
• In non-end mode, the optional trailing slash will only match at the end

v0.2.1

Compare Source

• Fixed a major capturing group regexp regression

v0.2.0

Compare Source

• Improved support for arrays
• Improved support for regexps
• Better support for non-ending strict mode matches with a trailing slash
• Travis CI support
• Block using regexp special characters in the path
• Removed support for the asterisk to match all
• New support for parameter suffixes - *, + and ?
• Updated readme
• Provide delimiter information with keys array

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.