Fix minimatch ReDoS (CVE-2026-27903, CVE-2026-27904) via scoped overrides #546
Open
imenkov wants to merge 1 commit into
Conversation
…ides

Pins every transitively-installed minimatch copy to the latest patch in its major line via nested per-parent overrides:

- v3.1.2 -> v3.1.5 (rimraf>glob chain)
- v5.1.6 -> v5.1.9 (mocha, mocha>glob, archiver>readdir-glob chains)
- v9.0.5 -> v9.0.9 (archiver-utils>glob chain)
- v10.1.1 -> v10.2.5 (root glob chain)

Uses ancestor-scoped overrides rather than a top-level `minimatch` pin to keep mocha (v5 line) and rimraf (v3 line) on API-compatible majors and avoid bricking the test runner. Preserves the existing archiver-utils.glob override.

S360-Run-Id: 495d2f2c-025e-4d09-ad47-bf5a23bad72f
S360-KPI: SFI-ES5.2
S360-Skill: dependabot:dependency-update-orchestrator
S360-Arm: dedicated_skill
S360-Action-Items: 928b7015-db58-41a3-94ea-ab73c7bb9f4d:17027a63-3844-47e7-858a-baccf93ba52e
Summary

Remediates two high-severity ReDoS CVEs in transitive `minimatch` copies:

Approach: scoped per-parent overrides (not a top-level pin)

`minimatch` is not a direct dependency of this repo — it ships transitively via `glob`, `mocha`, `rimraf`, `archiver-utils`, and `readdir-glob`. Each of those uses a different major line. A blanket top-level `"minimatch": "^X"` override would force all consumers onto the same major, which (a) would have bumped `mocha`'s internal globber across a major boundary, and (b) is the partial fix already in `master` from PR #544 — but #544 only covers the root `glob` chain, not the other four. This PR replaces the top-level pin with ancestor-scoped overrides covering all five resolutions:

- `rimraf > glob`
- `mocha`, `mocha > glob`, `archiver > readdir-glob`
- `archiver-utils > glob`
- `glob`

Existing `archiver-utils.glob ^10.5.0` override is preserved.

Files changed

- `package.json` — `overrides` block restructured (no other changes)
- `package-lock.json` — re-resolved

Validation

- `npm ci` succeeds
- `npm run build` (tsc + postbuild) succeeds — `_build/tfx-cli.js` runs and emits CLI help
- `TFX_TRACE=1` produces the expected tracer output (12 lines)
- `npm test` — 206 passing / 0 failing / 0 pending in ~37s
- `npm audit` confirms the two CVEs gone post-fix
- Verified against `docs/contributions.md` end-to-end.

Relation to PR #544

This is a strict superset of PR #544's partial minimatch fix. It removes the single top-level `"minimatch": "^10.2.3"` pin from #544 and replaces it with five ancestor-scoped pins covering every vulnerable resolution — not just the root-glob chain.

🛠️ s360-breeze-toolkit · SFI-ES5.2 · run 495d2f2c