
chore(deps): update dependency path-to-regexp to v8.4.0 [security] #8361

Open

backstage-goalie[bot] wants to merge 1 commit into main from renovate/npm-path-to-regexp-vulnerability

Conversation

@backstage-goalie
Contributor

This PR contains the following updates:

Package          Change          Age    Confidence
path-to-regexp   8.3.0 -> 8.4.0  (age)  (confidence)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

CVE-2026-4923 / GHSA-27v5-c462-wpq7

More information

Details

Impact

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y

Safe examples:

/*foo-:bar
/*foo-:bar-*baz

Patches

Upgrade to version 8.4.0.

Workarounds

If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


path-to-regexp vulnerable to Denial of Service via sequential optional groups

CVE-2026-4926 / GHSA-j3q9-mxjg-w52f

More information

Details

Impact

A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.

Patches

Fixed in version 8.4.0.

Workarounds

Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pillarjs/path-to-regexp (path-to-regexp)

v8.4.0: 8.4.0

Compare Source

Important

Fixed

  • Restricts wildcard backtracking when using more than 1 in a path (#421)

Changed

  • Dedupes regex prefixes (#422)
    • This will result in shorter regular expressions for some cases using optional groups
  • Rejects large optional route combinations (#424)
    • When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes
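The two advisories and the release notes above describe the route-pattern shapes that produce a bad regex: two or more wildcards combined with a parameter where the second wildcard is not at the end of the path (GHSA-27v5-c462-wpq7), and optional groups whose expansion grows as 2^n, which 8.4.0 now caps at fewer than 256 combinations (GHSA-j3q9-mxjg-w52f). The script below is an added example, not code from this PR or from the path-to-regexp project: a pre-deployment lint that walks a route table and flags patterns matching either shape, so an application that accepts user-defined routes (or one that cannot upgrade yet) can reject them before they reach the library. It does not call path-to-regexp; its tokenizer is a simplified reading of the v8 syntax (`:name`, `*name`, `{...}`, backslash escapes) and does not model quoted names, and the function names, finding codes and sample route table are all assumptions constructed for the example.

```javascript
// Added example: route-pattern lint mirroring the two advisories above.
// Not path-to-regexp's own code; does not use the library. Tokenizer is a
// simplified reading of the v8 syntax:
//   :name  named parameter     *name  wildcard
//   {...}  optional group      \x     escaped character (skipped)
// Quoted names (:"name") and the contents of nested groups are not modelled.
const NAME_CHAR = /[A-Za-z0-9_$]/;

// Walk the pattern once and record the tokens the checks below care about.
function tokenize(pattern) {
  const tokens = [];
  let depth = 0;
  let i = 0;
  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === "\\") { i += 2; continue; }          // escaped char, skip it
    if (ch === "{") {
      if (depth === 0) tokens.push({ type: "group", index: i }); // top-level only
      depth++; i++; continue;
    }
    if (ch === "}") { depth = Math.max(0, depth - 1); i++; continue; }
    if (ch === ":" || ch === "*") {
      let j = i + 1;
      while (j < pattern.length && NAME_CHAR.test(pattern[j])) j++;
      tokens.push({ type: ch === ":" ? "param" : "wildcard",
                    name: pattern.slice(i + 1, j), index: i, end: j });
      i = j; continue;
    }
    i++;
  }
  return tokens;
}

// Returns token counts plus a list of finding codes (assumed names).
// maxCombinations (default 256) is the cap 8.4.0 applies to optional-group
// expansion (2^n for n top-level groups), taken from the release notes above.
function checkRoutePattern(pattern, { maxCombinations = 256 } = {}) {
  const tokens = tokenize(pattern);
  const wildcards = tokens.filter((t) => t.type === "wildcard");
  const params = tokens.filter((t) => t.type === "param");
  const groups = tokens.filter((t) => t.type === "group");
  const findings = [];

  // GHSA-27v5-c462-wpq7: two or more wildcards plus at least one parameter,
  // where the second wildcard is not the final token of the path.
  if (wildcards.length >= 2 && params.length >= 1 &&
      wildcards[1].end !== pattern.length) {
    findings.push("multi-wildcard-backtracking");
  }

  // GHSA-j3q9-mxjg-w52f: optional groups expand to 2^n alternatives; flag
  // patterns the patched library would reject outright.
  if (groups.length > 0 && 2 ** groups.length >= maxCombinations) {
    findings.push("optional-group-blowup");
  }

  return { pattern, wildcards: wildcards.length, params: params.length,
           optionalGroups: groups.length, findings };
}

// Lint a whole route table; returns only the patterns with findings.
function lintRoutes(patterns, options) {
  return patterns.map((p) => checkRoutePattern(p, options))
                 .filter((r) => r.findings.length > 0);
}

// Constructed sample route table: the advisory's unsafe and safe examples
// plus two group-heavy patterns (8 and 256 combinations).
const SAMPLE_ROUTES = [
  "/*foo-*bar-:baz", "/*a-:b-*c-:d", "/x/*a-:b/*c/y",   // unsafe per advisory
  "/*foo-:bar", "/*foo-:bar-*baz",                     // safe per advisory
  "{a}{b}{c}:z",                                       // 2^3 = 8, under the cap
  "{a}{b}{c}{d}{e}{f}{g}{h}:z",                        // 2^8 = 256, rejected by 8.4.0
];

for (const r of lintRoutes(SAMPLE_ROUTES)) {
  console.log(`${r.pattern}: ${r.findings.join(", ")}`);
}
```

Run with `node lint-routes.js` (any file name); the loop at the end prints one line per flagged pattern and nothing for the safe ones. The lint is deliberately conservative: it reproduces the advisory's stated conditions rather than estimating backtracking cost, so a pattern it passes should still be confirmed with a regex analyser such as the recheck playground linked in the workaround section if it is user-supplied.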

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@backstage-goalie backstage-goalie bot added the dependencies Pull requests that update a dependency file label Mar 28, 2026
@backstage-goalie backstage-goalie bot requested a review from Parsifal-M March 28, 2026 00:23
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch 2 times, most recently from 00ce507 to 1eb175b March 28, 2026 21:15
@backstage-goalie backstage-goalie bot changed the title chore(deps): update dependency path-to-regexp to v8.4.0 [security] chore(deps): update dependency path-to-regexp to v8.4.0 [security] - autoclosed Mar 29, 2026
@backstage-goalie backstage-goalie bot closed this Mar 29, 2026
@backstage-goalie backstage-goalie bot deleted the renovate/npm-path-to-regexp-vulnerability branch March 29, 2026 09:18
@backstage-goalie backstage-goalie bot changed the title chore(deps): update dependency path-to-regexp to v8.4.0 [security] - autoclosed chore(deps): update dependency path-to-regexp to v8.4.0 [security] Mar 29, 2026
@backstage-goalie backstage-goalie bot reopened this Mar 29, 2026
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-path-to-regexp-vulnerability branch 8 times, most recently from 97d5e43 to 3f8208d March 31, 2026 06:35
Signed-off-by: Renovate Bot <bot@renovateapp.com>

Labels

dependencies Pull requests that update a dependency file security workspace/apiiro workspace/mend
