[GHSA-3ppc-4f35-3m26] minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern#7032
Conversation
Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
This PR updates the security advisory GHSA-3ppc-4f35-3m26 for a minimatch ReDoS vulnerability to include fixes for legacy versions. The developer has implemented patches across multiple version ranges.
Changes:
- Updated the timestamp to reflect the modification
- Expanded the fixed versions to include patches for legacy version ranges (3.x, 4.x, 5.x, 6.x, 7.x, 8.x, 9.x) in addition to the latest 10.2.1
- Added database-specific metadata to track the last known affected version range
| "fixed": "10.2.1 || 3.1.3 || 4.2.4 || 5.1.7 || 6.2.1 || 7.4.7 || 8.0.5 || 9.0.6" | ||
| } | ||
| ] |
The 'fixed' field format using '||' operators is non-standard for vulnerability advisories. This field typically expects a single version string or an array of version objects with separate ranges. This format may not be machine-parseable by security scanners and dependency tools that consume this advisory data.
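To make the point above concrete for anyone consuming advisory data, here is an added example (not code from the GitHub Advisory Database, the OSV project, or minimatch) that evaluates OSV-style `ECOSYSTEM` ranges against an installed package version in Python. The ranges are copied from the diff on this page; the `introduced` event for the 3.x range is not visible in the diff, so `3.0.0` there is an assumption, and the installed versions checked at the bottom are constructed for illustration. The example also shows why a `||`-joined `fixed` string fails: it is not a single version, so a scanner cannot parse it.

```python
"""Evaluate OSV-style affected ranges against a package version.

Added example; not the advisory database's or minimatch's own code.
"""
import re
from typing import Optional

# Affected ranges as written in the advisory diff on this page, in OSV
# "affected[].ranges" form. The "introduced" event for the 3.x range is not
# visible in the diff, so "3.0.0" is an assumption for illustration.
MINIMATCH_RANGES = [
    {"type": "ECOSYSTEM", "events": [{"introduced": "3.0.0"}, {"fixed": "3.1.3"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "4.0.0"}, {"fixed": "4.2.4"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "5.0.0"}, {"fixed": "5.1.7"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "6.0.0"}, {"fixed": "6.2.1"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "7.0.0"}, {"fixed": "7.4.7"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "8.0.0"}, {"fixed": "8.0.5"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "9.0.0"}, {"fixed": "9.0.6"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "10.0.0"}, {"fixed": "10.2.1"}]},
]

# The rejected form from the earlier advisory edit: several versions joined
# with "||" inside one "fixed" event value.
BAD_FIXED_FIELD = "10.2.1 || 3.1.3 || 4.2.4 || 5.1.7 || 6.2.1 || 7.4.7 || 8.0.5 || 9.0.6"

# Core semver triple; pre-release and build suffixes are allowed but not ordered.
_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?")


def parse_version(text: str) -> tuple:
    """Parse exactly one semver string into a comparable (major, minor, patch) tuple.

    Anything that is not a single version (for example a '||'-joined list)
    raises ValueError, which is what a scanner reading an OSV event does."""
    m = _SEMVER.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a single semver version: {text!r}")
    return tuple(int(g) for g in m.groups())


def validate_ranges(ranges) -> list:
    """Return a list of problems found in OSV ranges; an empty list means well-formed.

    Every event must have one key and carry one parseable version ("0" is the
    OSV convention for 'from the first release')."""
    problems = []
    for i, rng in enumerate(ranges):
        for ev in rng.get("events", []):
            if len(ev) != 1:
                problems.append(f"range {i}: event has {len(ev)} keys")
                continue
            key, value = next(iter(ev.items()))
            if key not in ("introduced", "fixed", "last_affected"):
                problems.append(f"range {i}: unknown event {key!r}")
            try:
                if value != "0":
                    parse_version(value)
            except ValueError as exc:
                problems.append(f"range {i}: {exc}")
    return problems


def affected_range(version: str, ranges=MINIMATCH_RANGES) -> Optional[dict]:
    """Return the range covering `version`, or None when it is not affected.

    OSV semantics: a range covers introduced <= v < fixed; a range with no
    "fixed" event is open-ended."""
    v = parse_version(version)
    for rng in ranges:
        introduced, fixed = (0, 0, 0), None
        for ev in rng["events"]:
            if "introduced" in ev and ev["introduced"] != "0":
                introduced = parse_version(ev["introduced"])
            elif "fixed" in ev:
                fixed = parse_version(ev["fixed"])
        if v >= introduced and (fixed is None or v < fixed):
            return rng
    return None


def fix_for(version: str, ranges=MINIMATCH_RANGES) -> Optional[str]:
    """Return the version that fixes `version`, or None if it is not affected
    (use affected_range() to distinguish 'not affected' from 'no fix published')."""
    rng = affected_range(version, ranges)
    if rng is None:
        return None
    return next((ev["fixed"] for ev in rng["events"] if "fixed" in ev), None)


if __name__ == "__main__":
    print("ranges valid:", validate_ranges(MINIMATCH_RANGES) == [])
    for installed in ("3.1.2", "3.1.3", "9.0.5", "10.2.0", "10.2.1"):  # constructed
        print(f"minimatch {installed}: fix -> {fix_for(installed)}")
    try:
        parse_version(BAD_FIXED_FIELD)
    except ValueError as exc:
        print("rejected:", exc)
```

Run with no arguments; the per-major ranges evaluate cleanly, and the `||`-joined string is rejected before any comparison can happen, which is the failure the comment above describes.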
| "fixed": "10.2.1 || 3.1.3 || 4.2.4 || 5.1.7 || 6.2.1 || 7.4.7 || 8.0.5 || 9.0.6" | |
| } | |
| ] | |
| "fixed": "3.1.3" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "4.0.0" | |
| }, | |
| { | |
| "fixed": "4.2.4" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "5.0.0" | |
| }, | |
| { | |
| "fixed": "5.1.7" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "6.0.0" | |
| }, | |
| { | |
| "fixed": "6.2.1" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "7.0.0" | |
| }, | |
| { | |
| "fixed": "7.4.7" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "8.0.0" | |
| }, | |
| { | |
| "fixed": "8.0.5" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "9.0.0" | |
| }, | |
| { | |
| "fixed": "9.0.6" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "10.0.0" | |
| }, | |
| { | |
| "fixed": "10.2.1" | |
| } | |
| ] |
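Review bot: replacing the single `||`-joined `fixed` string with one `ECOSYSTEM` range per major line resolves the parsing problem, but every visible range opens at its major's `.0.0` (`4.0.0` through `10.0.0`) and the earliest visible event is `"fixed": "3.1.3"`, so versions below the 3.x line fall outside all ranges and a consumer evaluating only these events will report them as not affected. Please confirm the `introduced` event of the 3.x range in the part of the diff not shown here, and whether any release before it is affected without a fix; if so, that needs either a range with `"introduced": "0"` and no `fixed` event or the last-known-affected metadata the overview mentions, so the two representations agree.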
dupe #7002
Updates
Comments
Developer already implemented the fixes for legacy versions.