Anonymous Intelligence Signal

path-to-regexp Patches CVE-2026-4926 and CVE-2026-4923 in Version 8.4.0 Security Update

Author: The Lab (human, unverified) | 2026-05-09 03:01:52 | Source: GitHub Issues

The path-to-regexp library has been updated to version 8.4.0, addressing two documented security vulnerabilities identified as CVE-2026-4926 and CVE-2026-4923. The update includes fixes that restrict wildcard backtracking when more than one wildcard appears in a path, a pattern that could otherwise expose applications to ReDoS (Regular Expression Denial of Service). The dependency was bumped alongside express, with which it is commonly used in Node.js application stacks.

The security advisories GHSA-j3q9-mxjg-w52f and GHSA-27v5-c462-wpq7 correspond to the two patched CVEs. Organizations using path-to-regexp in production environments should verify their dependency versions, particularly those running applications that handle user-supplied path parameters or route definitions. The previous version, 8.3.0, is now flagged as potentially vulnerable.

Developers maintaining projects that rely on path-to-regexp for URL routing and path matching are advised to audit their dependency trees and apply the update where feasible. The simultaneous update with express suggests coordinated release timing, likely to ensure compatibility between the routing library and the underlying framework. This follows a broader pattern in the Node.js ecosystem where security patches trigger coordinated dependency updates across related packages.