fix: upgrade minimatch to patched versions to resolve ReDoS vulnerabilities#162

Open
Copilot wants to merge 1 commit intomainfrom
copilot/fix-minimatch-redos-vulnerability
Conversation

Contributor

Copilot AI commented Mar 29, 2026

Summary

Fixes Dependabot security alerts #58 and #60 for minimatch ReDoS vulnerabilities.

Vulnerability Details

Two ReDoS (Regular Expression Denial of Service) vulnerabilities were found in transitive minimatch dependencies:

  1. Combinatorial backtracking via multiple non-adjacent GLOBSTAR segments (matchOne())
  2. Nested *() extglobs generating catastrophically backtracking regular expressions

Both are rated High severity and affect development dependencies only.

Root Cause

The yarn.lock contained two vulnerable minimatch versions:

  • minimatch@3.1.2 (needs ≥ 3.1.4 for full patch coverage) — used by eslint, eslint-plugin-react, jest
  • minimatch@9.0.5 (needs ≥ 9.0.7) — used by glob

minimatch@10.2.4 was already safe (≥ 10.2.3).

Fix

Added yarn selective resolutions to package.json:

"resolutions": {
  "minimatch": "3.1.5",
  "glob/minimatch": "9.0.9",
  "@typescript-eslint/typescript-estree/minimatch": "10.2.4"
}

This upgrades:

  • minimatch@3.1.2 → 3.1.5 ✅ patched
  • minimatch@9.0.5 → 9.0.9 ✅ patched
  • minimatch@10.2.4 preserved as-is ✅ already patched

Verification

  • All existing tests pass (yarn test)
  • Code review: no issues
  • Security scan (CodeQL): no new alerts

…lities

- Add yarn resolutions to pin minimatch@3.1.5 (was 3.1.2, vulnerable to ReDoS)
- Add yarn resolution glob/minimatch@9.0.9 (was 9.0.5, vulnerable to ReDoS)
- Preserve @typescript-eslint/typescript-estree/minimatch@10.2.4 (already safe)

Fixes Dependabot alerts #58 and #60.

Co-authored-by: GitHub Copilot <copilot@noreply.github.com>

Agent-Logs-Url: https://github.com/Staffbase/create-staffbase-plugin-nodejs/sessions/66593851-1c94-45c1-9ed5-0a0989a3b489

Co-authored-by: maximizeIT <8626039+maximizeIT@users.noreply.github.com>
@maximizeIT maximizeIT enabled auto-merge March 29, 2026 07:45
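The lockfile audit implied by the Root Cause section, as an added example that is not part of the PR or of the project's code: it reads a yarn.lock v1 fragment (constructed here to mirror the pre-fix state) and flags minimatch entries whose resolved version is below the patched version the description names for that major line (3.1.4, 9.0.7, 10.2.3). The parser is a minimal reading of the v1 format and the version comparison assumes plain dotted numbers, both assumptions of this example.

```javascript
// Patched thresholds per major line, taken from the PR description.
const PATCHED_MINIMATCH = { 3: '3.1.4', 9: '9.0.7', 10: '10.2.3' };

// Numeric comparison of dotted version strings (assumes no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal yarn.lock v1 reader: collects { specs, version } for entries of one package.
// A header line is unindented, ends with ':' and lists comma-separated (maybe quoted) specs.
function lockfileEntries(lockText, pkg) {
  const entries = [];
  let current = null;
  for (const raw of lockText.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line && !line.startsWith(' ') && !line.startsWith('#')) {
      const specs = line.replace(/:$/, '').split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = specs.every(s => s.startsWith(pkg + '@')) ? { specs, version: null } : null;
      if (current) entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Report minimatch entries below the patched version for their major line;
// majors with no known threshold are reported as "unknown" so they are not silently skipped.
function findVulnerableMinimatch(lockText) {
  return lockfileEntries(lockText, 'minimatch').flatMap(({ specs, version }) => {
    const needed = PATCHED_MINIMATCH[Number(version.split('.')[0])];
    if (!needed) return [{ specs, version, needed: 'unknown' }];
    return compareVersions(version, needed) < 0 ? [{ specs, version, needed }] : [];
  });
}

// Constructed sample lockfile fragment mirroring the versions the PR describes.
const SAMPLE_LOCK = `# yarn lockfile v1

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.2"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz"

"minimatch@^9.0.4":
  version "9.0.5"

"minimatch@^10.0.0":
  version "10.2.4"
`;
```

Running `findVulnerableMinimatch` on the sample reports the 3.1.2 and 9.0.5 entries and leaves 10.2.4 alone, matching the three bullets in the Root Cause section.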