fix(deps): update dependency path-to-regexp to v0.1.12 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
path-to-regexp	0.1.10 -> 0.1.12

Reviewer is responsible for dependency update. Ensure adequate automated or manual testing is performed before merge.

GitHub Vulnerability Alerts

CVE-2024-52798

Impact

The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp, originally reported in CVE-2024-45296

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.

References

• GHSA-9wv6-86v2-598j
• https://blakeembrey.com/posts/2024-09-web-redos/

---

Release Notes

pillarjs/path-to-regexp (path-to-regexp)

v0.1.12: Fix backtracking (again)

Compare Source

Fixed

• Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

v0.1.11: Error on bad input

Compare Source

Changed

• Add error on bad input values 8f09549

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.