chore(deps): update dependency path-to-regexp to v8 - autoclosed (!875) · Merge requests · FIT-Connect / Dokumentation

This MR contains the following updates:

Package	Type	Update	Change
path-to-regexp	resolutions	major	`^0.2.0` -> `^8.0.0`

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

pillarjs/path-to-regexp (path-to-regexp)

`v8.2.0`: 8.2.0

Compare Source

Fixed

Allowing path-to-regexp to run on older browsers by targeting ES2015
- Target ES2015 5969033
  - Also saved 0.22kb (10%!) by removing the private class field down level
- Remove s flag from regexp 51dbd45

`v8.1.0`

Compare Source

Added

Adds pathToRegexp method back for generating a regex
Adds stringify method for converting TokenData into a path string

`v8.0.0`: Simpler API

Compare Source

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
Parameter names follow JS identifier rules and allow unicode characters

Added

Parameter names can now be quoted, e.g. :"foo-bar"
Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

Removes loose mode
Removes regular expression overrides of parameters

`v7.2.0`: Support array inputs (again)

Compare Source

Added

Support array inputs for match and pathToRegexp 3fdd88f

`v7.1.0`: Strict mode

Compare Source

Added

Adds a strict option to detect potential ReDOS issues

Fixed

Fixes separator to default to suffix + prefix when not specified
Allows separator to be undefined in TokenData
- This is only relevant if you are building TokenData manually, previously parse filled it in automatically

Comments

I highly recommend enabling strict: true and I'm probably releasing a V8 with it enabled by default ASAP as a necessary security mitigation

`v7.0.0`: Wildcard, unicode, and modifier changes

Compare Source

Hi all! There's a few major breaking changes in this release so read carefully.

Breaking changes:

The function returned by compile only accepts strings as values (i.e. no numbers, use String(value) before compiling a path)
- For repeated values, when encode !== false, it must be an array of strings
Parameter names can contain all unicode identifier characters (defined as regex \p{XID_Continue}).
Modifiers (?, *, +) must be used after a param explicitly wrapped in {}
- No more implied prefix of / or .
No support for arrays or regexes as inputs
The wildcard (standalone *) has been added back and matches Express.js expected behavior
Removed endsWith option
Renamed strict: true to trailing: false
Reserved ;, ,, !, and @ for future use-cases
Removed tokensToRegexp, tokensToFunction and regexpToFunction in favor of simplifying exports
Enable a "loose" mode by default, so / can be repeated multiple times in a matched path (i.e. /foo works like //foo, etc)
encode and decode no longer receive the token as the second parameter
Removed the ESM + CommonJS dual package in favor of only one CommonJS supported export
Minimum JS support for ES2020 (previous ES2015)
Encode defaults to encodeURIComponent and decode defaults to decodeURIComponent

Added:

Adds encodePath to fix an issue around encode being used for both path and parameters (the path and parameter should be encoded slightly differently)
Adds loose as an option to support arbitrarily matching the delimiter in paths, e.g. foo/bar and foo///bar should work the same
Allow encode and decode to be set to false which skips all processing of the parameters input/output
All remaining methods support TokenData (exported, returned by parse) as input
- This should be useful if you are programmatically building paths to match or want to avoid parsing multiple times

Requests for feedback:

Requiring {} is an obvious drawback but I'm seeking feedback on whether it helps make path behavior clearer
- Related: Removing / and . as implicit prefixes
Removing array and regex support is to reduce the overall package size for things many users don't need
Unicode IDs are added to align more closely with browser URLPattern behavior, which uses JS identifiers

`v6.3.0`: Fix backtracking in 6.x

Compare Source

Fixed

Add backtrack protection to 6.x (#324) f1253b4

`v6.2.2`: Updated README

Compare Source

No API changes. Documentation only release.

Changed

Fix readme example c7ec332
Update shield URL e828000

`v6.2.1`: Fix matching `:name*` parameter

Compare Source

Fixed

Fix invalid matching of :name* parameter (#261) 762bc6b
Compare delimiter string over regexp 86baef8

Added

New example in documentation (#256) ae9e576
Update demo link (#250) 77df638
Update README encode example b39edd4

`v6.2.0`: Named Capturing Groups

Compare Source

Added

Support named capturing groups for RegExps (#225)

Fixed

Update strict flag documentation (#227)
Ignore test files when bundling (#220)

`v6.1.0`: Use `/#?` as Default Delimiter

Compare Source

Fixed

Use /#? as default delimiter to avoid matching on query or fragment parameters
- If you are matching non-paths (e.g. hostnames), you can adjust delimiter: '.'

`v6.0.0`: Custom Prefix and Suffix Groups

Compare Source

This release reverts the prefix behavior added in v3 back to the behavior seen in v2. For the most part, path matching is backward compatible with v2 with these enhancements:

Support for nested non-capturing groups in regexp, e.g. /(abc(?=d))
Support for custom prefix and suffix groups using /{abc(.*)def}
Tokens in an unexpected position will throw an error
- Paths like /test(foo previously worked treating ( as a literal character, now it expects ( to be closed and is treated as a group
- You can escape the character for the previous behavior, e.g. /test\(foo

Changed

Revert using any character as prefix, support prefixes option to configure this (starts as /. which acts like every version since 0.x again)
Add support for {} to capture prefix/suffix explicitly, enables custom use-cases like /:attr1{-:attr2}?

`v5.0.0`: Remove Default Encode URI Component

Compare Source

No changes to path rules since 3.x, except support for nested RegEx parts in 4.x.

Changed

Rename RegexpOptions interface to TokensToRegexpOptions
Remove normalizePathname from library, document solution in README
Encode using identity function as default, not encodeURIComponent

`v4.0.5`: Decode URI

Compare Source

Removed

Remove whitelist in favor of decodeURI (advanced behavior can happen outside path-to-regexp)

`v4.0.4`: Remove `String#normalize`

Compare Source

Fixed

Remove usage of String.prototype.normalize to continue supporting IE

`v4.0.3`: Normalize Path Whitelist

Compare Source

Added

Add normalize whitelist of characters (defaults to /%.-)

`v4.0.2`: Allow `RegexpOptions` in `match`

Compare Source

Fixed

Allow RegexpOptions in match(...) function

`v4.0.1`: Fix Spelling of Regexp

Compare Source

Fixed

Normalize regexp spelling across 4.x

`v4.0.0`: ES2015 Package for Bundlers

Compare Source

All path rules are backward compatible with 3.x, except for nested () and other RegEx special characters that were previously ignored.

Changed

Export names have changed to support ES2015 modules in bundlers
match does not default to decodeURIComponent

Added

New normalizePathname utility for supporting unicode paths in libraries
Support nested non-capturing groups within parameters
Add tree-shaking (via ES2015 modules) for webpack and other bundlers

`v3.3.0`: Add backtracking protection

Compare Source

Fixed

Add backtrack protection to 3.x release (#321) d31670a

`v3.2.0`: Match Function

Compare Source

Added

Add native match function to library

`v3.1.0`: Validate and sensitive options

Compare Source

Add sensitive option for tokensToFunction (#191)
Add validate option to path functions (#178)

`v3.0.0`

Compare Source

Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

`v2.4.0`

Compare Source

Support start option to disable anchoring from beginning of the string

`v2.3.0`

Compare Source

Use delimiter when processing repeated matching groups (e.g. foo/bar has no prefix, but has a delimiter)

`v2.2.1`

Compare Source

Allow empty string with end: false to match both relative and absolute paths

`v2.2.0`

Compare Source

Pass token as second argument to encode option (e.g. encode(value, token))

`v2.1.0`

Compare Source

Handle non-ending paths where the final character is a delimiter
- E.g. /foo/ before required either /foo/ or /foo// to match in non-ending mode

`v2.0.0`

Compare Source

New option! Ability to set endsWith to match paths like /test?query=string up to the query string
New option! Set delimiters for specific characters to be treated as parameter prefixes (e.g. /:test)
Remove isarray dependency
Explicitly handle trailing delimiters instead of trimming them (e.g. /test/ is now treated as /test/ instead of /test when matching)
Remove overloaded keys argument that accepted options
Remove keys list attached to the RegExp output
Remove asterisk functionality (it's a real pain to properly encode)
Change tokensToFunction (e.g. compile) to accept an encode function for pretty encoding (e.g. pass your own implementation)

`v1.9.0`: Fix backtracking in 1.x

Compare Source

Fixed

Add backtrack protection to 1.x release (#320) 925ac8e
Fix re.exec(&#39;/test/route&#39;) result (#267) 32a14b0

`v1.8.0`: Backport token to function options

Compare Source

Added

Backport TokensToFunctionOptions

`v1.7.0`

Compare Source

Allow a delimiter option to be passed in with tokensToRegExp which will be used for "non-ending" token match situations

`v1.6.0`

Compare Source

Populate RegExp.keys when using the tokensToRegExp method (making it consistent with the main export)
Allow a delimiter option to be passed in with parse
Updated TypeScript definition with Keys and Options updated

`v1.5.3`

Compare Source

Add \\ to the ignore character group to avoid backtracking on mismatched parens

`v1.5.2`

Compare Source

Escape \\ in string segments of regexp

`v1.5.1`

Compare Source

Add index.d.ts to NPM package

`v1.5.0`

Compare Source

Handle partial token segments (better)
Allow compile to handle asterisk token segments

`v1.4.0`

Compare Source

Handle RegExp unions in path matching groups

`v1.3.0`

Compare Source

Clarify README language and named parameter token support
Support advanced Closure Compiler with type annotations
Add pretty paths options to compiled function output
Add TypeScript definition to project
Improved prefix handling with non-complete segment parameters (E.g. /:foo?-bar)