From dbea8beedaf6b61f02ba1134f56b13331b3eaaa2 Mon Sep 17 00:00:00 2001
From: Antonis Lilis
Date: Thu, 26 Feb 2026 14:09:15 +0100
Subject: [PATCH] chore(deps): bump path-to-regexp to 0.1.12

Adds a parent-scoped yarn resolution to force express@4.19.2's path-to-regexp dependency from 0.1.7 to 0.1.12, patching ReDoS vulnerability (affected range: < 0.1.12). The 7.x consumers are unaffected.

Co-Authored-By: Claude Sonnet 4.6
---
package.json | 1 +
yarn.lock | 8 ++++----
2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index bd69d55849..1eda125414 100644
--- a/package.json
+++ b/package.json
@@ -60,6 +60,7 @@
 ],
 "resolutions": {
 "appium-chromedriver@npm:5.6.73/@xmldom/xmldom": "0.8.10",
+ "express@npm:4.19.2/path-to-regexp": "0.1.12",
 "fast-xml-parser": "^5.3.6",
 "form-data": "4.0.4",
 "qs": "^6.14.2",
diff --git a/yarn.lock b/yarn.lock
index d9063b15cf..765a320e04 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -28302,10 +28302,10 @@ __metadata:
 languageName: node
 linkType: hard

-"path-to-regexp@npm:0.1.7":
- version: 0.1.7
- resolution: "path-to-regexp@npm:0.1.7"
- checksum: 69a14ea24db543e8b0f4353305c5eac6907917031340e5a8b37df688e52accd09e3cebfe1660b70d76b6bd89152f52183f28c74813dbf454ba1a01c82a38abce
+"path-to-regexp@npm:0.1.12":
+ version: 0.1.12
+ resolution: "path-to-regexp@npm:0.1.12"
+ checksum: ab237858bee7b25ecd885189f175ab5b5161e7b712b360d44f5c4516b8d271da3e4bf7bf0a7b9153ecb04c7d90ce8ff5158614e1208819cf62bac2b08452722e
 languageName: node
 linkType: hard
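Review bot: The `express@npm:4.19.2/path-to-regexp` key added to `resolutions` in package.json matches only that exact express version, so the override silently stops applying if the lockfile ever resolves express to a different release, and JSON leaves no place to record why the pin exists. The yarn.lock hunk shows the single `path-to-regexp@npm:0.1.7` entry replaced by 0.1.12, which confirms the fix today but does not guard against a regression. I would add a CI check built on `yarn why path-to-regexp` that fails when any 0.1.x copy below 0.1.12 is resolved, and track removing the override once the package that pulls in express 4.19.2 is upgraded; later express 4.x releases appear to declare the patched path-to-regexp themselves, but confirm that before dropping the pin. The `resolutions` object starts and ends outside this hunk.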