Conversation
🦋 Changeset detectedLatest commit: 57e0373 The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
Size Change: -182 B (-0.23%) Total Size: 80.4 kB
ℹ️ View Unchanged
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
…' in URLs When a user passes undefined for an optional path parameter, String(urlParams[k]) converted it to the literal string 'undefined', which was then interpolated into the URL (e.g., /users/undefined). Now undefined values are skipped when building pathParams, allowing path-to-regexp's compile() to correctly omit optional segments. Co-authored-by: Nathaniel Tucker <me@ntucker.me>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3757 +/- ##
=======================================
Coverage 98.05% 98.05%
=======================================
Files 151 151
Lines 2821 2831 +10
Branches 553 554 +1
=======================================
+ Hits 2766 2776 +10
Misses 11 11
Partials 44 44 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
2 participants
Motivation
path-to-regexp v6 is vulnerable to ReDoS when routes use two or more parameters between slashes. v8 removes regex features entirely to eliminate this class of vulnerability. The v8 syntax is also the finalized syntax for Express.js v5.
Solution
Upgrade
path-to-regexpfrom v6 to v8 in@data-client/rest, updating runtime code, TypeScript path-inference types, docs, and blog.Runtime (
RestHelpers.ts):compile()andparse()calls for the v8 APItokenMap()to handle v8's structured token tree (includinggrouptokens for{...}optional syntax)Types (
pathTypes.ts):PathKeys/PathSplits: Handle*namewildcards alongside:nameparams, with v8-appropriate delimiter and escape setsCleanKeytype to strip quotes from quoted parameter names (:"with-dash"→with-dash)?suffix handling; optionality now detected via trailing}from{...}groupsTests:
pathTypes.test.tswith 50+ direct type-level assertions covering all v8 patternstypes.test.tsto v8Docs & blog:
<SkillTabs>for AI-assisted migrationpath-to-regexp-v8-migrationAI skill for automated path migrationMade with Cursor
Note
Medium Risk
This is a breaking change to
RestEndpoint.path/Resource.pathparsing and URL generation, so incorrect migrations could produce mismatched URLs/keys at runtime. The upgrade is mitigated by updated docs/examples plus new runtime and type-level tests, but it impacts a core REST API surface.Overview
Upgrades
@data-client/restfrompath-to-regexpv6→v8 (breaking path syntax change), updating runtime compilation/token parsing (RestHelpers.ts) andpathRegexhandling.Fixes URL generation to omit optional path segments when the corresponding param is
undefined, preventing literal"undefined"in generated URLs, and adds regression tests for this behavior.Updates TypeScript path inference (
pathTypes.ts) for v8 features like{}optionals,*namewildcards, quoted parameter names, and new escaping rules, with a newtypescript-tests/pathTypes.test.tssuite and broad test/example/doc migrations to the new syntax. Also adjusts docs/blog andSkillTabsusage, and adds apath-to-regexp-v8-migrationskill plus changesets for the minor/patch releases.Written by Cursor Bugbot for commit 57e0373. This will update automatically on new commits. Configure here.