Gathering detailed insights and metrics for path-to-regexp
Gathering detailed insights and metrics for path-to-regexp
Turn a path string such as `/user/:name` into a regular expression
Installations
npm install path-to-regexpDeveloper Guide
BETA
Typescript
No
Module System
CommonJS, ESM
Min. Node Version
>=16
Node Version
20.12.1
NPM Version
10.5.0
Score
99.8
Supply Chain
99.5
Quality
87.5
Maintenance
100
Vulnerability
100
License
Releases
29
Languages
1
TypeScript
TypeScript (100%)
Developer
pillarjs
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
8,441 Stars
349 Commits
437 Forks
65 Watchers
18 Branches
52 Contributors
Updated on Jul 14, 2025
Maintainers
5
Package Meta Information
Latest Version
8.2.0
Package Id
path-to-regexp@8.2.0
Unpacked Size
53.95 kB
Size
13.17 kB
File Count
6
NPM Version
10.5.0
Node Version
20.12.1
Published on
Sep 26, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Path-to-RegExp
Turn a path string such as
/user/:nameinto a regular expression.
Installation
npm install path-to-regexp --save
Usage
1const { 2 match, 3 pathToRegexp, 4 compile, 5 parse, 6 stringify, 7} = require("path-to-regexp");
Parameters
Parameters match arbitrary strings in a path by matching up to the end of the segment, or up to any proceeding tokens. They are defined by prefixing a colon to the parameter name (:foo). Parameter names can use any valid JavaScript identifier, or be double quoted to use other characters (:"param-name").
1const fn = match("/:foo/:bar"); 2 3fn("/test/route"); 4//=> { path: '/test/route', params: { foo: 'test', bar: 'route' } }
Wildcard
Wildcard parameters match one or more characters across multiple segments. They are defined the same way as regular parameters, but are prefixed with an asterisk (*foo).
1const fn = match("/*splat"); 2 3fn("/bar/baz"); 4//=> { path: '/bar/baz', params: { splat: [ 'bar', 'baz' ] } }
Optional
Braces can be used to define parts of the path that are optional.
1const fn = match("/users{/:id}/delete"); 2 3fn("/users/delete"); 4//=> { path: '/users/delete', params: {} } 5 6fn("/users/123/delete"); 7//=> { path: '/users/123/delete', params: { id: '123' } }
Match
The match function returns a function for matching strings against a path:
- path String or array of strings.
- options (optional) (Extends pathToRegexp options)
- decode Function for decoding strings to params, or
falseto disable all processing. (default:decodeURIComponent)
- decode Function for decoding strings to params, or
1const fn = match("/foo/:bar");
Please note: path-to-regexp is intended for ordered data (e.g. paths, hosts). It can not handle arbitrarily ordered data (e.g. query strings, URL fragments, JSON, etc).
PathToRegexp
The pathToRegexp function returns a regular expression for matching strings against paths. It
- path String or array of strings.
- options (optional) (See parse for more options)
- sensitive Regexp will be case sensitive. (default:
false) - end Validate the match reaches the end of the string. (default:
true) - delimiter The default delimiter for segments, e.g.
[^/]for:namedparameters. (default:'/') - trailing Allows optional trailing delimiter to match. (default:
true)
- sensitive Regexp will be case sensitive. (default:
1const { regexp, keys } = pathToRegexp("/foo/:bar");
Compile ("Reverse" Path-To-RegExp)
The compile function will return a function for transforming parameters into a valid path:
- path A string.
- options (See parse for more options)
- delimiter The default delimiter for segments, e.g.
[^/]for:namedparameters. (default:'/') - encode Function for encoding input strings for output into the path, or
falseto disable entirely. (default:encodeURIComponent)
- delimiter The default delimiter for segments, e.g.
1const toPath = compile("/user/:id"); 2 3toPath({ id: "name" }); //=> "/user/name" 4toPath({ id: "café" }); //=> "/user/caf%C3%A9" 5 6const toPathRepeated = compile("/*segment"); 7 8toPathRepeated({ segment: ["foo"] }); //=> "/foo" 9toPathRepeated({ segment: ["a", "b", "c"] }); //=> "/a/b/c" 10 11// When disabling `encode`, you need to make sure inputs are encoded correctly. No arrays are accepted. 12const toPathRaw = compile("/user/:id", { encode: false }); 13 14toPathRaw({ id: "%3A%2F" }); //=> "/user/%3A%2F"
Stringify
Transform TokenData (a sequence of tokens) back into a Path-to-RegExp string.
- data A
TokenDatainstance
1const data = new TokenData([ 2 { type: "text", value: "/" }, 3 { type: "param", name: "foo" }, 4]); 5 6const path = stringify(data); //=> "/:foo"
Developers
- If you are rewriting paths with match and compile, consider using
encode: falseanddecode: falseto keep raw paths passed around. - To ensure matches work on paths containing characters usually encoded, such as emoji, consider using encodeurl for
encodePath.
Parse
The parse function accepts a string and returns TokenData, the set of tokens and other metadata parsed from the input string. TokenData is can used with match and compile.
- path A string.
- options (optional)
- encodePath A function for encoding input strings. (default:
x => x, recommended:encodeurl)
- encodePath A function for encoding input strings. (default:
Tokens
TokenData is a sequence of tokens, currently of types text, parameter, wildcard, or group.
