Severity: HIGH 7.5

GHSA-q5qw-h33p-qvwr

Hono vulnerable to arbitrary file access via serveStatic vulnerability

Details

## Summary

When using `serveStatic` together with route-based middleware protections (e.g. `app.use('/admin/*', ...)`), inconsistent URL decoding allowed protected static resources to be accessed without authorization.

The router used `decodeURI`, while `serveStatic` used `decodeURIComponent`. This mismatch allowed paths containing encoded slashes (`%2F`) to bypass middleware protections while still resolving to the intended filesystem path.

## Details

The routing layer preserved `%2F` as a literal string, while `serveStatic` decoded it into `/` before resolving the file path.

Example:

Request: `/admin%2Fsecret.html`

- Router sees: `/admin%2Fsecret.html` → does not match `/admin/*`
- Static handler resolves: `/admin/secret.html`

As a result, static files under the configured static root could be served without triggering route-based protections.

This only affects applications that both:

- Protect subpaths using route-based middleware, and
- Serve files from the same static root using `serveStatic`.

This does **not** allow access outside the static root and is **not** a path traversal vulnerability.
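The decoding mismatch described above, as an added example that is not Hono's code: a router that applies only `decodeURI` is modelled next to a static handler that applies `decodeURIComponent`, and a consistency check (an assumption added here, not the advisory's fix) rejects paths on which the two decoders disagree. The static root `/srv/static` and the request paths are constructed.

```javascript
// Added example, not code from Hono. It models the advisory's decoding
// mismatch: a router that only applies decodeURI (which leaves %2F intact)
// and a static handler that applies decodeURIComponent (which turns %2F
// into "/"), then shows a consistency check that rejects such requests.

// Route prefix check the way a decodeURI-based router would see the path.
function routerMatchesAdmin(rawPath) {
  const seen = decodeURI(rawPath);          // "%2F" survives decodeURI
  return seen.startsWith('/admin/');
}

// File path the way a decodeURIComponent-based static handler resolves it.
// The root is a constructed value for the walk-through.
function staticResolves(rawPath, root = '/srv/static') {
  const decoded = decodeURIComponent(rawPath); // "%2F" becomes "/"
  return root + decoded;
}

// Defensive check (assumption: added here, not part of the advisory's fix):
// if the two decoders disagree, the path carries a percent-encoded reserved
// character and can be rejected before any route matching happens.
function hasEncodedReserved(rawPath) {
  try {
    return decodeURI(rawPath) !== decodeURIComponent(rawPath);
  } catch {
    return true; // malformed percent-encoding: treat as suspicious
  }
}

// Walk one request path through both layers and report the outcome.
function evaluate(rawPath) {
  const served = staticResolves(rawPath);
  return {
    routerProtects: routerMatchesAdmin(rawPath),
    fileServed: served,
    // Protected file reached without the /admin/* middleware firing.
    bypass: !routerMatchesAdmin(rawPath) && served.startsWith('/srv/static/admin/'),
    rejectedByCheck: hasEncodedReserved(rawPath),
  };
}

// Constructed request paths: the advisory's example plus two controls.
for (const p of ['/admin%2Fsecret.html', '/admin/secret.html', '/public/index.html']) {
  console.log(p, evaluate(p));
}
```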

## Impact

An unauthenticated attacker could bypass route-based authorization for protected static resources by supplying paths containing encoded slashes.

Applications relying solely on route-based middleware to protect static subpaths may have exposed those resources.


Affected package

npm / hono
First affected version: 0
Fixed version: 4.12.4
Fix: `npm install hono@4.12.4`
