`pnpm audit` shows a vulnerability; `pnpm why` doesn't list it

Question

I'm trying to resolve a security vulnerability Node packages. The vulnerability is reported by both pnpm and Dependabot. The package manager is pnpm on this repo.

pnpm audit shows:

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ path-to-regexp outputs backtracking regular            │
│                     │ expressions                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ path-to-regexp                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=2.0.0 <3.3.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.3.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > *redacted* > *redacted* >                          │
│                     │ @nestjs/platform-fastify@10.3.9 > path-to-regexp@3.2.0 │
│                     │                                                        │
│                     │ . > *redacted* >                                       │
│                     │ @nestjs/platform-fastify@10.3.9 > path-to-regexp@3.2.0 │
│                     │                                                        │
│                     │ . > path-to-regexp@3.2.0                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-9wv6-86v2-598j      │
└─────────────────────┴────────────────────────────────────────────────────────┘

pnpm why path-to-regexp --depth=10 shows

❯ p why path-to-regexp --depth=10
Legend: production dependency, optional only, dev only

*redacted*

dependencies:
*redacted*
├─┬ @nestjs/core 10.4.12 peer
│ ├─┬ @nestjs/platform-express 10.4.12 peer
│ │ └─┬ express 4.21.1
│ │   └── path-to-regexp 0.1.10
│ └── path-to-regexp 3.3.0
├─┬ @nestjs/platform-express 10.4.12 peer
│ ├─┬ @nestjs/core 10.4.12 peer
│ │ └── path-to-regexp 3.3.0
│ └─┬ express 4.21.1
│   └── path-to-regexp 0.1.10
├─┬ @nestjs/testing 10.4.12 peer
│ ├─┬ @nestjs/core 10.4.12 peer
│ │ └── path-to-regexp 3.3.0
│ └─┬ @nestjs/platform-express 10.4.12 peer
│   └─┬ express 4.21.1
│     └── path-to-regexp 0.1.10
└─┬ nestjs-console 9.0.0 peer
  └─┬ @nestjs/core 10.4.12 peer
    └── path-to-regexp 3.3.0
*redacted*
└─┬ *redacted* peer
  └─┬ @nestjs/swagger 8.0.7 peer
    ├─┬ @nestjs/core 10.4.12 peer
    │ ├─┬ @nestjs/platform-express 10.4.12 peer
    │ │ └─┬ express 4.21.1
    │ │   └── path-to-regexp 0.1.10
    │ └── path-to-regexp 3.3.0
    └── path-to-regexp 3.3.0

devDependencies:
@nestjs/testing 10.4.12
├─┬ @nestjs/core 10.4.12 peer
│ ├─┬ @nestjs/platform-express 10.4.12 peer
│ │ └─┬ express 4.21.1
│ │   └── path-to-regexp 0.1.10
│ └── path-to-regexp 3.3.0
└─┬ @nestjs/platform-express 10.4.12 peer
  ├─┬ @nestjs/core 10.4.12 peer
  │ └── path-to-regexp 3.3.0
  └─┬ express 4.21.1
    └── path-to-regexp 0.1.10
nestjs-console 9.0.0
└─┬ @nestjs/core 10.4.12 peer
  ├─┬ @nestjs/platform-express 10.4.12 peer
  │ └─┬ express 4.21.1
  │   └── path-to-regexp 0.1.10
  └── path-to-regexp 3.3.0

Nowhere does pnpm why show path-to-regexp@3.2.0, so it's unclear to me where the vulnerable dependency is coming from. Dependabot and pnpm audit both flag the same vulnerability.

What am I missing? Thanks.

---

Interestingly this is in pnpm.lock:

  '@nestjs/platform-fastify@10.3.9(@nestjs/common@10.4.12(class-transformer@0.5.1)(class-validator@0.14.1)(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.4.12)':
    dependencies:
      '@fastify/cors': 9.0.1
      '@fastify/formbody': 7.4.0
      '@fastify/middie': 8.3.1
      '@nestjs/common': 10.4.12(class-transformer@0.5.1)(class-validator@0.14.1)(reflect-metadata@0.2.2)(rxjs@7.8.1)
      '@nestjs/core': 10.4.12(@nestjs/common@10.4.12(class-transformer@0.5.1)(class-validator@0.14.1)(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.4.12)(reflect-metadata@0.2.2)(rxjs@7.8.1)
      fastify: 4.27.0
      light-my-request: 5.13.0
      path-to-regexp: 3.2.0
      tslib: 2.6.2

but I'm not sure why.

Answer 1

As Estus Flask mentioned, the resolved dependency in the pnpm.lock file was the culprit. Overriding the dependency resolves the vulnerability. In package.json:

  "pnpm": {
    "overrides": {
      "path-to-regexp@>=3.2.0 <3.3.0": "^3.3.0"
    }
  },

This means "for each transitive dependency path-to-regexp between 3.2.0 inclusive and 3.3.0 exclusive, use path-to-regexp version 3.3.0 or higher, up to but not including 4.0.0". This means that vulnerable packages are patched, but higher versions are ignored.