Custom path
In some applications, you may not be able to use the path-to-regexp syntax, but still want to use this library for match and compile. For example:
1import { TokenData, match } from "path-to-regexp"; 2 3const tokens = [ 4 { type: "text", value: "/" }, 5 { type: "parameter", name: "foo" }, 6]; 7const path = new TokenData(tokens); 8const fn = match(path); 9 10fn("/test"); //=> { path: '/test', index: 0, params: { foo: 'test' } }
Errors
An effort has been made to ensure ambiguous paths from previous releases throw an error. This means you might be seeing an error when things worked before.
Unexpected ? or +
In past releases, ?, *, and + were used to denote optional or repeating parameters. As an alternative, try these:
- For optional (
?), use an empty segment in a group such as/:file{.:ext}. - For repeating (
+), only wildcard matching is supported, such as/*path. - For optional repeating (
*), use a group and a wildcard parameter such as/files{/*path}.
Unexpected (, ), [, ], etc.
Previous versions of Path-to-RegExp used these for RegExp features. This version no longer supports them so they've been reserved to avoid ambiguity. To use these characters literally, escape them with a backslash, e.g. "\\(".
Missing parameter name
Parameter names must be provided after : or *, and they must be a valid JavaScript identifier. If you want an parameter name that isn't a JavaScript identifier, such as starting with a number, you can wrap the name in quotes like :"my-name".
Unterminated quote
Parameter names can be wrapped in double quote characters, and this error means you forgot to close the quote character.
Express <= 4.x
Path-To-RegExp breaks compatibility with Express <= 4.x in the following ways:
- The wildcard
*must have a name, matching the behavior of parameters:. - The optional character
?is no longer supported, use braces instead:/:file{.:ext}. - Regexp characters are not supported.
- Some characters have been reserved to avoid confusion during upgrade (
()[]?+!). - Parameter names now support valid JavaScript identifiers, or quoted like
:"this".
License
MIT
High
7.5/10
Summary
path-to-regexp contains a ReDoS
Affected Versions
< 0.1.12
Patched Versions
0.1.12
High
7.5/10
Summary
path-to-regexp outputs backtracking regular expressions
Affected Versions
>= 4.0.0, < 6.3.0
Patched Versions
6.3.0
High
7.5/10
Summary
path-to-regexp outputs backtracking regular expressions
Affected Versions
>= 7.0.0, < 8.0.0
Patched Versions
8.0.0
High
7.5/10
Summary
path-to-regexp outputs backtracking regular expressions
Affected Versions
>= 2.0.0, < 3.3.0
Patched Versions
3.3.0
High
7.5/10
Summary
path-to-regexp outputs backtracking regular expressions
Affected Versions
>= 0.2.0, < 1.9.0
Patched Versions
1.9.0
High
7.5/10
Summary
path-to-regexp outputs backtracking regular expressions
Affected Versions
< 0.1.10
Patched Versions
0.1.10
Reason
no binaries found in the repo
Reason
26 different organizations found -- score normalized to 10
Details
- Info: contributors work for DefinitelyTyped,TypeStrong,alm-tools,apex,borderless,clibs,cojs,component,expressjs,github-beta,gohttp,hackreactor,jshttp,jstrace,koajs,nanodb,pillarjs,reworkcss,senchalabs,serviejs,slate,standardschema,typed-typings,typings,visionmedia,zeromq
Reason
no dangerous workflow patterns detected
Reason
update tool detected
Details
- Info: tool 'Dependabot' is used: .github/dependabot.yml:1
Reason
license file detected
Details
- Info: License file found in expected location: LICENSE:1
- Info: FSF or OSI recognized license: LICENSE:1
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32
- Info: topLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:20
- Info: no jobLevel write permissions found
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/pillarjs/.github/SECURITY.md:1
- Info: Found linked content: github.com/pillarjs/.github/SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
- Info: Found text in security policy: github.com/pillarjs/.github/SECURITY.md:1
Reason
6 out of 8 merged PRs checked by a CI test -- score normalized to 7
Reason
4 commit(s) out of 30 and 5 issue activity out of 30 found in the last 90 days -- score normalized to 7
Reason
SAST tool detected but not run on all commits
Details
- Warn: 1 commits out of 8 are checked with a SAST tool
- Info: SAST tool detected: CodeQL
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'force pushes' disabled on branch 'master'
- Info: 'allow deletion' disabled on branch 'master'
- Warn: no status checks found to merge onto branch 'master'
- Warn: number of required reviewers is only 1 on branch 'master'
- Info: settings apply to administrators on branch 'master'
Reason
dependency not pinned by hash detected -- score normalized to 5
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/path-to-regexp/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/path-to-regexp/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/path-to-regexp/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/path-to-regexp/codeql.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/path-to-regexp/codeql.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/path-to-regexp/codeql.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/pillarjs/path-to-regexp/codeql.yml/master?enable=pin
- Info: 3 out of 9 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 2 third-party GitHubAction dependencies pinned
- Info: 1 out of 1 npmCommand dependencies pinned
Reason
7 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-x574-m823-4x7w
- Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8
- Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
Reason
found 22 unreviewed changesets out of 30 -- score normalized to 2
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
- Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI. Over time, try to add fuzzing for more functionalities of your project. (High effort)
- Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project: QuickCheck: https://hackage.haskell.org/package/QuickCheck hedgehog: https://hedgehog.qa/ validity: https://github.com/NorfairKing/validity smallcheck: https://hackage.haskell.org/package/smallcheck hspec: https://hspec.github.io/ tasty: https://hackage.haskell.org/package/tasty (High effort)
- Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
- Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
Score
6.8
/10
Last Scanned on 2025-07-07T21:25:37Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More