Hi Lighthouse CI team 👋
While reviewing dependencies in our project, we noticed that @lhci/cli still depends on Express 4, which pulls in an outdated version of [email protected].
Unfortunately, all versions <3.3.0 are considered vulnerable to ReDoS (Regular Expression Denial of Service) attacks (see the Snyk advisory).
Current dependency chain
@lhci/[email protected]
└─ [email protected]
   └─ [email protected]
Why this matters
- Security scanners (npm audit, Snyk, Dependabot) flag this as a vulnerability.
- Since there’s no patched 0.1.x branch, the only fix is upgrading to ≥3.3.0.
- This leaves projects with a permanent audit warning if they rely on @lhci/cli.
Possible solutions
- Upgrade Lighthouse CI’s internal routing to a newer Express version that uses path-to-regexp >=3.3.0.
- Replace Express entirely (only a subset of its functionality may be needed for LHCI).
- Alternatively, add a plan for moving off express@4 to reduce dependency risk.
Questions
- Is there already a roadmap for migrating off Express 4 in LHCI?
- Would you accept a PR that replaces or upgrades the routing layer?
Thanks for maintaining Lighthouse CI.