chore(deps): update dependency path-to-regexp to v8

[thomhurst]

This PR contains the following updates:

Package	Type	Update	Change
path-to-regexp	resolutions	major	1.9.0 → 8.4.2

---

Release Notes

pillarjs/path-to-regexp (path-to-regexp)

v8.4.2

Compare Source

Fixed

• Error on trailing backslash (#​434) 9a78879

Performance

• Minimize array allocations (#​437) 937c02d
• Improve compile performance (#​436) 57247e6
  • Should improve compilation performance by ~25%
• Remove internal tokenization during parse (#​435) 5844988
  • Should improve parse performance by ~20%

Bundle size to 1.93 kB, from 1.97 kB.

---

v8.4.1

Compare Source

Fixed

• Remove trie deduplication (#​431) 6bc8e84
  • Using a trie required non-greedy matching, which regressed wildcards in non-ending mode by matching them up until the first match. For example:
    • /*foo with /a/b = /a
    • /*foo.htmlwith /a/b.html/c.html = /a/b.html
• Allow backtrack handling to match itself (#​427) 5bcd30b
  • When backtracking was introduced, it rejected matching things like /:"a"_:"b" against /foo__. This makes intuitive sense because the second parameter is not going to backtrack on _ anymore, but it's somewhat unexpected since there's no reason it shouldn't match the second _.

---

v8.4.0

Compare Source

Important

• Fix CVE-2026-4926 (GHSA-j3q9-mxjg-w52f)
• Fix CVE-2026-4923 (GHSA-27v5-c462-wpq7)

Fixed

• Restricts wildcard backtracking when using more than 1 in a path (#​421)

Changed

• Dedupes regex prefixes (#​422)
  • This will result in shorter regular expressions for some cases using optional groups
• Rejects large optional route combinations (#​424)
  • When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes

v8.3.0

Compare Source

Changed

• Add custom error class (#​398) 2a7f2a4
• Allow plain objects for TokenData (#​391) 687a9bb
• Escape text should escape backslash (#​390) a4a8552
• Improved error messages and stack size (#​363) a6bdf40

Other

• Minifying the parser
  • PR (#​401) 9df2448
  • PR (#​395) 4a91505
  • Shaving some bytes d63f44b
  • Remove optional operator 973d15c

v8.2.0

Compare Source

Fixed

• Allowing path-to-regexp to run on older browsers by targeting ES2015
  • Target ES2015 5969033
    • Also saved 0.22kb (10%!) by removing the private class field down level
  • Remove s flag from regexp 51dbd45

v8.1.0

Compare Source

Added

• Adds pathToRegexp method back for generating a regex
• Adds stringify method for converting TokenData into a path string

v8.0.0: Simpler API

Compare Source

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

• Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

• Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
• Parameter names follow JS identifier rules and allow unicode characters

Added

• Parameter names can now be quoted, e.g. :"foo-bar"
• Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

• Removes loose mode
• Removes regular expression overrides of parameters

v7.2.0: Support array inputs (again)

Compare Source

Added

• Support array inputs for match and pathToRegexp 3fdd88f

v7.1.0: Strict mode

Compare Source

Added

• Adds a strict option to detect potential ReDOS issues

Fixed

• Fixes separator to default to suffix + prefix when not specified
• Allows separator to be undefined in TokenData
  • This is only relevant if you are building TokenData manually, previously parse filled it in automatically

Comments

• I highly recommend enabling strict: true and I'm probably releasing a V8 with it enabled by default ASAP as a necessary security mitigation

v7.0.0: Wildcard, unicode, and modifier changes

Compare Source

Hi all! There's a few major breaking changes in this release so read carefully.

Breaking changes:

• The function returned by compile only accepts strings as values (i.e. no numbers, use String(value) before compiling a path)
  • For repeated values, when encode !== false, it must be an array of strings
• Parameter names can contain all unicode identifier characters (defined as regex \p{XID_Continue}).
• Modifiers (?, *, +) must be used after a param explicitly wrapped in {}
  • No more implied prefix of / or .
• No support for arrays or regexes as inputs
• The wildcard (standalone *) has been added back and matches Express.js expected behavior
• Removed endsWith option
• Renamed strict: true to trailing: false
• Reserved ;, ,, !, and @ for future use-cases
• Removed tokensToRegexp, tokensToFunction and regexpToFunction in favor of simplifying exports
• Enable a "loose" mode by default, so / can be repeated multiple times in a matched path (i.e. /foo works like //foo, etc)
• encode and decode no longer receive the token as the second parameter
• Removed the ESM + CommonJS dual package in favor of only one CommonJS supported export
• Minimum JS support for ES2020 (previous ES2015)
• Encode defaults to encodeURIComponent and decode defaults to decodeURIComponent

Added:

• Adds encodePath to fix an issue around encode being used for both path and parameters (the path and parameter should be encoded slightly differently)
• Adds loose as an option to support arbitrarily matching the delimiter in paths, e.g. foo/bar and foo///bar should work the same
• Allow encode and decode to be set to false which skips all processing of the parameters input/output
• All remaining methods support TokenData (exported, returned by parse) as input
  • This should be useful if you are programmatically building paths to match or want to avoid parsing multiple times

Requests for feedback:

• Requiring {} is an obvious drawback but I'm seeking feedback on whether it helps make path behavior clearer
  • Related: Removing / and . as implicit prefixes
• Removing array and regex support is to reduce the overall package size for things many users don't need
• Unicode IDs are added to align more closely with browser URLPattern behavior, which uses JS identifiers

v6.3.0: Fix backtracking in 6.x

Compare Source

Fixed

• Add backtrack protection to 6.x (#​324) f1253b4

v6.2.2: Updated README

Compare Source

No API changes. Documentation only release.

Changed

• Fix readme example c7ec332
• Update shield URL e828000

v6.2.1: Fix matching :name* parameter

Compare Source

Fixed

• Fix invalid matching of :name* parameter (#​261) 762bc6b
• Compare delimiter string over regexp 86baef8

Added

• New example in documentation (#​256) ae9e576
• Update demo link (#​250) 77df638
• Update README encode example b39edd4

v6.2.0: Named Capturing Groups

Compare Source

Added

• Support named capturing groups for RegExps (#​225)

Fixed

• Update strict flag documentation (#​227)
• Ignore test files when bundling (#​220)

v6.1.0: Use /#? as Default Delimiter

Compare Source

Fixed

• Use /#? as default delimiter to avoid matching on query or fragment parameters
  • If you are matching non-paths (e.g. hostnames), you can adjust delimiter: '.'

v6.0.0: Custom Prefix and Suffix Groups

Compare Source

This release reverts the prefix behavior added in v3 back to the behavior seen in v2. For the most part, path matching is backward compatible with v2 with these enhancements:

1. Support for nested non-capturing groups in regexp, e.g. /(abc(?=d))
2. Support for custom prefix and suffix groups using /{abc(.*)def}
3. Tokens in an unexpected position will throw an error
   • Paths like /test(foo previously worked treating ( as a literal character, now it expects ( to be closed and is treated as a group
   • You can escape the character for the previous behavior, e.g. /test\(foo

Changed

• Revert using any character as prefix, support prefixes option to configure this (starts as /. which acts like every version since 0.x again)
• Add support for {} to capture prefix/suffix explicitly, enables custom use-cases like /:attr1{-:attr2}?

v5.0.0: Remove Default Encode URI Component

Compare Source

No changes to path rules since 3.x, except support for nested RegEx parts in 4.x.

Changed

• Rename RegexpOptions interface to TokensToRegexpOptions
• Remove normalizePathname from library, document solution in README
• Encode using identity function as default, not encodeURIComponent

v4.0.5: Decode URI

Compare Source

Removed

• Remove whitelist in favor of decodeURI (advanced behavior can happen outside path-to-regexp)

v4.0.4: Remove String#normalize

Compare Source

Fixed

• Remove usage of String.prototype.normalize to continue supporting IE

v4.0.3: Normalize Path Whitelist

Compare Source

Added

• Add normalize whitelist of characters (defaults to /%.-)

v4.0.2: Allow RegexpOptions in match

Compare Source

Fixed

• Allow RegexpOptions in match(...) function

v4.0.1: Fix Spelling of Regexp

Compare Source

Fixed

• Normalize regexp spelling across 4.x

v4.0.0: ES2015 Package for Bundlers

Compare Source

All path rules are backward compatible with 3.x, except for nested () and other RegEx special characters that were previously ignored.

Changed

• Export names have changed to support ES2015 modules in bundlers
• match does not default to decodeURIComponent

Added

• New normalizePathname utility for supporting unicode paths in libraries
• Support nested non-capturing groups within parameters
• Add tree-shaking (via ES2015 modules) for webpack and other bundlers

v3.3.0: Add backtracking protection

Compare Source

Fixed

• Add backtrack protection to 3.x release (#​321) d31670a

v3.2.0: Match Function

Compare Source

Added

• Add native match function to library

v3.1.0: Validate and sensitive options

Compare Source

• Add sensitive option for tokensToFunction (#​191)
• Add validate option to path functions (#​178)

v3.0.0

Compare Source

• Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
• Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

v2.4.0

Compare Source

• Support start option to disable anchoring from beginning of the string

v2.3.0

Compare Source

• Use delimiter when processing repeated matching groups (e.g. foo/bar has no prefix, but has a delimiter)

v2.2.1

Compare Source

• Allow empty string with end: false to match both relative and absolute paths

v2.2.0

Compare Source

• Pass token as second argument to encode option (e.g. encode(value, token))

v2.1.0

Compare Source

• Handle non-ending paths where the final character is a delimiter
  • E.g. /foo/ before required either /foo/ or /foo// to match in non-ending mode

v2.0.0

Compare Source

• New option! Ability to set endsWith to match paths like /test?query=string up to the query string
• New option! Set delimiters for specific characters to be treated as parameter prefixes (e.g. /:test)
• Remove isarray dependency
• Explicitly handle trailing delimiters instead of trimming them (e.g. /test/ is now treated as /test/ instead of /test when matching)
• Remove overloaded keys argument that accepted options
• Remove keys list attached to the RegExp output
• Remove asterisk functionality (it's a real pain to properly encode)
• Change tokensToFunction (e.g. compile) to accept an encode function for pretty encoding (e.g. pass your own implementation)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[claude]

Code Review: Dependency Update — path-to-regexp 0.1.13 → 8.4.2

This is a security-driven dependency update scoped entirely to the docs/ package. The changes look correct and appropriate.

What's happening

The PR updates the resolutions override in docs/package.json from path-to-regexp@0.1.13 to 8.4.2. The resolutions field is a Yarn mechanism to force a specific version of a transitive dependency — meaning path-to-regexp is not used directly by the docs site, but by a transitive dependency (e.g., express used by the dev server). The override ensures the vulnerable version isn't pulled in transitively.

The yarn.lock correctly reflects this:

• path-to-regexp@~0.1.12 is still present (retained for other transitive dependencies that specify that range)
• path-to-regexp@8.4.2 is added as the new forced resolution

Security context

The jump to v8.4.0+ fixes two CVEs:

• CVE-2026-4926 / GHSA-j3q9-mxjg-w52f
• CVE-2026-4923 / GHSA-27v5-c462-wpq7

Both involve wildcard backtracking vulnerabilities in route matching — significant issues for any HTTP routing use.

Potential concern (low risk here)

The API between v0.x and v8.x of path-to-regexp changed significantly. However, since this is a resolutions override on a transitive dependency (not a direct usage), any direct API consumers in the dep tree would be relying on the old API. This could cause a runtime mismatch if the transitive dep (e.g., an older version of express's router) calls the v0.x API but gets the v8.x module.

That said, this is a docs site used only during local dev/build — the blast radius is minimal and this is the correct approach to eliminate the vulnerability from the dependency graph.

Verdict

Approved. This is a well-scoped security dependency update. The yarn.lock changes are consistent with the intent. Given the CVE severity and that this only affects the docs toolchain, the update is appropriate to merge.

[claude]

Approved. Security update for path-to-regexp (CVE-2026-4926, CVE-2026-4923), scoped to docs toolchain only. Changes are correct — yarn.lock is consistent with the resolutions override.

[claude]

Code Review: path-to-regexp v0.1.13 → v8.4.2

This is a Renovate-generated security update scoped entirely to the docs/ directory. The changes are correct and well-scoped.

What the PR does

Updates the resolutions override in docs/package.json to force path-to-regexp@8.4.2 for the express transitive dependency. This is the right approach — rather than pinning the package globally (which could break other transitive consumers on different semver ranges), the resolution is scoped as express/path-to-regexp, meaning Yarn only forces the newer version when express is the requester.

Security fix context

v8.4.0 addressed two CVEs:

• CVE-2026-4926 (GHSA-j3q9-mxjg-w52f) — wildcard backtracking allowing ReDoS
• CVE-2026-4923 (GHSA-27v5-c462-wpq7) — large optional route combinations causing regex explosion

These are ReDOS vulnerabilities with potentially serious impact in server environments. Even though this only affects the docs toolchain, eliminating the vulnerability from the dependency graph is the right call.

yarn.lock analysis

The lock file changes are consistent with the intent:

• path-to-regexp@~0.1.12 entry is retained (other transitive deps still request this range)
• path-to-regexp@3.3.0 entry is unchanged (unrelated dep)
• path-to-regexp@8.4.2 is added as the new resolved version for the express resolution

One minor observation: the old path-to-regexp@0.1.13 entry previously served double duty (matching both the bare 0.1.13 pin and ~0.1.12). After this change it only matches ~0.1.12. This is correct behavior since the 0.1.13 explicit pin was the old resolution override that's now been replaced.

API compatibility note

The v0.x → v8.x jump is a significant API overhaul, but since this is a resolutions override rather than a direct dependency, this only matters if a transitive dep calls path-to-regexp's public API directly. In the context of Docusaurus/express dev tooling for a docs site, the runtime risk is minimal.

Verdict

Approved. Clean, well-scoped security update. No concerns with the implementation.

[claude]

Code Review: chore(deps): update dependency path-to-regexp to v8

This is a Renovate Bot-generated dependency update for the docs/ directory, bumping path-to-regexp from 1.9.0 → 8.4.2 as a security resolution override.

Summary

The change is minimal and correct:

• docs/package.json: updates the resolutions entry for express/path-to-regexp from 1.9.0 to 8.4.2
• docs/yarn.lock: updated lock file entries accordingly, preserving the ^1.7.0 and ~0.1.12 entries untouched (they resolve to different version pins)

Security Significance

This update is specifically important — v8.4.0 fixes two CVEs:

• CVE-2026-4926 (GHSA-j3q9-mxjg-w52f)
• CVE-2026-4923 (GHSA-27v5-c462-wpq7)

Both are related to wildcard backtracking (ReDoS vectors). Updating to 8.4.2 patches these and also includes additional performance improvements (~20-25% parse/compile speedup) and a smaller bundle size.

Assessment

The scope is correctly limited to the docs/ subdirectory — this is a dev/docs tooling dependency, not part of the core TUnit .NET library. The yarn.lock correctly retains path-to-regexp@1.9.0 as a direct dependency resolution for packages that explicitly require ^1.7.0 (the resolution override only forces the express/path-to-regexp path to 8.4.2).

No concerns. This is a straightforward, well-scoped security dependency bump. Approved.