chore(deps): update dependency express>path-to-regexp to ^0.2.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
express>path-to-regexp	^0.1.13 → ^0.2.0

---

Release Notes

pillarjs/path-to-regexp (express>path-to-regexp)

v0.2.5

Compare Source

• Allow keys parameter to be omitted

v0.2.4

Compare Source

• Code coverage badge
• Updated readme
• Attach keys to the generated regexp

v0.2.3

Compare Source

• Add MIT license

v0.2.2

Compare Source

• A passed in trailing slash in non-strict mode will become optional
• In non-end mode, the optional trailing slash will only match at the end

v0.2.1

Compare Source

• Fixed a major capturing group regexp regression

v0.2.0

Compare Source

• Improved support for arrays
• Improved support for regexps
• Better support for non-ending strict mode matches with a trailing slash
• Travis CI support
• Block using regexp special characters in the path
• Removed support for the asterisk to match all
• New support for parameter suffixes - *, + and ?
• Updated readme
• Provide delimiter information with keys array

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Summary by cubic

Update the override to express>path-to-regexp from ^0.1.13 to ^0.2.0 to pick up bug fixes and improved route param matching. This only affects Express’s internal route matching; no app code changes.

• Dependencies

  • Bumped express>path-to-regexp to ^0.2.0.

• Migration

  • If any routes use bare wildcards like /*, replace with /:rest* or /(.*).

^{Written for commit aa16919. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
react-email	Ready	Preview, Comment	Apr 16, 2026 6:26pm
react-email-demo	Ready	Preview, Comment	Apr 16, 2026 6:26pm

[cubic-dev-ai]

1 issue found across 2 files

Confidence score: 3/5

• There is a concrete regression risk in package.json: pinning Express 4.x to path-to-regexp@^0.2.0 may change route matching behavior compared with the expected 0.1.x line.
• The issue is moderately severe (7/10) with solid confidence (7/10), so this is not a merge-blocker by itself but it does introduce user-facing routing uncertainty.
• This PR can likely merge safely after confirming route compatibility or reverting the override to the 0.1.x range for Express 4.
• Pay close attention to package.json - dependency override may alter route pattern semantics and break existing routes.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="package.json">

<violation number="1" location="package.json:71">
P1: Forcing Express 4.x to `path-to-regexp@^0.2.0` can break route matching semantics. Keep Express 4 on the `0.1.x` line unless you also validate/migrate route patterns for the behavior changes.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Forcing Express 4.x to path-to-regexp@^0.2.0 can break route matching semantics. Keep Express 4 on the 0.1.x line unless you also validate/migrate route patterns for the behavior changes.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 71:

<comment>Forcing Express 4.x to `path-to-regexp@^0.2.0` can break route matching semantics. Keep Express 4 on the `0.1.x` line unless you also validate/migrate route patterns for the behavior changes.</comment>

<file context>
@@ -68,7 +68,7 @@
       "express>body-parser": "^1.20.3",
       "express>cookie": "^0.7.0",
-      "express>path-to-regexp": "^0.1.13",
+      "express>path-to-regexp": "^0.2.0",
       "express>qs": "^6.14.2",
       "express>send": "^0.19.0",
</file context>

Suggested change

	"express>path-to-regexp": "^0.2.0",
	"express>path-to-regexp": "^0.1.13",

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^0.2.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.