## Security Patch: High-Severity ReDoS Vulnerability in Lighthouse CI Toolchain Fixed via pnpm Override
A high-severity security vulnerability in a critical dependency chain has been patched using a targeted package manager override. The fix addresses a confirmed ReDoS (Regular Expression Denial of Service) flaw in the `path-to-regexp` library, version 0.1.12, which was being pulled in as a transitive dependency. This vulnerable component was buried within the toolchain of `@lhci/cli`, the command-line interface for Google's Lighthouse CI performance testing framework, via the `express` web server library.

The vulnerability, tracked as GHSA-37ch-88jc-xwx2, is rated as high severity. It stems from the library's failure to properly sanitize specific regex patterns in route parameters, creating a vector for a denial-of-service attack. Because the vulnerable version is a peer dependency controlled by an automated update tool (Renovate), direct patching was not feasible. The remediation involved adding a specific version override (`path-to-regexp: ">=0.1.13"`) to the `pnpm.overrides` section of the project's configuration, forcing the use of the patched version.
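A verification step that follows from this remediation, written here as an added example and not code from the original report or from the Lighthouse CI project: a Node script that confirms the override is declared and that every `path-to-regexp` version pinned in `pnpm-lock.yaml` is at or above 0.1.13. The lockfile excerpts and the package.json object are constructed, and the lockfile key layouts it matches (v6 `/name@version:` and v9 `name@version:`) are an assumption about pnpm's format.

```javascript
// Added example, not from the original post or the Lighthouse CI project:
// confirm that a pnpm override for path-to-regexp actually landed by checking
// package.json together with the resolved versions in pnpm-lock.yaml.
const PATCHED_FLOOR = "0.1.13"; // first version the override requires

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator on major.minor.patch; pre-release tags are ignored for brevity.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every distinct path-to-regexp version resolved in the lockfile. Matches
// lockfile v6 keys ("/path-to-regexp@0.1.12:") and v9 keys
// ("path-to-regexp@0.1.12:"), including peer-suffixed keys like "...(x@1):".
function resolvedVersions(lockText) {
  const re = /^\s*\/?path-to-regexp@(\d+\.\d+\.\d+)[^:\n]*:/gm;
  const found = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) found.add(m[1]);
  return [...found].sort(compareSemver);
}

// ok only when the override declares a floor at or above PATCHED_FLOOR and no
// resolved version falls below it. `resolved` lists everything the lockfile
// pinned, so an override that pulled in an unexpected newer major is visible.
function verifyOverride(packageJson, lockText) {
  const overrides = (packageJson.pnpm && packageJson.pnpm.overrides) || {};
  const spec = overrides["path-to-regexp"] || "";
  const floor = /^>=\s*(\d+\.\d+\.\d+)$/.exec(spec);
  const overrideDeclared = !!floor && compareSemver(floor[1], PATCHED_FLOOR) >= 0;
  const resolved = resolvedVersions(lockText);
  const vulnerable = resolved.filter((v) => compareSemver(v, PATCHED_FLOOR) < 0);
  return { overrideDeclared, resolved, vulnerable, ok: overrideDeclared && vulnerable.length === 0 };
}

// Constructed lockfile excerpts (integrity hashes are placeholders).
const LOCK_BEFORE = `lockfileVersion: '9.0'
packages:
  path-to-regexp@0.1.12:
    resolution: {integrity: sha512-PLACEHOLDER}
`;
const LOCK_AFTER = LOCK_BEFORE.replace(/0\.1\.12/g, "0.1.13");
const PKG_AFTER = { name: "demo", pnpm: { overrides: { "path-to-regexp": ">=0.1.13" } } };
```

Run it against the real files by reading `package.json` and `pnpm-lock.yaml` from disk and passing them to `verifyOverride`; a declared override with a stale lockfile still reports `ok: false`, which is the case to watch for after editing overrides without reinstalling.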

This targeted fix has resolved the high-severity issue within the CI pipeline. The post-remediation security audit now passes the configured threshold; the only remaining findings are two low-severity advisories for the `tmp` package, which fall below the CI's failure level. The change unblocks development and deployment workflows that were potentially exposed to the ReDoS risk through the performance testing infrastructure.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, ReDoS, dependency, CI/CD
- **Credibility**: unverified
- **Published**: 2026-03-28 10:26:59
- **ID**: 38933
- **URL**: https://whisperx.ai/en/intel/38933