Releases: pillarjs/path-to-regexp
Releases · pillarjs/path-to-regexp
Release list
Support array inputs (again)
Add backtracking protection
Fix backtracking in 1.x
Simpler API
Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.
Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/
Added
- Adds key names to wildcards using
*namesyntax, aligns with:behavior but using an asterisk instead
Changed
- Removes group suffixes of
?,+, and*- only optional exists moving forward (use wildcards for+,{*foo}for*) - Parameter names follow JS identifier rules and allow unicode characters
Added
- Parameter names can now be quoted, e.g.
:"foo-bar" - Match accepts an array of values, so the signature is now
string | TokenData | Array<string | TokenData>
Removed
- Removes
loosemode - Removes regular expression overrides of parameters
Backtrack protection
Fixed
- Add backtrack protection to parameters 29b96b4
- This will break some edge cases but should improve performance
Support non-lookahead regex output
Strict mode
Added
- Adds a
strictoption to detect potential ReDOS issues
Fixed
- Fixes separator to default to
suffix + prefixwhen not specified - Allows separator to be undefined in
TokenData- This is only relevant if you are building
TokenDatamanually, previouslyparsefilled it in automatically
- This is only relevant if you are building
Comments
- I highly recommend enabling
strict: trueand I'm probably releasing a V8 with it enabled by default ASAP as a necessary security mitigation
Wildcard, unicode, and modifier changes
Hi all! There's a few major breaking changes in this release so read carefully.
Breaking changes:
- The function returned by
compileonly accepts strings as values (i.e. no numbers, useString(value)before compiling a path)- For repeated values, when
encode !== false, it must be an array of strings
- For repeated values, when
- Parameter names can contain all unicode identifier characters (defined as regex
\p{XID_Continue}). - Modifiers (
?,*,+) must be used after a param explicitly wrapped in{}- No more implied prefix of
/or.
- No more implied prefix of
- No support for arrays or regexes as inputs
- The wildcard (standalone
*) has been added back and matches Express.js expected behavior - Removed
endsWithoption - Renamed
strict: truetotrailing: false - Reserved
;,,,!, and@for future use-cases - Removed
tokensToRegexp,tokensToFunctionandregexpToFunctionin favor of simplifying exports - Enable a "loose" mode by default, so
/can be repeated multiple times in a matched path (i.e./fooworks like//foo, etc) encodeanddecodeno longer receive the token as the second parameter- Removed the ESM + CommonJS dual package in favor of only one CommonJS supported export
- Minimum JS support for ES2020 (previous ES2015)
- Encode defaults to
encodeURIComponentand decode defaults todecodeURIComponent
Added:
- Adds
encodePathto fix an issue aroundencodebeing used for both path and parameters (the path and parameter should be encoded slightly differently) - Adds
looseas an option to support arbitrarily matching the delimiter in paths, e.g.foo/barandfoo///barshould work the same - Allow
encodeanddecodeto be set tofalsewhich skips all processing of the parameters input/output - All remaining methods support
TokenData(exported, returned byparse) as input- This should be useful if you are programmatically building paths to match or want to avoid parsing multiple times
Requests for feedback:
- Requiring
{}is an obvious drawback but I'm seeking feedback on whether it helps make path behavior clearer- Related: Removing
/and.as implicit prefixes
- Related: Removing
- Removing array and regex support is to reduce the overall package size for things many users don't need
- Unicode IDs are added to align more closely with browser URLPattern behavior, which uses JS identifiers
Updated README
No API changes. Documentation only release.
Changed