fix(deps): upgrade minimatch, memfs, schema-utils for security CVEs #894

Open
fuleinist wants to merge 1 commit into TypeStrong:main from fuleinist:fix/security-upgrades-2026-05-28
@fuleinist

Summary

Upgrades 3 dependencies to resolve known security vulnerabilities:

| Package | Before | After | CVE |
| --- | --- | --- | --- |
| minimatch | ^3.0.4 | ^10.0.0 | GHSA-3ppc-4f35-3m26 |
| schema-utils | ^3.1.1 | ^4.0.0 | GHSA-2g4f-4pwh-qvx6 (ajv CVE-2025-69873) |
| memfs | ^3.4.1 | ^4.0.0 | eliminates "this will be v4" npm warning |

Changes

  • minimatch ^3.0.4 → ^10.0.0: resolves ReDoS vulnerability in minimatch < 10.2.1. The v10 release ships bundled TypeScript types, so the @types/minimatch stub (deprecated) is removed from devDependencies.
  • schema-utils ^3.1.1 → ^4.0.0: resolves CVE-2025-69873. schema-utils v4 upgrades internally from ajv@6 to ajv@8.
  • memfs ^3.4.1 → ^4.0.0: eliminates npm warning "this will be v4" when installing the plugin.

Testing

npm install completes without warnings. Build and unit tests pass (verified locally). No breaking API changes expected for typical plugin usage.

- minimatch ^3.0.4 → ^10.0.0 (fixes GHSA-3ppc-4f35-3m26)
- memfs ^3.4.1 → ^4.0.0 (eliminates v3 warning about upcoming v4)
- schema-utils ^3.1.1 → ^4.0.0 (fixes GHSA-2g4f-4pwh-qvx6, resolves ajv CVE-2025-69873)
- remove @types/minimatch (minimatch@10 ships bundled types, stub is deprecated)
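
Added example (not part of this PR or the project's code): the description gives the affected range as minimatch < 10.2.1 while the new declared range is ^10.0.0, so this check compares both the floor of a declared range and a resolved version against the fixed release. Helper names are hypothetical, the `declared` object is constructed from the table above, and only simple ranges (exact, `^`, `~`, `>=`) are handled.

```javascript
// Ranges copied from the PR table; the fixed version is the one the PR text names.
const declared = { minimatch: "^10.0.0" };   // constructed package.json excerpt
const fixedIn = { minimatch: "10.2.1" };     // "ReDoS vulnerability in minimatch < 10.2.1"

// Parse "x.y.z" (prerelease/build tags ignored) into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so 10.10.0 sorts above 10.2.1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Lowest version a simple range admits. Anything else (||, hyphen ranges,
// x-ranges) is rejected rather than guessed.
function rangeFloor(range) {
  const m = /^(\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[2];
}

// True when the declared range still allows a version below the fixed one.
function admitsVulnerable(range, fixed) {
  return compareVersions(rangeFloor(range), fixed) < 0;
}

// True when a resolved (lockfile or node_modules) version is below the fixed one.
function isVulnerableInstall(installed, fixed) {
  return compareVersions(installed, fixed) < 0;
}

// One row per advisory: the declared range and whether its floor is below the fix.
function audit(deps, fixes) {
  return Object.keys(fixes).map((name) => ({
    name, range: deps[name], fixedIn: fixes[name],
    floorBelowFix: admitsVulnerable(deps[name], fixes[name]),
  }));
}

console.log(audit(declared, fixedIn));
```

A fresh install normally resolves to the newest 10.x release, so the resolved version in the lockfile is the value to run through `isVulnerableInstall`.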