
[cg-fixer] CVE-2026-4867: bump path-to-regexp to 0.1.13 #27080

Open
RishhiB wants to merge 1 commit into main from cg-fixer/CVE-2026-4867

Conversation

@RishhiB (Contributor) commented Apr 17, 2026

Description

Resolves the CG alert for path-to-regexp@0.1.12 (CVE-2026-4867, high severity). Regenerates five affected pnpm lockfiles so the 0.1.x resolution moves to 0.1.13; no pnpm.overrides entry is needed since the dependency graph naturally resolves to the patched version once the lockfiles are regenerated.

Only the 0.1.x range is affected by this CVE. Newer major versions (1.9.0, 3.3.0, 8.2.0, 8.4.2) that coexist in these lockfiles already ship the fix and are untouched.

Lockfiles changed

  • pnpm-lock.yaml: path-to-regexp@0.1.12 → 0.1.13
  • docs/pnpm-lock.yaml: path-to-regexp@0.1.12 → 0.1.13
  • server/routerlicious/pnpm-lock.yaml: path-to-regexp@0.1.12 → 0.1.13
  • server/gitrest/pnpm-lock.yaml: path-to-regexp@0.1.12 → 0.1.13
  • server/historian/pnpm-lock.yaml: path-to-regexp@0.1.12 → 0.1.13

Overrides

None. An override was applied temporarily to force the lockfile to pick up the patched version, then removed in Step 5 of the agentic-cg-override skill. Re-running pnpm install without the override kept every affected lockfile on 0.1.13, confirming the graph naturally resolves to a safe version.

Sanity check

  • Lockfile churn scoped to target: yes. The four server/docs lockfiles change only the path-to-regexp@0.1.12 → 0.1.13 entries. The root pnpm-lock.yaml additionally grows a set of typescript@5.9.3-suffixed snapshot contexts for existing eslint/typescript-eslint packages — this is pnpm re-selecting among already-present typescript versions (5.4.5 and 5.9.3 both remain in the lockfile) and introduces no new top-level package versions.
  • Suspicious version changes: none. No major-version bumps on unrelated packages; no packages removed or newly introduced.

Verification

  • pnpm install --no-frozen-lockfile succeeds in each affected workspace.
  • grep 'path-to-regexp@' <lockfile> shows only 0.1.13 (along with unaffected majors 1.x, 3.x, 8.x) in every affected lockfile.

Reviewer Guidance

The review process is outlined on this wiki page.

Root pnpm-lock.yaml has a larger diff than the others (+295/-16) because pnpm re-resolved the @fluidframework/eslint-config-fluid binding to the typescript@5.9.3 context that already exists in the lockfile. This is pure resolution context churn — both typescript@5.4.5 and typescript@5.9.3 were already present before this change.


Generated via the agentic-cg-override skill.
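The grep-based verification in the description, turned into a repeatable check, as an added example (not code from the PR, the cg-fixer tooling, or the FluidFramework repository): it lists every path-to-regexp version a pnpm lockfile resolves to and exits non-zero if any 0.1.x resolution below 0.1.13 remains, while leaving the coexisting 1.x/3.x/8.x majors alone, since only the 0.1.x line is in the affected range. The lockfile text is constructed inline with placeholder integrity values; the function names and the `grep -oE`/`sed -E` usage are the example's own assumptions, not anything the PR specifies.

```shell
#!/bin/sh
# Added example, not code from the PR or the FluidFramework repository.
# Lists the path-to-regexp versions a pnpm lockfile resolves to and fails if
# any 0.1.x resolution is older than 0.1.13 (the range the PR says is
# affected). The lockfile contents below are constructed for illustration;
# integrity values are placeholders.

# Print every distinct path-to-regexp version in the lockfile, one per line.
# Matches both package/snapshot keys ("path-to-regexp@0.1.13:") and
# dependency entries ("path-to-regexp: 0.1.13").
ptr_versions() {
  grep -oE 'path-to-regexp(@|: )[0-9][0-9.]*' "$1" \
    | sed -E 's/^path-to-regexp(@|: )//' \
    | sort -u
}

# Return 0 when no vulnerable 0.1.x resolution remains, 1 otherwise.
# Newer majors (1.x, 3.x, 8.x) coexisting in the same lockfile are ignored.
ptr_check_fixed() {
  rc=0
  for v in $(ptr_versions "$1"); do
    case "$v" in
      0.1.*)
        patch=${v#0.1.}
        if [ "$patch" -lt 13 ]; then
          echo "vulnerable: path-to-regexp@$v in $1" >&2
          rc=1
        fi
        ;;
    esac
  done
  return $rc
}

# Write a minimal, constructed pnpm v9 lockfile that pins the 0.1.x line of
# path-to-regexp at $2 alongside an unaffected 8.4.2 entry.
write_sample_lock() {
  cat > "$1" <<EOF
lockfileVersion: '9.0'

packages:

  express@4.21.2:
    resolution: {integrity: sha512-placeholder}

  path-to-regexp@$2:
    resolution: {integrity: sha512-placeholder}

  path-to-regexp@8.4.2:
    resolution: {integrity: sha512-placeholder}

snapshots:

  express@4.21.2:
    dependencies:
      path-to-regexp: $2

  path-to-regexp@$2: {}

  path-to-regexp@8.4.2: {}
EOF
}

# Before/after fixtures: the state the CG alert fired on, and the bumped one.
BEFORE_LOCK=$(mktemp)
AFTER_LOCK=$(mktemp)
trap 'rm -f "$BEFORE_LOCK" "$AFTER_LOCK"' EXIT
write_sample_lock "$BEFORE_LOCK" 0.1.12
write_sample_lock "$AFTER_LOCK" 0.1.13

for f in "$BEFORE_LOCK" "$AFTER_LOCK"; do
  if ptr_check_fixed "$f"; then
    echo "$f: ok ($(ptr_versions "$f" | tr '\n' ' '))"
  else
    echo "$f: still vulnerable"
  fi
done
```

Run `ptr_check_fixed` against each of the five lockfiles listed in the description to get a non-zero exit on any lockfile still resolving 0.1.12; that is a tighter gate than reading grep output by eye, and it also catches a dependency entry (`path-to-regexp: 0.1.12`) that a `path-to-regexp@` grep alone would miss.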

Copilot AI review requested due to automatic review settings April 17, 2026 18:36
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

Files not reviewed (5)
  • docs/pnpm-lock.yaml: Language not supported
  • pnpm-lock.yaml: Language not supported
  • server/gitrest/pnpm-lock.yaml: Language not supported
  • server/historian/pnpm-lock.yaml: Language not supported
  • server/routerlicious/pnpm-lock.yaml: Language not supported

@github-actions
Contributor

🔗 No broken links found! ✅

Your attention to detail is admirable.

linkcheck output


> fluid-framework-docs-site@0.0.0 ci:check-links /home/runner/work/FluidFramework/FluidFramework/docs
> start-server-and-test "npm run serve -- --no-open" 3000 check-links

1: starting server using command "npm run serve -- --no-open"
and when url "[ 'http://127.0.0.1:3000' ]" is responding with HTTP status code 200
running tests using command "npm run check-links"


> fluid-framework-docs-site@0.0.0 serve
> docusaurus serve --no-open

[SUCCESS] Serving "build" directory at: http://localhost:3000/

> fluid-framework-docs-site@0.0.0 check-links
> linkcheck http://localhost:3000 --skip-file skipped-urls.txt

Crawling...

Stats:
  287071 links
    1898 destination URLs
    2148 URLs ignored
       0 warnings
       0 errors


