fix(deps): update dependency minimatch to v10 [security]#4184
Open
renovate[bot] wants to merge 2 commits intomainfrom
Open
fix(deps): update dependency minimatch to v10 [security]#4184renovate[bot] wants to merge 2 commits intomainfrom
renovate[bot] wants to merge 2 commits intomainfrom
Conversation
🦋 Changeset detectedLatest commit: a56084f The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
renovate
bot
force-pushed
the
chore/renovate/npm-minimatch-vulnerability
branch
from
3a2a328 to
63cd610
Compare
renovate
bot
force-pushed
the
chore/renovate/npm-minimatch-vulnerability
branch
from
4a49a73 to
bed528b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.0.5→10.2.1GitHub Vulnerability Alerts
CVE-2026-26996
Summary
minimatchis vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive*wildcards followed by a literal character that doesn't appear in the test string. Each*compiles to a separate[^/]*?regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.The time complexity is O(4^N) where N is the number of
*characters. With N=15, a singleminimatch()call takes ~2 seconds. With N=34, it hangs effectively forever.Details
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
PoC
When minimatch compiles a glob pattern, each
*becomes[^/]*?in the generated regex. For a pattern like***************X***:When the test string doesn't contain
X, the regex engine must try every possible way to distribute the characters across all the[^/]*?groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) — exponential.Impact
Any application that passes user-controlled strings to
minimatch()as the pattern argument is vulnerable to DoS. This includes:.gitignore-style filtering with user-defined rulesRelease Notes
isaacs/minimatch (minimatch)
v10.2.1Compare Source
v10.2.0Compare Source
v10.1.3Compare Source
v10.1.2Compare Source
v10.1.1Compare Source
v10.1.0Compare Source
v10.0.3Compare Source
v10.0.2Compare Source
v10.0.1Compare Source
v10.0.0Compare Source
v9.0.5Compare Source
v9.0.4Compare Source
v9.0.3Compare Source
v9.0.2Compare Source
v9.0.1Compare Source
v9.0.0Compare Source
v8.0.4Compare Source
v8.0.3Compare Source
v8.0.2Compare Source
v8.0.1Compare Source
v8.0.0Compare Source
v7.4.6Compare Source
v7.4.5Compare Source
v7.4.4Compare Source
v7.4.3Compare Source
v7.4.2Compare Source
v7.4.1Compare Source
v7.4.0Compare Source
v7.3.0Compare Source
v7.2.0Compare Source
v7.1.4Compare Source
v7.1.3Compare Source
v7.1.2Compare Source
v7.1.1Compare Source
v7.1.0Compare Source
v7.0.1Compare Source
v7.0.0Compare Source
v6.2.0Compare Source
v6.1.10Compare Source
v6.1.9Compare Source
v6.1.8Compare Source
v6.1.7Compare Source
v6.1.6Compare Source
v6.1.5Compare Source
v6.1.4Compare Source
v6.1.3Compare Source
v6.1.2Compare Source
v6.1.1Compare Source
v6.1.0Compare Source
v6.0.4Compare Source
v6.0.3Compare Source
v6.0.2Compare Source
v6.0.1Compare Source
v6.0.0Compare Source
v5.1.6Compare Source
v5.1.5Compare Source
v5.1.4Compare Source
v5.1.3Compare Source
v5.1.2Compare Source
v5.1.1Compare Source
v5.1.0Compare Source
v5.0.1Compare Source
v5.0.0Compare Source
v4.2.3Compare Source
v4.2.2Compare Source
v4.2.1Compare Source
v4.2.0Compare Source
v4.1.1Compare Source
v4.1.0Compare Source
v4.0.0Compare Source
v3.1.2Compare Source
v3.1.1Compare Source
v3.1.0Compare Source
v3.0.8Compare Source
v3.0.7Compare Source
v3.0.6Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.