[fix] `npm audit` reporting high severity vulnerability with `@koa/router` 13.0.0

[cduff]

Steps to reproduce

$ npm i @koa/router

added 9 packages in 429ms

$ npm audit
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/path-to-regexp
  @koa/router  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/@koa/router

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Solution

Fix by upgrading @koa/router to depend on later version of path-to-regexp?

[ManojKeer]

Facing the same issue since yesterday. koa-router(12.0.1) is using path-to-regexp of version 6.2.1. I am getting build errors to upgrade the path-to-regexp to latest. How to fix this issue? Will koa-router publish a latest version with patched path-to-regexp version?

[iambumblehead]

➕

[iambumblehead]

related pillarjs/path-to-regexp#324

[iambumblehead]

locally incrementing to 6.3.0 does not satisfy the warning

path-to-regexp  4.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install path-to-regexp@8.1.0, which is a breaking change
node_modules/path-to-regexp

[mschfh]

locally incrementing to 6.3.0 does not satisfy the warning

The advisory wasn't updated yet to include the 6.x patched version: GHSA-9wv6-86v2-598j

[moez-qlik]

Leaving this bug unfixed could potentially break our projects that rely on Koa Router.
#185

[panva]

Leaving this bug unfixed could potentially break our projects that rely on Koa Router. #185

That's unrelated to the path-to-regexp CVE. path-to-regexp 6.3.0 was released with the fix backport. Meaning that the router is no longer vulnerable. The advisory has not been updated yet to reflect the fixed version.