
fix: resolve minimatch high severity vulnerabilities in CLI#10944

Open
github-actions[bot] wants to merge 1 commit into main from fix/minimatch-vulnerability

Conversation


@github-actions github-actions bot commented Mar 1, 2026

Summary

This PR fixes three high severity security vulnerabilities in the minimatch dependency.

Vulnerabilities Fixed

| Vulnerability | Severity | Description |
| --- | --- | --- |
| SNYK-JS-MINIMATCH-15309438 | High | Regular Expression Denial of Service (ReDoS) |
| SNYK-JS-MINIMATCH-15353387 | High | Regular Expression Denial of Service (ReDoS) |
| SNYK-JS-MINIMATCH-15353389 | High | Inefficient Algorithmic Complexity |

Root Cause

The vulnerable minimatch@9.0.5 was introduced as a transitive dependency through:

@sentry/profiling-node > @sentry/node > minimatch@9.0.5

Solution

Added an npm overrides section in package.json to force @sentry/node to use minimatch@^9.0.7, which contains fixes for all three vulnerabilities.

Verification

After applying the fix, running npx snyk test confirms that all high severity vulnerabilities are resolved:

  • Before: 8 issues found (3 high severity security vulnerabilities)
  • After: 5 issues found (all medium severity license issues, no security vulnerabilities)

Generated with Continue


Continue Tasks: ❌ 7 failed


Summary by cubic

Fixes three high-severity minimatch vulnerabilities (ReDoS/algorithmic complexity) in the CLI by forcing @sentry/node to use minimatch >=9.0.7. Snyk now reports no security vulnerabilities.

  • Dependencies
    • Added npm overrides in extensions/cli/package.json to pin minimatch to ^9.0.7 under @sentry/node; lockfile now resolves to minimatch 9.0.9.

Written for commit eddf857. Summary will update on new commits.

Add an npm override to force @sentry/node to use minimatch@^9.0.7,
which fixes three high severity vulnerabilities:

- SNYK-JS-MINIMATCH-15309438 (ReDoS)
- SNYK-JS-MINIMATCH-15353387 (ReDoS)
- SNYK-JS-MINIMATCH-15353389 (Inefficient Algorithmic Complexity)

The vulnerable minimatch@9.0.5 was a transitive dependency introduced
by @sentry/profiling-node > @sentry/node.

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <noreply@continue.dev>
@github-actions github-actions bot requested a review from a team as a code owner March 1, 2026 09:10
@github-actions github-actions bot requested review from RomneyDa and removed request for a team March 1, 2026 09:10
@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Mar 1, 2026
