Description
opened on Sep 12, 2024
Environment
- Operating System: Windows_NT
- Node Version: v22.3.0
- Nuxt Version: 3.13.1
- CLI Version: 3.13.1
- Nitro Version: 2.9.7
- Package Manager: [email protected]
- Builder: -
- User Config: compatibilityDate, devtools, vite, modules
- Runtime Modules: @nuxtjs/[email protected], @nuxt/[email protected]
- Build Modules: -
Reproduction
Steps to Reproduce:
- Install @nuxtjs/tailwindcss in a Nuxt project.
- Run npm audit.
- Observe the vulnerability warning related to path-to-regexp
Describe the bug
I’m encountering a security vulnerability related to the path-to-regexp package. I have identified that the version of path-to-regexp used in the @nuxtjs/tailwindcss package is affected by a high-severity security issue. Here are the details:
Affected Package: path-to-regexp
Vulnerable Versions: < 0.1.10, >= 0.2.0, < 1.9.0, >= 4.0.0, < 8.0.0, >= 2.0.0, < 3.3.0
Patched Version: 8.0.0
Additional context
The @nuxtjs/tailwindcss package includes a dependency on tailwind-config-viewer, which in turn relies on @koa/router. The @koa/router package depends on an outdated version of path-to-regexp, which has a known vulnerability.
When running npm audit, the following warning is shown:
```
path-to-regexp 4.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
```
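As an added example (not code from the issue, from @nuxtjs/tailwindcss or from npm), the script below walks a package-lock.json "packages" map (lockfileVersion 2/3 layout), reports every installed copy of path-to-regexp together with the dependency chain that pulls it in, and flags copies whose version falls inside the affected ranges quoted in this issue. The sample lockfile, its package versions and the `some-router-lib` package are constructed for the illustration; only the range boundaries come from the issue text. It goes a step beyond `npm audit` by resolving nested `node_modules` copies the way npm does, so a vulnerable copy shadowed under one consumer is still attributed to the right chain.

```javascript
// Added example: locate every installed copy of a package in an npm lockfile
// (lockfileVersion 2/3 "packages" map), show the dependency chain that pulls it
// in, and flag versions inside the affected ranges quoted in the issue.
// The lockfile below is CONSTRUCTED for illustration; package versions and
// "some-router-lib" are invented and not taken from the issue.
const SAMPLE_LOCK = {
  name: 'my-nuxt-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@nuxtjs/tailwindcss': '^6.0.0', 'some-router-lib': '^1.0.0' } },
    'node_modules/@nuxtjs/tailwindcss': {
      version: '6.0.0', dependencies: { 'tailwind-config-viewer': '^2.0.0' },
    },
    'node_modules/tailwind-config-viewer': {
      version: '2.0.0', dependencies: { '@koa/router': '^12.0.0' },
    },
    'node_modules/@koa/router': {
      version: '12.0.0', dependencies: { 'path-to-regexp': '^6.0.0' },
    },
    // nested copy: @koa/router's own path-to-regexp, shadowing the hoisted 8.x
    'node_modules/@koa/router/node_modules/path-to-regexp': { version: '6.2.2' },
    'node_modules/some-router-lib': {
      version: '1.0.0', dependencies: { 'path-to-regexp': '^8.0.0' },
    },
    'node_modules/path-to-regexp': { version: '8.1.0' },
  },
};

// Affected ranges as listed in the issue: [min inclusive or null, max exclusive].
const AFFECTED_RANGES = [
  [null, '0.1.10'],
  ['0.2.0', '1.9.0'],
  ['2.0.0', '3.3.0'],
  ['4.0.0', '8.0.0'],
];

// Minimal semver compare on major.minor.patch (pre-release tags are ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    (lo === null || compareVersions(version, lo) >= 0) && compareVersions(version, hi) < 0);
}

// npm's nested-node_modules lookup applied to lockfile keys: try
// <from>/node_modules/<name>, then the same under each enclosing package, then the root.
function resolveDependency(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Walk declared dependencies from the root package and collect every resolution of `target`.
function findInstalls(lock, target) {
  const packages = lock.packages;
  const found = [];
  const visited = new Set(['']);
  const stack = [['', [lock.name || '(root)']]];
  while (stack.length) {
    const [key, chain] = stack.pop();
    for (const dep of Object.keys(packages[key].dependencies || {})) {
      const depKey = resolveDependency(packages, key, dep);
      if (depKey === null) continue; // optional/peer dependency that is not installed
      const version = packages[depKey].version;
      const depChain = chain.concat(`${dep}@${version}`);
      if (dep === target) {
        found.push({ key: depKey, version, chain: depChain.join(' > '), affected: isAffected(version) });
      }
      if (!visited.has(depKey)) {
        visited.add(depKey);
        stack.push([depKey, depChain]);
      }
    }
  }
  return found;
}

// Stand-alone run: replace SAMPLE_LOCK with JSON.parse of your own package-lock.json.
for (const hit of findInstalls(SAMPLE_LOCK, 'path-to-regexp')) {
  console.log(`${hit.affected ? 'AFFECTED' : 'ok      '} ${hit.version.padEnd(8)} ${hit.chain}`);
}
```

The chain output is what decides where a fix has to land: a copy that is pinned by a transitive consumer (here @koa/router) needs a release from that consumer, and forcing a new major version onto it through `overrides`, as the report's own attempt shows, can break a consumer written against the older API.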
Additional Info
I’ve tried using the overrides field in my package.json to force the update to 8.0.0:
```json
"overrides": {
  "@koa/router": {
    "path-to-regexp": "8.0.0"
  },
  "@nuxtjs/tailwindcss": {
    "tailwind-config-viewer": "*"
  }
}
```
but this led to runtime errors as shown:
```
ERROR [unhandledRejection] pathToRegexp is not a function
```
Logs
No response