
Update path-to-regexp Dependency to Resolve Security Vulnerability

Open

Description

Environment

  • Operating System: Windows_NT
  • Node Version: v22.3.0
  • Nuxt Version: 3.13.1
  • CLI Version: 3.13.1
  • Nitro Version: 2.9.7
  • Package Manager: [email protected]
  • Builder: -
  • User Config: compatibilityDate, devtools, vite, modules
  • Runtime Modules: @nuxtjs/[email protected], @nuxt/[email protected]
  • Build Modules: -

Reproduction

Steps to Reproduce:

  1. Install @nuxtjs/tailwindcss in a Nuxt project.
  2. Run npm audit.
  3. Observe the vulnerability warning related to path-to-regexp.

Describe the bug

I’m encountering a security vulnerability related to the path-to-regexp package. I have identified that the version of path-to-regexp used in the @nuxtjs/tailwindcss package is affected by a high-severity security issue. Here are the details:

Affected Package: path-to-regexp
Vulnerable Versions: < 0.1.10; >= 0.2.0, < 1.9.0; >= 2.0.0, < 3.3.0; >= 4.0.0, < 8.0.0
Patched Version: 8.0.0

Additional context

The @nuxtjs/tailwindcss package includes a dependency on tailwind-config-viewer, which in turn relies on @koa/router. The @koa/router package depends on an outdated version of path-to-regexp, which has a known vulnerability.

When running npm audit, the following warning is shown:

path-to-regexp  4.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j

Additional Info

I’ve tried using the overrides field in my package.json to force the update to 8.0.0:

  "overrides": {
    "@koa/router": {
      "path-to-regexp": "8.0.0"
    },
    "@nuxtjs/tailwindcss": {
      "tailwind-config-viewer": "*"
    }
  }

but this led to runtime errors, as shown:

  ERROR [unhandledRejection] pathToRegexp is not a function

Logs

No response
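A lockfile check for the situation described in this issue, added here as an example (it is not code from the issue, from Nuxt or from @nuxtjs/tailwindcss): it walks the `packages` map of an npm `package-lock.json` and flags every nested `path-to-regexp` install whose version falls inside the vulnerable ranges quoted above, so a team can confirm whether an override or an upstream bump actually removed the affected copy. The lockfile contents and version numbers are constructed sample values; `compareVersions` handles release versions only, which is sufficient for these ranges.

```javascript
// Added example, not from the issue or the Nuxt project. Vulnerable ranges for
// path-to-regexp as listed in GHSA-9wv6-86v2-598j: [lower bound inclusive or
// null, upper bound exclusive].
const VULNERABLE_RANGES = [
  [null, '0.1.10'],
  ['0.2.0', '1.9.0'],
  ['2.0.0', '3.3.0'],
  ['4.0.0', '8.0.0'],
];

// Numeric comparison of dotted release versions (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the version sits inside any advisory range.
function isVulnerable(version) {
  return VULNERABLE_RANGES.some(([lo, hi]) =>
    (lo === null || compareVersions(version, lo) >= 0) &&
    compareVersions(version, hi) < 0);
}

// Scan the "packages" map of an npm lockfile (v2/v3 layout) and report each
// path-to-regexp install path with its version and verdict. Nested paths show
// which dependency chain pulled in the affected copy.
function findPathToRegexp(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([path]) => path.endsWith('node_modules/path-to-regexp'))
    .map(([path, meta]) => ({
      path, version: meta.version, vulnerable: isVulnerable(meta.version),
    }));
}

// Constructed sample lockfile (versions are illustrative): a patched top-level
// copy plus an older copy nested under @koa/router, as the issue describes.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/path-to-regexp': { version: '8.0.0' },
    'node_modules/@koa/router': { version: '12.0.1' },
    'node_modules/@koa/router/node_modules/path-to-regexp': { version: '6.2.1' },
  },
};

for (const hit of findPathToRegexp(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version}: ${hit.vulnerable ? 'VULNERABLE' : 'ok'}`);
}
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to run it against a real project; a nested hit that survives after adding an override is the sign that the override did not take effect.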

