Update path-to-regexp to 0.1.13 to fix CVE-2026-4867#7135

Open
baryman wants to merge 1 commit into expressjs:4.x from baryman:makkuznetsov/update-path-regexp

Conversation


@baryman baryman commented Mar 30, 2026

Description


To keep projects on version 4.x, you need to update the path-to-regexp package to version 0.1.13 to fix the CVE-2026-4867 vulnerability.

@baryman baryman changed the title Update path-to-regexp to 0.1.13 because CVE-2026-4867 Update path-to-regexp to 0.1.13 to fix CVE-2026-4867 Mar 30, 2026
Contributor

@krzysdz krzysdz left a comment


FYI ~0.1.12 matches all 0.1.x versions >= 0.1.12. Running npm audit fix, npm update in existing project or npm install in a new one, will install the updated version of path-to-regexp, without requiring a new Express version - #6905.
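To make the range semantics in the comment above concrete, here is an added example (not Express's or path-to-regexp's own code) that checks whether a tilde range such as Express 4.x's `~0.1.12` admits the fixed release and whether an installed copy is already at or past it. It handles only the plain `~MAJOR.MINOR.PATCH` form; the `semver` package should be used for full range syntax.

```javascript
// Added example: minimal tilde-range checker for the "~0.1.12" case.
// Only plain "~X.Y.Z" ranges are supported; use the `semver` package
// for real range syntax (||, >=, x-ranges, prerelease tags, ...).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain X.Y.Z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "~X.Y.Z" allows versions >= X.Y.Z and < X.(Y+1).0, i.e. patch-level
// updates only. That is why 0.1.13 is reachable from "~0.1.12" but 0.2.0 is not.
function tildeSatisfies(range, version) {
  if (!range.startsWith('~')) throw new Error(`only ~ ranges supported: ${range}`);
  const base = range.slice(1);
  const [bMaj, bMin] = parseVersion(base);
  const [maj, min] = parseVersion(version);
  return maj === bMaj && min === bMin && compareVersions(version, base) >= 0;
}

// Decide whether a dependent's declared range can pick up the fixed release
// without the dependent publishing a new version (so `npm update` alone is
// enough), and whether the installed version is already at or past the fix.
function assessDependency(range, installed, fixed) {
  return {
    rangeAllowsFix: tildeSatisfies(range, fixed),
    installedIsFixed: compareVersions(installed, fixed) >= 0,
  };
}

// Constructed sample: the "~0.1.12" range from this thread, an install
// still on 0.1.12, and the fixed release 0.1.13.
const sample = assessDependency('~0.1.12', '0.1.12', '0.1.13');
console.log(sample); // { rangeAllowsFix: true, installedIsFixed: false }
```

Compare the installed value against `npm ls path-to-regexp` in your own project; a result of `installedIsFixed: false` with `rangeAllowsFix: true` means `npm update path-to-regexp` is sufficient.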

Author

baryman commented Mar 30, 2026

FYI ~0.1.12 matches all 0.1.x versions >= 0.1.12. Running npm audit fix, npm update in existing project or npm install in a new one, will install the updated version of path-to-regexp, without requiring a new Express version - #6905.

Perfect. Can I close the PR?

@krzysdz krzysdz added 4.x deps dependencies Pull requests that update a dependency file labels Mar 30, 2026
Member

@bjohansebas bjohansebas left a comment


As far as I know, there won’t be a release anytime soon, but you can update your application yourself with npm update path-to-regexp. I merged this so that if a release does happen, applications will get the latest version of that package—but as I said, it won’t be anytime soon.

@bjohansebas
Member

Could you rebase the branch so the CI passes, please?

@krzysdz
Contributor

krzysdz commented Mar 30, 2026

Could you rebase the branch so the CI passes, please?

This test is broken with current 4.x too. It's an unrelated bug with body-parser (expressjs/body-parser#715).
