[GHSA-3ppc-4f35-3m26] minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern#7002
Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory
Pull request overview
Updates the GitHub-reviewed advisory record for GHSA-3ppc-4f35-3m26 to match the upstream minimatch advisory by refining affected version ranges and adding an additional reference.
Changes:
- Refined affected version range start for v10 and added explicit affected ranges for v3–v9.
- Added a new web reference link to the related upstream issue.
- Bumped the advisory `modified` timestamp.
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "minimatch" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "9.0.0" | ||
| }, | ||
| { | ||
| "fixed": "9.0.6" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "minimatch" | ||
| }, | ||
| "ranges": [ |
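Review bot: The package block `"package": { "ecosystem": "npm", "name": "minimatch" }` is repeated for every version window, and the hunk ends at the second entry's `"ranges": [` so its events are not visible here for a disjointness check against the 9.0.0 to 9.0.6 window above. Since `ranges` is already an array, the windows can be listed as several entries in one `ranges` array under a single affected record for minimatch, which keeps the per-package version windows in one place and makes overlapping starts easier to spot on review.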
Multiple affected entries repeat the same { ecosystem: "npm", name: "minimatch" } package block, which increases duplication and makes future edits error-prone. Consider consolidating these into a single affected item for minimatch with multiple ranges entries so all version windows live under one package record.
All validations completed successfully.
This PR is ready for immediate merge.
Are versions < 3.0.0 not vulnerable to this issue? I believe the changes in this update would suggest that.
advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json
They are vulnerable, and there's no backports for them.
Oh neat, submitting a "new" improvement does update the existing PR... Anyway, that's fixed now - thanks for catching it
Thanks for updating it so quickly! And good to know :) I've always just closed the one with the error and opened a new one... lol
| "events": [ | ||
| { | ||
| "introduced": "10.0.0" | ||
| "introduced": "0" |
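Review bot: Changing `"introduced": "10.0.0"` to `"introduced": "0"` in this events array starts the window at version 0, and with no `fixed` event visible in the context it would cover every version, including the 9.0.0 to 9.0.6 window that the other affected entry for the same package already declares; the two entries then conflict. Keep `"introduced": "10.0.0"` here so the v10 window stays disjoint from the v3 to v9 entries added in the same change.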
I don't think we want introduced 0 here? It should stay 10.0.0 for this product, otherwise it creates some overlapping ranges that are in conflict with the other listed products.
ugh you're right, but this wasn't my choice it's just what got generated by the advisory improvement submission - let me see if I can fix that for this PR, otherwise I'll close it and get a new one opened
ok I think this was just my bad by way of just forgetting to update the original entry to be >= 10.0.0 🤦
Looks good to me now. Thanks again @G-Rath!
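The overlap problem discussed in the review thread above (an `introduced` of `0` colliding with the other minimatch windows) as an automated check, added here as an example and not code from this PR or from the advisory database tooling. The advisory JSON is a constructed sample shaped like the diff in this PR, and the version comparison assumes plain dotted numeric versions with no prerelease tags.

```python
import json
from copy import deepcopy
from itertools import combinations

# Constructed sample modelled on the advisory JSON in this PR, not the real advisory
# file: the 9.x window plus a v10 entry whose "introduced" was set to "0" by mistake.
SAMPLE_ADVISORY = json.loads("""
{"affected": [
  {"package": {"ecosystem": "npm", "name": "minimatch"},
   "ranges": [{"type": "ECOSYSTEM",
               "events": [{"introduced": "9.0.0"}, {"fixed": "9.0.6"}]}]},
  {"package": {"ecosystem": "npm", "name": "minimatch"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}
]}""")

def parse_version(text):
    # Assumption: plain dotted numeric versions, no prerelease or build tags.
    return tuple(int(part) for part in text.split("."))

def windows(advisory):
    """Yield (package, introduced, fixed) half-open windows; fixed=None is open-ended."""
    for entry in advisory["affected"]:
        pkg = (entry["package"]["ecosystem"], entry["package"]["name"])
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            start = None
            for event in rng["events"]:
                if "introduced" in event:
                    start = parse_version(event["introduced"])
                elif "fixed" in event and start is not None:
                    yield pkg, start, parse_version(event["fixed"])
                    start = None
            if start is not None:  # "introduced" with no "fixed": every later version
                yield pkg, start, None

def find_overlaps(advisory):
    """Return pairs of windows on the same package that share at least one version."""
    overlaps = []
    for (pkg_a, a0, a1), (pkg_b, b0, b1) in combinations(windows(advisory), 2):
        if pkg_a != pkg_b:
            continue
        if (b1 is None or a0 < b1) and (a1 is None or b0 < a1):
            overlaps.append(((a0, a1), (b0, b1)))
    return overlaps

def with_introduced(advisory, entry_index, version):
    # Copy of the advisory with one entry's first "introduced" event replaced.
    fixed = deepcopy(advisory)
    fixed["affected"][entry_index]["ranges"][0]["events"][0]["introduced"] = version
    return fixed
```

Running `find_overlaps` on the sample reports the 9.0.0 to 9.0.6 window colliding with the open-ended window that starts at 0; after `with_introduced(SAMPLE_ADVISORY, 1, "10.0.0")` the report is empty.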
Not sure, but are additional reviews required here or is there something blocking this from being approved? cc: @isaacs
We're waiting for a GH staff member to review and accept the change, which happens via an internal process - afaik nothing on this side of the PR directly impacts that, it just comes down to their bandwidth
Updated to match GHSA-3ppc-4f35-3m26