Explicitly add a versioned dependency for path-to-regexp #2954

Sanjay-Ganeshan · 2024-09-16T15:26:18Z

We depend on path-to-regexp, through the webserver framework Express, which I think is coming from webpack or docusaurus.

Versions of path-to-regexp 0.2.0 < version < 1.9.0 have a security vulnerability.
By explicitly specifying the version of path-to-regexp, yarn chooses the right versions for everything else.

Motivation

Address a security vulnerability

Have you read the Contributing Guidelines on pull requests?

Yes

Test Plan

Download nvm / node as needed (tested on node JS 20, Mac OS)

nvm use 20
npm install -g yarn

Then, install the website:

cd website
yarn

Last but not least, start the website on a local server, and browse it:

yarn start

It should work normally.

Related Issues and PRs

None

…rough Express. The version specified addresses security vulnerabilities.

Explicitly add a dependency for path-to-regexp, which we depend on th…

d520d3e

…rough Express. The version specified addresses security vulnerabilities.

facebook-github-bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Sep 16, 2024

jesszzzz approved these changes Sep 16, 2024

View reviewed changes

jesszzzz merged commit ce692bd into main Sep 16, 2024
61 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Explicitly add a versioned dependency for path-to-regexp #2954

Explicitly add a versioned dependency for path-to-regexp #2954

Sanjay-Ganeshan commented Sep 16, 2024

Explicitly add a versioned dependency for path-to-regexp #2954

Explicitly add a versioned dependency for path-to-regexp #2954

Conversation

Sanjay-Ganeshan commented Sep 16, 2024

Motivation

Have you read the Contributing Guidelines on pull requests?

Test Plan

Related Issues and PRs