Skip to content

package-lock.json pins swiper 12.0.3 and path-to-regexp 6.2.1 (both have advisories; ranges already permit the fixes) #4398

Description

@kobihikri

Summary

The committed package-lock.json pins two dependencies to versions that have published advisories. Flagging as a hygiene heads-up — I want to be upfront that the practical impact is low (details below), but the lockfile currently ships them.

Dependency Locked Advisory Fixed in
swiper 12.0.3 GHSA-hmx5-qpq5-p643 (prototype pollution) 12.1.2
path-to-regexp 6.2.1 GHSA-9wv6-86v2-598j (ReDoS) 6.3.0

The honest caveat

The declared ranges (swiper: ^12.0.3, path-to-regexp: ^6.2.0) already permit the fixed versions — a fresh npm install resolves to patched releases, so downstream consumers installing today aren't forced onto the vulnerable versions. The gap is only that this repo's committed lockfile still pins the old versions, so the project's own npm ci / CI runs against them, and anyone reinstalling from the committed lock stays on them.

Suggested fix

npm update swiper path-to-regexp (and refresh package-lock.json), or bump the floors to ^12.1.2 / ^6.3.0. There's no Dependabot config in the repo, which is probably why the lock drifted. I checked open + closed issues and didn't find an existing report.


Disclosure: found with AI assistance; I verified the locked versions and both advisories against OSV myself.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions