security: minimatch has high CVE-2026-26996

[EinfachHans]

Current Behavior

minimatch is currently vulnerable: GHSA-3ppc-4f35-3m26

In the catalog it is currently set as

minimatch: '10.1.1'

Expected Behavior

Please update to a non-vulnurable version

GitHub Repo

No response

Steps to Reproduce

Audit check

Nx Report

Node           : 24.13.0
OS             : darwin-arm64
Native Target  : aarch64-macos
npm            : 10.9.2
daemon         : Disabled

nx                     : 22.5.1
@nx/js                 : 22.5.1
@nx/eslint             : 22.5.1
@nx/workspace          : 22.5.1
@nx/angular            : 22.5.1
@nx/jest               : 22.5.1
@nx/devkit             : 22.5.1
@nx/eslint-plugin      : 22.5.1
@nx/module-federation  : 22.5.1
@nx/rspack             : 22.5.1
@nx/web                : 22.5.1
@nx/webpack            : 22.5.1
typescript             : 5.9.3
---------------------------------------
Community plugins:
@maskito/angular   : 5.1.0
@ngrx/signals      : 21.0.1
@ngxpert/hot-toast : 6.1.0
angular-eslint     : 21.2.0
ng-mocks           : 14.15.1
---------------------------------------
Cache Usage: 0.00 B / 46.04 GB

Failure Logs

Package Manager Version

No response

Operating System

• macOS
• Linux
• Windows
• Other (Please specify)

Additional Information

No response

[jbocce]

Note also that @nx/devkit has transitive dependencies to minimatch@3.1.2 via ejs@3.1.10-->jake@10.9.2 and to minimatch@5.1.6 via ejs@3.1.10-->jake@10.9.2-->filelist@1.0.4

[github-actions]

This issue has been closed for more than 30 days. If this issue is still occuring, please open a new issue with more recent context.