chore(monorepo): update pnpm.catalog.default minimatch to v10.2.1 [security] #210
renovate[bot] wants to merge 1 commit into main from
Branch automerge failure: This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.
DeepSource reviewed changes in the commit range. For detailed review results, see the PR on DeepSource (PR Report Card, Code Review Summary).

Socket: Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Socket (Warning): Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts.
This PR contains the following updates:
minimatch (pnpm.catalog.default): 10.0.3 → 10.2.1

GitHub Vulnerability Alerts
CVE-2026-26996

Summary
minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC
When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:
When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) — exponential.

Impact
Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:
- .gitignore-style filtering with user-defined rules

Release Notes
isaacs/minimatch (minimatch)
- v10.2.1 (Compare Source)
- v10.2.0 (Compare Source)
- v10.1.3 (Compare Source)
- v10.1.2 (Compare Source)
- v10.1.1 (Compare Source)
- v10.1.0 (Compare Source)

Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.