Skip to content

fix(deps): patch path-to-regexp and undici vulnerabilities#2857

Merged
John Kennedy (jkennedyvz) merged 1 commit into
mainfrom
fix/patch-path-to-regexp-undici-vulns
Feb 28, 2026
Merged

fix(deps): patch path-to-regexp and undici vulnerabilities#2857
John Kennedy (jkennedyvz) merged 1 commit into
mainfrom
fix/patch-path-to-regexp-undici-vulns

Conversation

@jkennedyvz

Copy link
Copy Markdown
Contributor

Summary

  • Add pnpm overrides to resolve the remaining 4 open Dependabot security alerts in reference/pnpm-lock.yaml
  • path-to-regexp >=4.0.0 <6.3.06.3.0 — fixes high-severity ReDoS via backtracking regular expressions (#1)
  • undici >=4.5.0 <5.29.05.29.0 — fixes 3 alerts: insufficiently random values (#2), unbounded decompression chain (#9), and bad certificate DoS (#4)

Test plan

  • Verified vulnerable versions (path-to-regexp@6.1.0, undici@5.28.4) are no longer in lockfile
  • Verified patched versions (path-to-regexp@6.3.0, undici@5.29.0) are present
  • pnpm install succeeds without errors

🤖 Generated with Claude Code

Add pnpm overrides to resolve remaining Dependabot alerts:
- path-to-regexp >=4.0.0 <6.3.0 → 6.3.0 (ReDoS via backtracking regexes)
- undici >=4.5.0 <5.29.0 → 5.29.0 (insufficiently random values, unbounded decompression, bad certificate DoS)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

Mintlify preview ID generated: preview-fixpat-1772320755-1d9b022

@jkennedyvz
John Kennedy (jkennedyvz) merged commit 13ecdb9 into main Feb 28, 2026
16 checks passed
@jkennedyvz
John Kennedy (jkennedyvz) deleted the fix/patch-path-to-regexp-undici-vulns branch February 28, 2026 23:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant