chore(deps): update dependency path-to-regexp to v8.4.0 - abandoned

[mend-on-mend]

This PR contains the following updates:

Package	Change	Age	Confidence
path-to-regexp	8.2.0 → 8.4.0

---

path-to-regexp vulnerable to Denial of Service via sequential optional groups

CVE-2026-4926 / GHSA-j3q9-mxjg-w52f

More information

Details

Impact

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches

Fixed in version 8.4.0.

Workarounds

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f
• https://nvd.nist.gov/vuln/detail/CVE-2026-4926
• https://cna.openjsf.org/security-advisories.html
• https://github.com/pillarjs/path-to-regexp

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

CVE-2026-4923 / GHSA-27v5-c462-wpq7

More information

Details

Impact

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches

Upgrade to version 8.4.0.

Workarounds

If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7
• https://nvd.nist.gov/vuln/detail/CVE-2026-4923
• https://cna.openjsf.org/security-advisories.html
• https://github.com/pillarjs/path-to-regexp
• https://makenowjust-labs.github.io/recheck/playground

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pillarjs/path-to-regexp (path-to-regexp)

v8.4.0: 8.4.0

Compare Source

Important

• Fix CVE-2026-4926 (GHSA-j3q9-mxjg-w52f)
• Fix CVE-2026-4923 (GHSA-27v5-c462-wpq7)

Fixed

• Restricts wildcard backtracking when using more than 1 in a path (#​421)

Changed

• Dedupes regex prefixes (#​422)
  • This will result in shorter regular expressions for some cases using optional groups
• Rejects large optional route combinations (#​424)
  • When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes

v8.3.0: 8.3.0

Compare Source

Changed

• Add custom error class (#​398) 2a7f2a4
• Allow plain objects for TokenData (#​391) 687a9bb
• Escape text should escape backslash (#​390) a4a8552
• Improved error messages and stack size (#​363) a6bdf40

Other

• Minifying the parser
  • PR (#​401) 9df2448
  • PR (#​395) 4a91505
  • Shaving some bytes d63f44b
  • Remove optional operator 973d15c

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

[mend-on-mend]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[mend-on-mend]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.