[Security] Bump path-to-regexp and @vaadin/router

Bumps path-to-regexp to 8.1.0 and updates ancestor dependency @vaadin/router. These dependencies need to be updated together.

Updates path-to-regexp from 2.4.0 to 8.1.0 This update includes a security fix.

Vulnerabilities fixed

path-to-regexp outputs backtracking regular expressions

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

• 0.1.10
• 1.9.0
• 3.3.0
• 6.3.0

They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

... (truncated)

Patched versions: 6.3.0; 8.0.0; 3.3.0; 1.9.0; 0.1.10 Affected versions: >= 4.0.0, = 0.2.0, < 1.9.0; < 0.1.10

Release notes

Sourced from path-to-regexp's releases.

v8.1.0

Added

• Adds pathToRegexp method back for generating a regex
• Adds stringify method for converting TokenData into a path string

https://github.com/pillarjs/path-to-regexp/compare/v8.0.0...v8.1.0

Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

• Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

• Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
• Parameter names follow JS identifier rules and allow unicode characters

Added

• Parameter names can now be quoted, e.g. :"foo-bar"
• Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

• Removes loose mode
• Removes regular expression overrides of parameters

https://github.com/pillarjs/path-to-regexp/compare/v7.1.0...v8.0.0

Support array inputs (again)

Added

• Support array inputs for match and pathToRegexp 3fdd88f

https://github.com/pillarjs/path-to-regexp/compare/v7.1.0...v7.2.0

Strict mode

Added

• Adds a strict option to detect potential ReDOS issues

Fixed

• Fixes separator to default to suffix + prefix when not specified
• Allows separator to be undefined in TokenData

... (truncated)

Changelog

Sourced from path-to-regexp's changelog.

Moved to GitHub Releases

3.0.0 / 2019-01-13

• Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
• Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

Commits

• c302644 8.1.0
• 7b4598c Document stringify method
• d6150f5 Add pathToRegexp method back
• a43e545 Move delimiter option to each method
• c909d1f Stringify names with unsafe text chars after
• e537daa Add a stringify API
• ed1095e 8.0.0
• 60f2121 Rewrite and simplify API
• 74f97b5 Create SECURITY.md
• fb4d11d Remove matches from tests
• Additional commits viewable in compare view

Updates @vaadin/router from 1.7.5 to 2.0.0-rc2

Commits

• See full diff in compare view

---

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts