
Commit af5a52a

JanPokorny and claude authored
fix: patch CVE-2024-45296 path-to-regexp ReDoS via pnpm override (#2308)
Add a pnpm workspace override to force path-to-regexp@<0.1.10 to 0.1.10, the patched version that adds backtrack protection. The vulnerable 0.1.7 was pulled in transitively via mintlify -> @mintlify/previewing -> express@4. The 8.3.0 version used by express@5 is unaffected.

Fixes GHSA-9wv6-86v2-598j (Dependabot alert #61)

https://claude.ai/code/session_01ESE89rwkpWRsW8VfhrrEVu

Signed-off-by: Jan Pokorný <JenomPokorny@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
1 parent 37e3166 commit af5a52a

File tree

2 files changed: +18 -7 lines changed

pnpm-lock.yaml

Lines changed: 13 additions & 7 deletions

pnpm-workspace.yaml

Lines changed: 5 additions & 0 deletions
@@ -1,3 +1,8 @@
1+
overrides:
2+
# Fix CVE-2024-45296 / GHSA-9wv6-86v2-598j: path-to-regexp ReDoS vulnerability
3+
# Transitive via mintlify -> @mintlify/previewing -> express@4.18.2
4+
"path-to-regexp@<0.1.10": "0.1.10"
5+
16
packages:
27
- apps/agentstack-ui
38
- apps/beeai-web
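Review bot: the selector in `"path-to-regexp@<0.1.10": "0.1.10"` only rewrites the 0.1.x line that express@4.18.2 pulls in, so a second transitive copy resolved in a different version range would not be touched by this override, and the comment block does not say when the override can be retired. Since overrides in pnpm-workspace.yaml apply to the whole workspace and silently outlive the dependency that motivated them, add a line to the comment noting that it should be removed once mintlify / @mintlify/previewing no longer depends on express@4, and confirm from the pnpm-lock.yaml change in this commit (13 additions, 7 deletions, not rendered here) that 0.1.7 is gone and nothing else re-resolved; `pnpm why path-to-regexp` after install is the quickest way to record that in the PR.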
