chore: fix path-to-regexp vulnerabilities#475
Merged
Pull request overview
Updates pnpm dependency overrides to remediate reported path-to-regexp CVEs while keeping MSW’s path-to-regexp@6.x in place (per PR description).
Changes:
- Add `pnpm.overrides` parent-selector rules to force patched `path-to-regexp` versions for `express`, `@koa/router`, and `router`.
- Regenerate `pnpm-lock.yaml` to reflect `path-to-regexp` upgrades (0.1.13, 8.4.0) in the resolved dependency graph.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Adds pnpm override rules targeting transitive path-to-regexp dependencies to address vulnerabilities. |
| pnpm-lock.yaml | Updates lockfile overrides and resolved versions for path-to-regexp to match the new override constraints. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Pin path-to-regexp to fixed versions to address:
- GHSA-j3q9-mxjg-w52f / GHSA-27v5-c462-wpq7 (High/Medium) via @koa/router and router → path-to-regexp 8.3.0 → 8.4.0
- GHSA-37ch-88jc-xwx2 (High) via express@4 → path-to-regexp 0.1.12 → 0.1.13
Use parent-selector overrides to avoid bumping MSW's path-to-regexp@6.x, which would break test mocking.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevent Renovate from bumping pnpm-lock.yaml directly; only package.json version ranges should be updated. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use rangeStrategy: bump so Renovate updates version ranges in package.json only, without dedicated lock file maintenance PRs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Large PR Detected
This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.
How to unblock this PR:
Add a section to your PR description with the following format:
## Large PR Justification
[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation
Alternative:
Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.
See our Contributing Guidelines for more details on the pull request process.
This review will be automatically dismissed once you add the justification section.
Replace parent-selector overrides with version-range selectors, matching the pattern used in toolhive-studio. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
samuv approved these changes on Mar 30, 2026.
Summary
Fix 3 Grype vulnerability findings via `pnpm overrides` with parent-selector targeting:
- `path-to-regexp` (via `@koa/router`)
- `path-to-regexp` (via `@koa/router`)
- `path-to-regexp` (via `express@4`)
Parent-selector overrides (`@koa/router>path-to-regexp`, `router>path-to-regexp`, `express>path-to-regexp`) are used intentionally to avoid bumping MSW's internal `path-to-regexp@6.x`, which would break test mocking.
Test plan
- `grype .` reports "No vulnerabilities found"
- `pnpm test`: 194/194 tests pass
🤖 Generated with Claude Code
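Added example (not the PR's own package.json): the two ways of scoping a pnpm override so that only the vulnerable consumers of path-to-regexp get the patched release. The parent-selector form is the one the PR description spells out; the version-range form is the pattern the final commit switched to, and the exact ranges are an assumption here because the page does not show them. In both forms MSW's path-to-regexp@6.x is left alone, because no selector names MSW as a parent and 6.x falls in neither `<1` nor `>=8 <9`.

```json
{
  "pnpm": {
    "overrides": {
      "express>path-to-regexp": "0.1.13",
      "@koa/router>path-to-regexp": "8.4.0",
      "router>path-to-regexp": "8.4.0"
    }
  },
  "x-note-version-range-form-assumed": {
    "pnpm": {
      "overrides": {
        "path-to-regexp@<1": "0.1.13",
        "path-to-regexp@>=8 <9": "8.4.0"
      }
    }
  }
}
```

Only one `pnpm.overrides` block belongs in a real package.json; the second object is shown under a throwaway key purely to place the version-range variant beside the parent-selector variant. After either change, re-resolving the lockfile and re-running `grype .` confirms that the remaining path-to-regexp entries are 0.1.13, 6.x (MSW) and 8.4.0.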