Update path-to-regexp to 8.1.0 (fix CVE-2024-45296) (#226)

* Update path-to-regexp package to 8.1.0 * Use updated API of pathToRegexp * Fix prettier * Use new path-to-regexp wildcard syntax when parsing url * Add a small comment that hints the reader at what the strange syntax is about --------- Co-authored-by: Carl-Erik Kopseng <[email protected]>
sinonjs · Sep 10, 2024 · 764ae1a · 764ae1a
1 parent da6f09c
commit 764ae1a
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 11 deletions.
diff --git a/lib/fake-server/index.js b/lib/fake-server/index.js
@@ -250,8 +250,10 @@ var fakeServer = {
  url = url.replace("://", "\\://");
  }
  if (/\*/.test(url)) {
+ // Uses the new syntax for repeating parameters in path-to-regexp,
+ // see https://github.com/pillarjs/path-to-regexp#unexpected--or-
  // eslint-disable-next-line no-param-reassign
- url = url.replace(/\/\*/g, "/(.*)");
+ url = url.replace(/\/\*/g, "/*path");
  }
 
  if (this.legacyRoutes) {
@@ -261,11 +263,12 @@ var fakeServer = {
  }
  }
  }
-
  push.call(this.responses, {
  method: method,
  url:
- typeof url === "string" && url !== "" ? pathToRegexp(url) : url,
+ typeof url === "string" && url !== ""
+ ? pathToRegexp(url).regexp
+ : url,
  response: typeof body === "function" ? body : responseArray(body),
  });
  },

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -67,7 +67,7 @@
  "@sinonjs/fake-timers": "^11.2.2",
  "@sinonjs/text-encoding": "^0.7.2",
  "just-extend": "^6.2.0",
- "path-to-regexp": "^6.2.1"
+ "path-to-regexp": "^8.1.0"
  },
  "lint-staged": {
  "*.{js,css,md}": "prettier --check",