Vulnerable dependency version that is 12 years old: path-to-regexp

[Davo00]

Environment information

Version:
4.22.1

Platform:
all platforms

Node.js version:

22.x (irrelevant)

Any other relevant information:
https://security.snyk.io/package/npm/path-to-regexp
https://www.npmjs.com/package/path-to-regexp?activeTab=versions

What steps will reproduce the bug?

running npm audit

[krzysdz]

I'm not sure what you mean. Express 4 uses path-to-regexp versions 0.1.x and Express 4.22.1 specifies path-to-regexp version as ~0.1.12 (#7135), which should install 0.1.13 that was released 5 days ago.

The Snyk page shows that 0.1.13 is not known to be affected by any vulnerabilities. The description on that page says Published: 13 years ago, but also Last updated: 10 hours ago.

If you have an older version installed, please run npm update path-to-regexp or npm audit fix. Fresh installs (without node_modules) should also install path-to-regexp@0.1.13 on npm install. The official blog post also suggests running npm update path-to-regexp.

[bjohansebas]

Another day, another scanner reports.

It looks like they’ve already fixed it on the Snyk side, if you update your package-lock, you’ll get the update

[Davo00]

Thanks @krzysdz, did not realize thath the 0.x version of path-to-regexp still receives updates.