Move to a semver range for path-to-regexp dependency to address future Dependabot alerts

[hashtagchris]

path-to-regexp has been patched in the past, and may be patched again the future. Could Gatsby switch to a semver range so Dependabot security alerts can be resolved immediately following a path-to-regexp release, without waiting for a new Gatsby release?

Was the semver range caret left off because a <1.0.0 version is used? If so, could ^1.9.0 or ^8.2.0 be used instead?

gatsby/packages/gatsby/package.json

Line 139 in aa403a4

"path-to-regexp": "0.1.12",

Or was the caret left off because express 4.x doesn't use a caret (ref), and gatsby has a dependency on express? Based on tags, [email protected] is reserved for express v4 compatibility.

Related

• High severity Dependabot alert in the Gatsby dependency 'path-to-regexp' #39088
• GHSA-9wv6-86v2-598j
• GHSA-rhx6-c78j-4q9w
• chore(deps): bump path-to-regexp from 0.1.10 to 0.1.12 in /packages/gatsby #39179 (no Gatsby release with this change yet)