Apply backtracking protection to version 1.8.0 due to "react-router-dom@5.3.4"

[dotnet-fizzyy]

Hi all!

Currently Git security bot raised an alert that path-to-regexp dependency with version ^1.7.0 is vulnerable in react-router-dom@5.3.4 (latest released react-router-dom) library.

Not really sure that react-router-dom with 5 version will be patched since team is completely focused on a new 6 version. Resolution with 8.0.0 in package.json does not help and breaks application on start with internal module error.

Would be perfect if this vulnerability will be fixed in terms of 1.x.x package version since there is no chance to migrate to latest react-router-dom release on current moment in project I am working on.

Appreciate your attention!
Thanks!

[jackcurtis-te]

I was just getting this too but I set my resolution to be version 0.1.10 and it seems fine now.

[blakeembrey]

It's extremely unlikely you are affected, see GHSA-9wv6-86v2-598j for the attack vector. It's also a non-issue as an attack vector in a browser, you'd just be DoSing your own browser.

Unfortunately I've spent months on this already and I don't have the income to support myself continuing to work on every release. If you would like to sponsor work on old versions that might be a possibility.

[blakeembrey]

There is a 1.x branch in case you want to try porting the patch and opening a PR. The patch is roughly this: 29b96b4. Unfortunately it is also a breaking change, it's not possible to apply the fix without breaking something small.

[stbenjam]

react-router-dom v5 hasn't seen any updates in 2 years. While they claim there's no end-of-life, it seems likely it'll continue to rot. We're going to just move to v6, but since it's a lot of effort my app seems to work OK forcing the override in package.json for now.

  "overrides": {
    "path-to-regexp": "^0.1.10"
  },

Edit: this didn't work btw, one of our pages broke. We may just ignore this CVE, but npm audit doesn't have any such feature out of the box, I'll have to migrate to some third party tool.

[blakeembrey]

I have ported a fix into the 1.9.0 release and released it, it may break in extremely minor ways (e.g. /:a-:b with input /1-2-3 now matches 1-2 and 3, before 1 and 2-3) but neither is likely to occur in normal usage of the library.

[stbenjam]

Thank you so much @blakeembrey ❤️

[fengmk2]

@blakeembrey Thanks a lot!

[dotnet-fizzyy]

@blakeembrey Appreciate your contribution and support, works perfectly, thanks a lot! 🥇