chore(deps): bump path-to-regexp to 0.1.12 #5706

Open
antonis wants to merge 1 commit into main from antonis/bump-path-to-regexp

@antonis antonis commented Feb 24, 2026

Summary

  • Adds a parent-scoped resolutions entry to force express@4.19.2's path-to-regexp dependency from 0.1.7 to 0.1.12
  • Fixes ReDoS vulnerability (affected range: < 0.1.12)
  • Uses a scoped resolution to avoid touching the unaffected 7.1.0 consumer

Dependabot alerts

Test plan

  • yarn install resolves express's path-to-regexp to 0.1.12
  • yarn build passes
  • yarn test passes

🤖 Generated with Claude Code
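
A check for the first test-plan item, as an added example that is not part of the PR: it scans yarn.lock text and flags any path-to-regexp entry below 0.1.12, the affected range stated above, while leaving the 7.1.0 entry alone. The sample lockfile content is constructed, and auditLock, isBelow and lockFor are hypothetical names.

```javascript
// Added example (not from the PR): audit yarn.lock text for path-to-regexp
// versions inside the affected range the PR states (< 0.1.12).
const FIXED = [0, 1, 12];

// True when version triple a sorts strictly before b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Returns one { key, version, affected } record per lock entry for `pkg`.
// Handles classic (version "x") and Berry (version: x) lockfile syntax.
function auditLock(lockText, pkg = 'path-to-regexp') {
  const results = [];
  let key = null;
  for (const raw of lockText.split(/\r?\n/)) {
    const line = raw.trimEnd();
    if (/^[^\s#]/.test(line) && line.endsWith(':')) {
      // Entry header; may list several descriptors separated by commas.
      const header = line.slice(0, -1);
      const names = header.split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      key = names.some((n) => n.startsWith(pkg + '@')) ? header : null;
      continue;
    }
    const m = key && /^\s+version:?\s+"?(\d+)\.(\d+)\.(\d+)/.exec(line);
    if (m) {
      const triple = m.slice(1, 4).map(Number);
      results.push({ key, version: triple.join('.'), affected: isBelow(triple, FIXED) });
      key = null;
    }
  }
  return results;
}

// Constructed sample lockfiles: before and after the scoped resolution.
const lockFor = (legacy) => [
  '# yarn lockfile v1',
  `path-to-regexp@${legacy}:`,
  `  version "${legacy}"`,
  'path-to-regexp@^7.1.0:',
  '  version "7.1.0"',
].join('\n');

for (const v of ['0.1.7', '0.1.12']) {
  const bad = auditLock(lockFor(v)).filter((e) => e.affected);
  console.log(v, bad.length ? `AFFECTED: ${bad.map((e) => e.key)}` : 'ok');
}
```

Run against the real yarn.lock in CI, a non-empty affected list is the signal that the resolution did not take effect.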

@antonis antonis added the ready-to-merge Triggers the full CI test suite label Feb 24, 2026

github-actions bot commented Feb 24, 2026

Semver Impact of This PR

None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


  • chore(deps): bump path-to-regexp to 0.1.12 by antonis in #5706
  • ci: Cancel in-progress CI jobs when a PR is closed or merged by antonis in #5725

🤖 This preview updates automatically when you update the PR.

github-actions bot commented Feb 24, 2026

iOS (legacy) Performance metrics 🚀

  Plain With Sentry Diff
Startup time 1224.51 ms 1214.09 ms -10.43 ms
Size 3.38 MiB 4.78 MiB 1.40 MiB

Baseline results on branch: main

Startup times

Revision Plain With Sentry Diff
ea3e26e+dirty 1229.13 ms 1228.46 ms -0.67 ms
80e4616+dirty 1221.32 ms 1225.64 ms 4.32 ms
818a608+dirty 1205.76 ms 1208.00 ms 2.24 ms
77061ed+dirty 1233.16 ms 1234.88 ms 1.71 ms
bef3709+dirty 1222.07 ms 1220.24 ms -1.83 ms
a206511+dirty 1185.00 ms 1186.35 ms 1.35 ms
74979ac+dirty 1210.49 ms 1213.31 ms 2.82 ms
a2bb688+dirty 1223.53 ms 1232.90 ms 9.37 ms
8a868fe+dirty 1221.50 ms 1230.78 ms 9.28 ms
d590428+dirty 1211.77 ms 1220.51 ms 8.75 ms

App size

Revision Plain With Sentry Diff
ea3e26e+dirty 3.41 MiB 4.58 MiB 1.17 MiB
80e4616+dirty 3.38 MiB 4.60 MiB 1.22 MiB
818a608+dirty 2.63 MiB 3.91 MiB 1.28 MiB
77061ed+dirty 2.63 MiB 3.98 MiB 1.34 MiB
bef3709+dirty 3.38 MiB 4.78 MiB 1.40 MiB
a206511+dirty 3.41 MiB 4.67 MiB 1.25 MiB
74979ac+dirty 3.38 MiB 4.60 MiB 1.22 MiB
a2bb688+dirty 2.63 MiB 3.99 MiB 1.36 MiB
8a868fe+dirty 3.38 MiB 4.60 MiB 1.22 MiB
d590428+dirty 3.38 MiB 4.78 MiB 1.39 MiB

Previous results on branch: antonis/bump-path-to-regexp

Startup times

Revision Plain With Sentry Diff
d21e06e+dirty 1209.00 ms 1211.06 ms 2.06 ms

App size

Revision Plain With Sentry Diff
d21e06e+dirty 3.38 MiB 4.78 MiB 1.40 MiB

github-actions bot commented Feb 24, 2026

Android (legacy) Performance metrics 🚀

  Plain With Sentry Diff
Startup time 412.69 ms 469.18 ms 56.49 ms
Size 43.75 MiB 48.46 MiB 4.71 MiB

Baseline results on branch: main

Startup times

Revision Plain With Sentry Diff
c7f264b 434.98 ms 452.96 ms 17.98 ms
9f211e3 451.50 ms 500.00 ms 48.50 ms
9ced351+dirty 405.40 ms 419.39 ms 13.98 ms
f70acbf+dirty 373.39 ms 382.81 ms 9.43 ms
f234eb4+dirty 407.62 ms 429.64 ms 22.02 ms
2adbd1e+dirty 433.98 ms 427.96 ms -6.02 ms
7886639+dirty 425.10 ms 477.73 ms 52.63 ms
a206511+dirty 424.28 ms 474.82 ms 50.54 ms
98f632c 424.25 ms 435.48 ms 11.23 ms
46da307 455.92 ms 443.79 ms -12.13 ms

App size

Revision Plain With Sentry Diff
c7f264b 17.75 MiB 19.68 MiB 1.94 MiB
9f211e3 17.75 MiB 19.68 MiB 1.94 MiB
9ced351+dirty 43.75 MiB 48.41 MiB 4.66 MiB
f70acbf+dirty 17.75 MiB 19.68 MiB 1.94 MiB
f234eb4+dirty 17.75 MiB 19.74 MiB 1.99 MiB
2adbd1e+dirty 17.75 MiB 19.70 MiB 1.96 MiB
7886639+dirty 43.75 MiB 48.42 MiB 4.67 MiB
a206511+dirty 43.75 MiB 48.07 MiB 4.32 MiB
98f632c 17.75 MiB 20.15 MiB 2.41 MiB
46da307 17.75 MiB 19.68 MiB 1.93 MiB

Previous results on branch: antonis/bump-path-to-regexp

Startup times

Revision Plain With Sentry Diff
d21e06e+dirty 410.66 ms 438.76 ms 28.10 ms

App size

Revision Plain With Sentry Diff
d21e06e+dirty 43.75 MiB 48.46 MiB 4.71 MiB

@antonis antonis marked this pull request as ready for review February 24, 2026 12:20

github-actions bot commented Feb 24, 2026

Android (new) Performance metrics 🚀

  Plain With Sentry Diff
Startup time 423.08 ms 471.26 ms 48.18 ms
Size 43.94 MiB 49.33 MiB 5.39 MiB

Baseline results on branch: main

Startup times

Revision Plain With Sentry Diff
664c66f+dirty 376.23 ms 389.51 ms 13.28 ms
d73150f+dirty 424.60 ms 454.35 ms 29.75 ms
4a17c8f+dirty 368.54 ms 381.43 ms 12.89 ms
b3b5b0d+dirty 361.42 ms 403.90 ms 42.48 ms
9ced351+dirty 361.74 ms 411.45 ms 49.70 ms
7886639+dirty 530.30 ms 571.34 ms 41.04 ms
c08359e+dirty 406.04 ms 428.87 ms 22.83 ms
3099014+dirty 344.58 ms 404.21 ms 59.63 ms
d751a5d+dirty 341.61 ms 403.06 ms 61.45 ms
682f0f5+dirty 402.33 ms 440.61 ms 38.28 ms

App size

Revision Plain With Sentry Diff
664c66f+dirty 43.94 MiB 49.38 MiB 5.44 MiB
d73150f+dirty 43.94 MiB 49.38 MiB 5.44 MiB
4a17c8f+dirty 43.94 MiB 48.82 MiB 4.88 MiB
b3b5b0d+dirty 7.15 MiB 8.41 MiB 1.26 MiB
9ced351+dirty 43.94 MiB 49.27 MiB 5.33 MiB
7886639+dirty 43.94 MiB 49.28 MiB 5.34 MiB
c08359e+dirty 7.15 MiB 8.42 MiB 1.27 MiB
3099014+dirty 7.15 MiB 8.43 MiB 1.27 MiB
d751a5d+dirty 7.15 MiB 8.41 MiB 1.26 MiB
682f0f5+dirty 43.94 MiB 48.91 MiB 4.97 MiB

Previous results on branch: antonis/bump-path-to-regexp

Startup times

Revision Plain With Sentry Diff
d21e06e+dirty 362.31 ms 404.80 ms 42.49 ms

App size

Revision Plain With Sentry Diff
d21e06e+dirty 43.94 MiB 49.33 MiB 5.39 MiB

github-actions bot commented Feb 24, 2026

iOS (new) Performance metrics 🚀

  Plain With Sentry Diff
Startup time 1222.15 ms 1219.43 ms -2.72 ms
Size 3.38 MiB 4.78 MiB 1.40 MiB

Baseline results on branch: main

Startup times

Revision Plain With Sentry Diff
ea3e26e+dirty 1216.61 ms 1214.15 ms -2.47 ms
80e4616+dirty 1206.90 ms 1205.94 ms -0.96 ms
818a608+dirty 1218.84 ms 1223.18 ms 4.34 ms
77061ed+dirty 1210.77 ms 1218.45 ms 7.68 ms
bef3709+dirty 1217.79 ms 1225.33 ms 7.54 ms
a206511+dirty 1225.02 ms 1223.74 ms -1.28 ms
74979ac+dirty 1212.33 ms 1212.54 ms 0.21 ms
a2bb688+dirty 1244.82 ms 1238.60 ms -6.22 ms
8a868fe+dirty 1206.85 ms 1215.04 ms 8.19 ms
d590428+dirty 1221.23 ms 1225.27 ms 4.03 ms

App size

Revision Plain With Sentry Diff
ea3e26e+dirty 3.41 MiB 4.58 MiB 1.17 MiB
80e4616+dirty 3.38 MiB 4.60 MiB 1.22 MiB
818a608+dirty 3.19 MiB 4.48 MiB 1.29 MiB
77061ed+dirty 3.19 MiB 4.54 MiB 1.36 MiB
bef3709+dirty 3.38 MiB 4.78 MiB 1.40 MiB
a206511+dirty 3.41 MiB 4.67 MiB 1.25 MiB
74979ac+dirty 3.38 MiB 4.60 MiB 1.22 MiB
a2bb688+dirty 3.19 MiB 4.56 MiB 1.37 MiB
8a868fe+dirty 3.38 MiB 4.60 MiB 1.22 MiB
d590428+dirty 3.38 MiB 4.78 MiB 1.39 MiB

Previous results on branch: antonis/bump-path-to-regexp

Startup times

Revision Plain With Sentry Diff
d21e06e+dirty 1209.59 ms 1216.79 ms 7.20 ms

App size

Revision Plain With Sentry Diff
d21e06e+dirty 3.38 MiB 4.78 MiB 1.40 MiB

@antonis antonis removed the ready-to-merge Triggers the full CI test suite label Feb 26, 2026

github-actions bot commented Feb 26, 2026

Fails
🚫 Pull request is not ready for merge, please add the "ready-to-merge" label to the pull request

Generated by 🚫 dangerJS against dbea8be

Adds a parent-scoped yarn resolution to force express@4.19.2's
path-to-regexp dependency from 0.1.7 to 0.1.12, patching
ReDoS vulnerability (affected range: < 0.1.12).
The 7.x consumers are unaffected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@antonis antonis force-pushed the antonis/bump-path-to-regexp branch from 9098b71 to dbea8be Compare February 26, 2026 13:09