pillarjs/path-to-regexp
Last release: 2 months ago
path-to-regexp turns human-readable path patterns like `/user/:name` into regular expressions for matching paths, and it can also convert parameters back into path strings (compile). It is useful for building route matching and generating paths in Node.js apps, with support for parameters, wildcards, and optional path segments.
Project status
- The repository appears actively maintained, with recent tagged updates (v8.4.0 to v8.4.2 between 2026-03-26 and 2026-04-01) and a latest upstream push on 2026-06-01.
- Update cadence looks relatively frequent for this period, with v8.4.1 following v8.4.0 about 4 days later, and v8.4.2 arriving about 2 days after v8.4.1.
AI summary generated Today
Recent updates
v8.4.2
2 months agov8.4.2 focuses on improving parsing and compilation performance while also fixing an error related to trailing backslashes in path patterns. The diff shows a substantial internal rewrite of parse(), removing prior tokenization logic and adding new targeted error cases and benchmarks.
v8.4.1
2 months agov8.4.1 fixes matching regressions related to trie deduplication removal and backtrack handling, specifically around wildcard behavior in non-ending mode and parameter backtracking. The code diff, however, shows a much larger internal rewrite of how path patterns are converted into RegExp source strings, including changes to capture quantifiers and key collection.
Breakingv8.4.0
2 months agoRelease v8.4.0 focuses on security and regex-safety improvements for path-to-regexp generation, including fixes for two CVEs. It also changes how generated regular expressions are built and adds guards against extremely large optional route combinations to prevent runaway regex growth.
Securityv.0.1.13
2 months agov0.1.13 is primarily a security release that fixes CVE-2026-4867 (GHSA-37ch-88jc-xwx2). The core path-to-RegExp implementation was also substantially rewritten, with changes that appear to affect how regular expressions are generated and how match parameter metadata is populated.
Securityv8.3.0
9 months agov8.3.0 focuses on parser and error handling refinements. The release notes mention adding a custom error class, allowing plain objects for `TokenData`, escaping backslashes correctly during stringify, and improving error messages and stack size, along with minifying the parser for smaller output.
Featuresv0.1.12
12/5/2024v0.1.12 focuses on fixing path-regexp backtracking behavior for the 0.1.x branch. The release notes state that the improved protection may cause some previously valid patterns to stop matching.
BreakingSecurityv8.2.0
9/26/2024v8.2.0 release notes only mention a compatibility fix, mainly changing the build target to ES2015 for older browsers and adjusting the generated RegExp flags (removing the `s` dotAll flag). The provided code diff from v6.3.0 to v8.2.0, however, shows a much larger refactor and API/package changes that are not covered by the short release notes.
Breakingv0.1.11
9/12/2024v0.1.11 is documented as adding an error for bad input values. The actual code diff shows a much larger rewrite of the path-to-regexp generation logic, including stricter input validation, new matching behavior options, and new key metadata handling.
BreakingFeaturesv6.3.0
9/12/2024v6.3.0 is described as a targeted fix to reduce catastrophic backtracking in the 6.x regular expression generation. The code diff shows the project also underwent a larger refactor around the parsing and build/export surface, beyond what is mentioned in the release notes.
v8.1.0
9/10/2024Release v8.1.0 is primarily a small surface API refresh, with release notes claiming two additions: bringing back `pathToRegexp` and adding `stringify` for converting `TokenData` into a path string. However, the actual diff shows a much larger public API and option-shape refactor in `src/index.ts`, plus significant parser/compiler behavior changes that are not described in the release notes.
Features