
Conversation


@omer-topal omer-topal commented Jan 13, 2026

Summary by CodeRabbit

  • Chores
    • Updated documentation dependencies and resolved dependency version conflicts.


@omer-topal omer-topal requested a review from ucatbas January 13, 2026 12:35

coderabbitai bot commented Jan 13, 2026

Walkthrough

The docs/package.json file is updated to bump the mintlify dependency from ^4.2.219 to ^4.2.269. Additionally, a new top-level "overrides" object is introduced to specify pinned versions for seven packages: axios, path-to-regexp, body-parser, qs, zod, express, and tar.

Changes

Cohort: Dependency and Override Updates
File(s): docs/package.json
Summary: Mintlify dependency bumped from ^4.2.219 to ^4.2.269; new "overrides" object added with pinned versions for 7 packages (axios, path-to-regexp, body-parser, qs, zod, express, tar) to enforce specific dependency versions

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hops through dependencies with glee,
Overrides set for harmony,
Versions locked in place so tight,
Mintlify's up—all feels right!
A little bump, a package dance,
To keep the docs' performance enhanced!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main change: adding npm overrides to address vulnerable dependencies in the docs/package.json file.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



codecov bot commented Jan 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.56%. Comparing base (d2e2b94) to head (0ebe1e3).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2730      +/-   ##
==========================================
+ Coverage   82.55%   82.56%   +0.02%     
==========================================
  Files          74       74              
  Lines        8125     8125              
==========================================
+ Hits         6707     6708       +1     
+ Misses        903      902       -1     
  Partials      515      515              


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @docs/package.json:
- Around line 24-32: The overrides block sets axios to an outdated patch; update
the "overrides" entry for axios from "^1.12.0" to "^1.13.2" (or to the exact
patch "1.13.2" if you prefer pinned security-critical versions) so the
package.json uses the latest axios patch; locate the "overrides" object and
change the axios version string accordingly.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2e2b94 and 0ebe1e3.

⛔ Files ignored due to path filters (1)
  • docs/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • docs/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Scan Container for Vulnerabilities
  • GitHub Check: Test with Coverage
  • GitHub Check: Analyze (go)
🔇 Additional comments (1)
docs/package.json (1)

11-11: LGTM on mintlify version bump.

Updating to a newer mintlify version is appropriate alongside the security overrides.

Comment on lines +24 to +32
"overrides": {
"axios": "^1.12.0",
"path-to-regexp": "^0.1.12",
"body-parser": "^1.20.3",
"qs": "^6.14.1",
"zod": "^3.22.3",
"express": "^4.19.2",
"tar": "^6.2.1"
}
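Review bot: a top-level entry in "overrides" applies to every copy of that package in the tree, not only to the one under express, so "path-to-regexp": "^0.1.12" is also forced onto any dependency that requires the 6.x or 8.x line of path-to-regexp, which this review itself notes is not API-compatible with 0.1.x; "express": "^4.19.2" and "zod": "^3.22.3" carry the same risk. Because docs/package-lock.json is excluded from this review, the resolved tree cannot be checked here; suggest scoping the override to its consumer with npm's nested form, e.g. "express": { "path-to-regexp": "^0.1.12" }, and running npm ls path-to-regexp to confirm that no other dependency expected a newer major.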

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Check if packages and versions exist on npm
echo "=== Checking package versions on npm ==="
npm search axios --json 2>/dev/null | jq -r '.[0] | "axios latest: \(.version)"' || echo "axios check completed"
npm search path-to-regexp --json 2>/dev/null | jq -r '.[0] | "path-to-regexp latest: \(.version)"' || echo "path-to-regexp check completed"

# Alternative: Use npm view directly
echo ""
echo "=== Checking versions via npm view ==="
npm view axios@1.12.0 version 2>/dev/null && echo "✓ axios@1.12.0 exists"
npm view path-to-regexp@0.1.12 version 2>/dev/null && echo "✓ path-to-regexp@0.1.12 exists"
npm view body-parser@1.20.3 version 2>/dev/null && echo "✓ body-parser@1.20.3 exists"
npm view qs@6.14.1 version 2>/dev/null && echo "✓ qs@6.14.1 exists"
npm view zod@3.22.3 version 2>/dev/null && echo "✓ zod@3.22.3 exists"
npm view express@4.19.2 version 2>/dev/null && echo "✓ express@4.19.2 exists"
npm view tar@6.2.1 version 2>/dev/null && echo "✓ tar@6.2.1 exists"

# Get latest versions for comparison
echo ""
echo "=== Latest versions ==="
npm view axios version 2>/dev/null | head -1
npm view path-to-regexp version 2>/dev/null | head -1
npm view body-parser version 2>/dev/null | head -1
npm view qs version 2>/dev/null | head -1
npm view zod version 2>/dev/null | head -1
npm view express version 2>/dev/null | head -1
npm view tar version 2>/dev/null | head -1

Repository: Permify/permify

Length of output: 469


🌐 Web query:

CVE-2024-45296 path-to-regexp ReDoS vulnerability security advisory

💡 Result:

Summary — CVE-2024-45296 (path-to-regexp): an inefficient-regular-expression (ReDoS) flaw that can block the Node.js event loop when path-to-regexp generates a backtracking-prone regex (typically when two parameters appear in the same segment separated by a non-dot character, e.g. /:a-:b). An attacker can trigger excessive backtracking with a long crafted path and cause Denial‑of‑Service. [1][2]

Affected versions (per public advisories)

  • Many 0.x, 1.x, 2.x–7.x releases of path-to-regexp (ranges vary by source). Users commonly advised that 0.0.2–7.2.0 and other 0.1/0.2/2.x–7.x lines are impacted; consult your dependency tree. [2][3]

Mitigation / fix

  • Upgrade path-to-regexp to a patched release (guidance: upgrade 0.1→0.1.10 for the 0.1 line; or upgrade to 8.0.0 which removes the dangerous behavior). If you cannot immediately upgrade, avoid route patterns with multiple params in one segment (e.g. /:a-:b) and validate/limit untrusted path input. [1][3][4]

References

  • NVD summary for CVE-2024-45296. [1]
  • Snyk / public vulnerability writeups summarizing affected versions and fixes. [3]
  • Public advisories / vulnerability databases (examples: Rapid7 / Vuln trackers) describing the ReDoS details and upgrade guidance. [4]

If you want, I can: (a) check your project's package-lock / yarn.lock for path-to-regexp usages and show whether you’re vulnerable, or (b) fetch exact patched versions for a specific package version you have. Which would you like?


🌐 Web query:

npm security advisories path-to-regexp 0.1.12 regular expression denial of service

💡 Result:

Summary: path-to-regexp versions before 0.1.12 contain a Regular Expression Denial of Service (ReDoS) vulnerability (reported as CVE-2024-52798 / related to CVE-2024-45296). It can be triggered by generated regexes that allow catastrophic backtracking (e.g., two parameters in one segment like /:a-:b or certain user-supplied patterns). The issue is fixed in 0.1.12 — upgrade or constrain parameter regexes. [1][2][3]

Action:

  • Upgrade: npm install path-to-regexp@0.1.12 (or a later non‑vulnerable release). [1][4]
  • Workarounds: avoid two params in a single segment with a non-dot separator (e.g. don’t use /:a-:b) or explicitly provide non‑overlapping regexes for parameters. [1][3]

References:

  • GitHub advisory (patched in 0.1.12). [1]
  • pillarjs security advisory (details, affected versions, mitigation). [2]
  • CVE / writeups summarizing exploitation and examples. [3]
  • Snyk advisory (remediation guidance). [4]

Security overrides approach is sound; however, axios should be bumped to the latest patch.

All specified override versions exist and are appropriate. Notably, path-to-regexp@0.1.12 correctly addresses CVE-2024-45296 (the ReDoS vulnerability). The 0.1.x line is intentional for express 4.x compatibility and avoids the breaking changes in path-to-regexp 8.x.

However, axios@1.12.0 is outdated—the latest patch is 1.13.2. Update to "axios": "^1.13.2" to include the most recent security and bug fixes. The other versions (qs@6.14.1 is already at latest; body-parser, express, tar, and zod are intentionally held at older majors for compatibility) are acceptable.

Consider replacing caret ranges with exact versions in security-critical overrides (e.g., 1.13.2 instead of ^1.13.2) for maximum control, though the current approach still enforces minimum patched versions.

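A check a maintainer could run after merging, added here as an example that is not part of this PR or of the Permify code base: it reads the overrides map and a package-lock.json (both embedded below as constructed samples) and flags any installed copy of an overridden package whose version does not satisfy the override, which is how a stale lock file or an unhandled nested copy would show up. The semver handling is a deliberately minimal assumption covering only the exact, caret and tilde forms used in overrides.

```javascript
// Added example (not code from the PR or from Permify): audit package-lock.json against
// the "overrides" map in package.json. An npm override applies to every copy of the
// package in the tree, so each node_modules/.../<name> lock entry must satisfy it.
const parseVer = (v) => v.split('-')[0].split('.').map(Number); // "1.2.3-rc.1" -> [1,2,3]
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  return 0;
};
// Range check for the forms used in overrides: "x.y.z" (exact), "^x.y.z", "~x.y.z".
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const min = parseVer(op ? range.slice(1) : range);
  const got = parseVer(version);
  if (cmp(got, min) < 0) return false;           // below the patched floor
  if (op === '') return cmp(got, min) === 0;      // exact pin
  if (op === '~') return got[0] === min[0] && got[1] === min[1];
  // caret: same major, except that for 0.x the minor is the compatibility unit
  return min[0] === 0 ? got[0] === 0 && got[1] === min[1] : got[0] === min[0];
}

// One finding per installed copy of each overridden package ("ok" | "violation"),
// or a single "absent" finding when no copy is installed at all.
function auditOverrides(pkg, lock) {
  const findings = [];
  for (const [name, range] of Object.entries(pkg.overrides || {})) {
    if (typeof range !== 'string') continue; // nested per-consumer overrides not handled
    const paths = Object.keys(lock.packages).filter(
      (p) => p === 'node_modules/' + name || p.endsWith('/node_modules/' + name));
    if (paths.length === 0) findings.push({ name, path: null, version: null, range, status: 'absent' });
    for (const p of paths) {
      const version = lock.packages[p].version;
      findings.push({ name, path: p, version, range, status: satisfies(version, range) ? 'ok' : 'violation' });
    }
  }
  return findings;
}

// Constructed sample: three of the PR's overrides, and a lock that still carries a
// stale nested path-to-regexp under express (what a lock not regenerated after the
// override was added would look like).
const samplePkg = { overrides: { axios: '^1.12.0', 'path-to-regexp': '^0.1.12', tar: '^6.2.1' } };
const sampleLock = { packages: {
  'node_modules/axios': { version: '1.12.2' },
  'node_modules/express': { version: '4.19.2' },
  'node_modules/express/node_modules/path-to-regexp': { version: '0.1.10' },
  'node_modules/tar': { version: '6.2.1' },
} };
for (const f of auditOverrides(samplePkg, sampleLock)) {
  console.log(`${f.status.padEnd(9)} ${f.name}@${f.version} at ${f.path} (override ${f.range})`);
}
```

Against the real tree, replace the samples with JSON.parse(fs.readFileSync('docs/package.json')) and the matching package-lock.json; npm ls <name> gives the same answer for one package at a time.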

@ucatbas ucatbas merged commit 4b1a556 into master Jan 13, 2026
15 checks passed
@ucatbas ucatbas deleted the security/npm-overrides-mintlify-audit branch January 13, 2026 15:37