Describe the bug
sinon 18.0.0 seems to depend on nise ^6.0.0, which in turn uses path-to-regexp 6.2.2, which has a security issue.
Trying to fix this with npm audit fix --force installs sinon@2.4.1, which in turn uses a version of path-to-regexp with the same vulnerability. Running audit fix again tries to fix it by installing sinon 18.0.0, so you are back where you started.
To Reproduce
Steps to reproduce the behavior:
1. Use a package.json with a dependency on sinon 18.0.0.
2. Run npm install.
3. npm audit should output something like:
path-to-regexp 0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install sinon@2.4.1, which is a breaking change
node_modules/nise/node_modules/path-to-regexp
nise *
Depends on vulnerable versions of path-to-regexp
node_modules/nise
sinon >=3.0.0
Depends on vulnerable versions of nise
node_modules/sinon
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Context (please complete the following information):
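A check a defender can run against the reported dependency chain, added here as an example and not code from sinon, nise, npm or the reporter: it walks a node_modules tree, reports every installed copy of path-to-regexp (nested copies such as node_modules/nise/node_modules/path-to-regexp included), and flags those inside the range the audit output above names, 0.2.0 through 7.2.0. The sample tree it builds is constructed to mirror the paths in the audit output; the nise version 6.0.0 and the hoisted path-to-regexp 8.0.0 in it are assumptions, chosen only because 8.0.0 lies outside the reported range.

```python
"""Find installed copies of path-to-regexp in the range reported by npm audit.

Added example, not project code. Assumes plain x.y.z package versions and the
standard node_modules nesting that npm produces.
"""
import json
import os
import tempfile
from pathlib import Path

PACKAGE = "path-to-regexp"
# Vulnerable range exactly as npm audit reported it above: 0.2.0 - 7.2.0 (inclusive).
VULN_LOW = (0, 2, 0)
VULN_HIGH = (7, 2, 0)


def parse_version(version: str) -> tuple:
    """Turn 'v6.2.2', '6.2.2-beta.1' or '8.0.0+build' into (6, 2, 2), (8, 0, 0), ...
    Pre-release and build suffixes are dropped; a missing minor/patch becomes 0."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the advisory range from the audit output."""
    return VULN_LOW <= parse_version(version) <= VULN_HIGH


def find_copies(root) -> list:
    """Return (dependency chain, version) for every installed copy of PACKAGE
    under root/node_modules, nested copies included, sorted for stable output."""
    root = Path(root)
    copies = []
    for dirpath, _dirnames, filenames in os.walk(root / "node_modules"):
        d = Path(dirpath)
        # A package directory is one named after the package that sits directly
        # inside some node_modules directory and carries a package.json.
        if d.name == PACKAGE and d.parent.name == "node_modules" and "package.json" in filenames:
            with open(d / "package.json", encoding="utf-8") as f:
                version = json.load(f).get("version", "0.0.0")
            # Every path segment that is not 'node_modules' is a package in the
            # chain that pulled this copy in, e.g. ['nise', 'path-to-regexp'].
            chain = [p for p in d.relative_to(root).parts if p != "node_modules"]
            copies.append((" > ".join(chain), version))
    return sorted(copies)


def vulnerable_copies(root) -> list:
    """Only the copies whose version is inside the reported range."""
    return [(chain, v) for chain, v in find_copies(root) if is_vulnerable(v)]


def build_sample_tree(root) -> Path:
    """Constructed node_modules layout mirroring the paths in the audit output:
    sinon and nise at top level, path-to-regexp@6.2.2 nested under nise, plus a
    hoisted path-to-regexp@8.0.0 (assumed; it only has to sit outside the range)."""
    root = Path(root)
    layout = {
        "node_modules/sinon/package.json": {"name": "sinon", "version": "18.0.0"},
        "node_modules/nise/package.json": {"name": "nise", "version": "6.0.0"},
        "node_modules/nise/node_modules/path-to-regexp/package.json": {"name": PACKAGE, "version": "6.2.2"},
        "node_modules/path-to-regexp/package.json": {"name": PACKAGE, "version": "8.0.0"},
    }
    for rel, meta in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(meta), encoding="utf-8")
    return root


def demo() -> list:
    """Build the constructed tree in a temp dir and return the vulnerable copies found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return vulnerable_copies(tmp)


if __name__ == "__main__":
    # Point find_copies / vulnerable_copies at a real project root to scan it instead.
    for chain, version in demo():
        print(f"{chain}@{version} is inside the reported range 0.2.0 - 7.2.0")
```

Run against a real project directory, the chain column tells you which dependency owns the nested copy, which is the information the npm audit fix --force loop above hides: the top-level path-to-regexp can be fine while the copy under nise is still in range, so the check has to look at every nested node_modules, not only the hoisted one.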