Bug
Resolution: Done
Major
Sippy lint is failing on a CVE in path-to-regexp (see below). It doesn't appear there's a compatible upgrade path without updating react-router to v6. It's unclear if react-router v5 will backport any fix to allow using the new path-to-regexp; its branch hasn't been updated in a year.
The process to upgrade is rather involved:
https://reactrouter.com/en/main/upgrading/v5#upgrade-to-react-router-v51
General steps are:
- Run `npm install react-router-dom@latest` to upgrade react-router
- Fix the Sippy code as per the above steps
- `npm audit fix --production` will show the vulnerabilities are fixed
```
npm warn config production Use `--omit=dev` instead.
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install react-router-dom@6.26.2, which is a breaking change
node_modules/react-router/node_modules/path-to-regexp
  react-router  4.0.0-0 - 5.3.4
  Depends on vulnerable versions of path-to-regexp
  node_modules/react-router
    react-router-dom  4.0.0-beta.1 - 5.3.4
    Depends on vulnerable versions of react-router
    node_modules/react-router-dom

3 high severity vulnerabilities
```
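As an added illustration (not code from the Sippy project or this ticket), a small Node script that triages an `npm audit --json` report the way a lint gate would: it follows each vulnerable package's `via` chain back to the root advisory, reports which direct dependencies are affected, and flags when the only available fix is a semver-major (breaking) upgrade, which is exactly the situation the report above describes. The JSON is a constructed sample mirroring that report; its field names follow the npm v7+ audit format (an assumption about the format, not real output).

```javascript
// Added example: triage an `npm audit --json` report (npm >= 7 format).
// `sampleAudit` is constructed to mirror the path-to-regexp -> react-router
// -> react-router-dom chain from the ticket; it is not captured output.
const fixV6 = { name: "react-router-dom", version: "6.26.2", isSemVerMajor: true };
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "path-to-regexp": {
      name: "path-to-regexp", severity: "high", isDirect: false,
      via: [{ source: 1, name: "path-to-regexp", dependency: "path-to-regexp",
              title: "path-to-regexp outputs backtracking regular expressions",
              url: "https://github.com/advisories/GHSA-9wv6-86v2-598j",
              severity: "high", range: "0.2.0 - 7.2.0" }],
      effects: ["react-router"], range: "0.2.0 - 7.2.0",
      nodes: ["node_modules/react-router/node_modules/path-to-regexp"], fixAvailable: fixV6,
    },
    "react-router": {
      name: "react-router", severity: "high", isDirect: false,
      via: ["path-to-regexp"], effects: ["react-router-dom"],
      range: "4.0.0-0 - 5.3.4", nodes: ["node_modules/react-router"], fixAvailable: fixV6,
    },
    "react-router-dom": {
      name: "react-router-dom", severity: "high", isDirect: true,
      via: ["react-router"], effects: [],
      range: "4.0.0-beta.1 - 5.3.4", nodes: ["node_modules/react-router-dom"], fixAvailable: fixV6,
    },
  },
};

// Follow `via` entries (package names) until the root advisory objects are reached.
function rootAdvisories(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  return vulns[name].via.flatMap((v) =>
    typeof v === "string" ? rootAdvisories(vulns, v, seen) : [v]);
}

// Summarise the report against a severity threshold (default: fail on high/critical).
function triage(audit, failOn = ["high", "critical"]) {
  const vulns = audit.vulnerabilities;
  const blocking = Object.values(vulns).filter((v) => failOn.includes(v.severity));
  return {
    ok: blocking.length === 0,
    count: blocking.length,
    direct: blocking.filter((v) => v.isDirect).map((v) => v.name),
    breakingFix: blocking.some((v) => v.fixAvailable && v.fixAvailable.isSemVerMajor),
    advisories: [...new Set(blocking.flatMap((v) => rootAdvisories(vulns, v.name).map((a) => a.url)))],
  };
}

console.log(JSON.stringify(triage(sampleAudit), null, 2));
```

On a real project, feed it `npm audit --omit=dev --json` and fail the lint job when `ok` is false; `breakingFix` tells the triager up front that `npm audit fix` alone will not clear it.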