Skip to content

fix(security): patch minimatch ReDoS and critical decompress CVE#135

Merged
igoroctaviano merged 1 commit into
masterfrom
fix/security-minimatch-decompress-v3.12.5
Jul 6, 2026
Merged

fix(security): patch minimatch ReDoS and critical decompress CVE#135
igoroctaviano merged 1 commit into
masterfrom
fix/security-minimatch-decompress-v3.12.5

Conversation

@igoroctaviano

Copy link
Copy Markdown
Collaborator

Summary

Follow-up to #134 — that PR merged the first security commit but not this one, which addresses the remaining 18 minimatch and 1 critical decompress Dependabot alerts.

  • Bump all minimatch lines (3.x → 3.1.4, 5.x → 5.1.8, 9.x → 9.0.7, 10.x → 10.2.3) in root and platform/docs/yarn.lock
  • Redirect unmaintained decompress@4.2.1 to @xhmikosr/decompress@11.1.3 via yarn resolution (fixes CVE-2026-53486, transitive via @itk-wasm/dam)

Test plan

- Bump minimatch 3.x/5.x/9.x/10.x to patched versions in both lockfiles
- Redirect unmaintained decompress to @xhmikosr/decompress@11.1.3 via resolution
  (fixes CVE-2026-53486 / GHSA-mp2f-45pm-3cg9 from @itk-wasm/dam chain)
@igoroctaviano
igoroctaviano merged commit 78b2766 into master Jul 6, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant