Transitive minimatch dependency vulnerable to ReDoS (CVE-2026-26996)

[rycerrat]

Search terms

minimatch ReDoS CVE-2026-26996 vulnerability transitive dependency security

Expected Behavior

typedoc's transitive dependencies should not contain known HIGH severity vulnerabilities.

Actual Behavior

typedoc@0.28.13 (and through at least 0.28.17) depends on minimatch@^9.0.5, which is vulnerable to CVE-2026-26996 — a ReDoS attack via repeated wildcards with a non-matching literal in the pattern.

This causes security scanners (e.g. Trivy) to flag projects that depend on typedoc.

Steps to reproduce the bug

1. Install typedoc@0.28.17
2. Run a vulnerability scanner against node_modules (e.g. trivy fs --scanners vuln .)
3. Observe HIGH finding for minimatch pulled in by typedoc

Environment

• TypeDoc version: 0.28.13 (also verified against 0.28.17)
• TypeScript version: N/A (dependency issue, not a TypeScript compilation issue)
• Node.js version: N/A
• OS: macOS

[Gerrit0]

"HIGH" is such a ridiculous misnomer here. Risk is not absolute. This vulnerability is only possible to trigger from TypeDoc's usage if you are building documentation for untrusted code.

TypeDoc's dependency version range permits the fixed version, a npm audit fix or even just installing without a lockfile will pick up the fixed version...

[rycerrat]

Hey thanks @Gerrit0 -- agreed.

[CamJN]

@Gerrit0

TypeDoc's dependency version range permits the fixed version, a npm audit fix or even just installing without a lockfile will pick up the fixed version...

I think you might be thinking of the markdown-it thing, minimatch 10 is not allowed by the range minimatch@^9.0.5

Agreed about the assigned severity being silly though.

[Gerrit0]

Oh shoot, I didn't realize there was another one...

TypeDoc 0.28 can't be updated to a new minimatch version as minimatch 10 introduces a breaking change which drops Node versions supported by this TypeDoc version.

I guess 0.29 is more imminent than I was planning...

[Gerrit0]

... or not! Apparently isaacs decided to reduce the version requirement for version 10, yay!

isaacs/minimatch@35d9ee9

[Gerrit0]

Unfortunately the newer version of minimatch pulls in a newer version of brace-expansion, which is broken when expanding brackets - juliangruber/brace-expansion#87

[benmccann]

If you don't mind doing a 0.29 release you could switch to picomatch, which has no dependencies

[Gerrit0]

TypeDoc depends on features which are not supported by picomatch. micromatch might be a suitable replacement, but I expect I'll just end up waiting for brace-expansion's fix.

In the meantime, minimatch has published a v9 patch with the CVE fix, so npm audit fix or installing without a lockfile will pick up a fix, so I don't see any urgency for typedoc to publish. Given that it's already Sunday, it will probably be next week.

[cam-narzt]

Yeah if it's worth anything, I agree with sticking with minimatch and waiting, especially now that there's a 9.* stream fix we can grab.

[benmccann]

Sounds good. Though I'd be very surprised if it does actually depends on features not in picomatch. The picomatch readme is rather unclear about the point (I've had a PR pending there to clarify), but it does support most brace expansions. I'd be happy to clarify whether picomatch might support it if you're interested in that route and able to share which feature you're concerned about