[Security] Bump path-to-regexp from 1.8.0 to 1.9.0

Bumps path-to-regexp from 1.8.0 to 1.9.0. This update includes a security fix.

Vulnerabilities fixed

path-to-regexp outputs backtracking regular expressions

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

• 0.1.10
• 1.9.0
• 3.3.0

They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for this library and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

... (truncated)

Patched versions: 3.3.0; 8.0.0; 1.9.0; 0.1.10 Affected versions: >= 2.0.0, = 0.2.0, < 1.9.0; < 0.1.10

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking in 1.x

Fixed

• Add backtrack protection to 1.x release (#320) 925ac8e
• Fix re.exec(&[#39](https://github.com/pillarjs/path-to-regexp/issues/39);/test/route&[#39](https://github.com/pillarjs/path-to-regexp/issues/39);) result (#267) 32a14b0

https://github.com/pillarjs/path-to-regexp/compare/v1.8.0...v1.9.0

Commits

• c75eb10 1.9.0
• 925ac8e Add backtrack protection to 1.x release (#320)
• 32a14b0 Fix re.exec('/test/route') result (#267)
• See full diff in compare view

---

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

added dependencies javascript security labels

added severity:high label