chore(deps): bump path-to-regexp and express in /docs/esm
Type: Pull Request
State: Open
![dependabot[bot]](https://github.com/dependabot.png){kind=small}
dependabot[bot]Association: Unknown
Comments: 5
(about 1 month ago)
(5 days ago)
javascript dependencies
Bumps path-to-regexp and express. These dependencies needed to be updated together.
Updates path-to-regexp from 0.1.7 to 0.1.13
Release notes
Sourced from path-to-regexp's releases.
0.1.13
Important
Full Changelog: https://github.com/pillarjs/path-to-regexp/compare/v0.1.12...v.0.1.13
Fix backtracking (again)
Fixed
- Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j)
https://github.com/pillarjs/path-to-regexp/compare/v0.1.11...v0.1.12
Error on bad input
Changed
- Add error on bad input values 8f09549
https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.11
Backtrack protection
Fixed
- Add backtrack protection to parameters 29b96b4
- This will break some edge cases but should improve performance
https://github.com/pillarjs/path-to-regexp/compare/v0.1.9...v0.1.10
Support non-lookahead regex output
Added
- Allow a non-lookahead regex (#312) c4272e4
https://github.com/component/path-to-regexp/compare/v0.1.8...v0.1.9
Support named matching groups in
RegExpAdded
- Add support for named matching groups (#301) 114f62d
https://github.com/pillarjs/path-to-regexp/compare/v0.1.7...v0.1.8
Commits
Maintainer changes
This version was pushed to npm by ulisesgascon, a new releaser for path-to-regexp since your current version.
Updates express from 4.18.2 to 4.22.1
Release notes
Sourced from express's releases.
v4.22.1
What's Changed
[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.
- Release: 4.22.1 by
@UlisesGasconin expressjs/express#6934Full Changelog: https://github.com/expressjs/express/compare/4.22.0...v4.22.1
4.22.0
Important: Security
- Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
What's Changed
- Refactor: improve readability by
@sazk07in expressjs/express#6190- ci: add support for Node.js@23.0 by
@UlisesGasconin expressjs/express#6080- Method functions with no path should error by
@wesleytoddin expressjs/express#5957- ci: updated github actions ci workflow by
@Phillip9587in expressjs/express#6323- ci: reorder
npm isteps to fix ci for older node versions by@Phillip9587in expressjs/express#6336- Backport: ci: add node.js 24 to test matrix by
@Phillip9587in expressjs/express#6506- chore(4.x): wider range for query test skip by
@jonchurchin expressjs/express#6513- use tilde notation for certain dependencies by
@UlisesGasconin expressjs/express#6905- deps: qs@6.14.0 by
@UlisesGasconin expressjs/express#6909- deps: use tilde notation for
qsby@Phillip9587in expressjs/express#6919- Release: 4.22.0 by
@UlisesGasconin expressjs/express#6921Full Changelog: https://github.com/expressjs/express/compare/4.21.2...4.22.0
4.21.2
What's Changed
- Add funding field (v4) by
@bjohansebasin expressjs/express#6065- deps: path-to-regexp@0.1.11 by
@blakeembreyin expressjs/express#5956- deps: bump path-to-regexp@0.1.12 by
@jonchurchin expressjs/express#6209- Release: 4.21.2 by
@UlisesGasconin expressjs/express#6094Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2
4.21.1
What's Changed
- Backport a fix for CVE-2024-47764 to the 4.x branch by
@joshbukerin expressjs/express#6029- Release: 4.21.1 by
@UlisesGasconin expressjs/express#6031Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1
... (truncated)
Changelog
Sourced from express's changelog.
4.22.1 / 2025-12-01
- Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
4.22.0 / 2025-12-01
- Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
- deps: use tilde notation for dependencies
- deps: qs@6.14.0
4.21.2 / 2024-11-06
- deps: path-to-regexp@0.1.12
- Fix backtracking protection
- deps: path-to-regexp@0.1.11
- Throws an error on invalid path values
4.21.1 / 2024-10-08
- Backported a fix for CVE-2024-47764
4.21.0 / 2024-09-11
- Deprecate
res.location("back")andres.redirect("back")magic string- deps: serve-static@1.16.2
- includes send@0.19.0
- deps: finalhandler@1.3.1
- deps: qs@6.13.0
4.20.0 / 2024-09-10
- deps: serve-static@0.16.0
- Remove link renderization in html while redirecting
- deps: send@0.19.0
- Remove link renderization in html while redirecting
- deps: body-parser@0.6.0
- add
depthoption to customize the depth level in the parser- IMPORTANT: The default
depthlevel for parsing URL-encoded data is now32(previously wasInfinity)- Remove link renderization in html while using
res.redirect- deps: path-to-regexp@0.1.10
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
- deps: encodeurl@~2.0.0
- Removes encoding of
\,|, and^to align better with URL spec- Deprecate passing
options.maxAgeandoptions.expirestores.clearCookie
... (truncated)
Commits
12fae144.22.15ddf311Revert "sec: security patch for CVE-2024-51999"49744ab4.22.0 (#6921)6e97452sec: security patch for CVE-2024-519996a23d34deps: use tilde notation forqs(#6919)8c12cdfdeps: qs@6.14.0 (#6909)7fea74fdeps: use tilde notation for certain dependencies (#6905)dac7a04chore: wider range for query test skip (#6513)997919bci: add node.js 24 to test matrix (#6506)36fb59cfix(ci): reordernpm isteps to fix ci for older node versions (#6336)- Additional commits viewable in compare view
Maintainer changes
This version was pushed to npm by jonchurch, a new releaser for express since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Package Dependencies
path-to-regexp
npm
0.1.7 → 0.1.13
Patch
/docs/esm
Security Advisories
path-to-regexp outputs backtracking regular expressions
cookie accepts cookie name, path, and domain with out of bounds characters
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Technical Details
| ID: | 15690927 |
| UUID: | 4402990086 |
| Node ID: | PR_kwDOG5lbN87ZW3PQ |
| Host: | GitHub |
| Repository: | OpenFunction/functions-framework-nodejs |