Update path-to-regexp to 8.1.0 (fix CVE-2024-45296) (#226)

* Update path-to-regexp package to 8.1.0 * Use updated API of pathToRegexp * Fix prettier * Use new path-to-regexp wildcard syntax when parsing url * Add a small comment that hints the reader at what the strange syntax is about --------- Co-authored-by: Carl-Erik Kopseng <carlerik@gmail.com>
sinonjs · Sep 10, 2024 · 764ae1a · 764ae1a
1 parent da6f09c
commit 764ae1a
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 11 deletions.
diff --git a/lib/fake-server/index.js b/lib/fake-server/index.js
@@ -250,8 +250,10 @@ var fakeServer = {
                 url = url.replace("://", "\\://");
             }
             if (/\*/.test(url)) {
+                // Uses the new syntax for repeating parameters in path-to-regexp,
+                // see https://github.com/pillarjs/path-to-regexp#unexpected--or-
                 // eslint-disable-next-line no-param-reassign
-                url = url.replace(/\/\*/g, "/(.*)");
+                url = url.replace(/\/\*/g, "/*path");
             }
 
             if (this.legacyRoutes) {
@@ -261,11 +263,12 @@ var fakeServer = {
                 }
             }
         }
-
         push.call(this.responses, {
             method: method,
             url:
-                typeof url === "string" && url !== "" ? pathToRegexp(url) : url,
+                typeof url === "string" && url !== ""
+                    ? pathToRegexp(url).regexp
+                    : url,
             response: typeof body === "function" ? body : responseArray(body),
         });
     },

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -67,7 +67,7 @@
     "@sinonjs/fake-timers": "^11.2.2",
     "@sinonjs/text-encoding": "^0.7.2",
     "just-extend": "^6.2.0",
-    "path-to-regexp": "^6.2.1"
+    "path-to-regexp": "^8.1.0"
   },
   "lint-staged": {
     "*.{js,css,md}": "prettier --check",