Skip to content

[deps]: Update minimatch to v10 [SECURITY] - abandoned#1009

Merged
sven-bitwarden merged 2 commits intomainfrom
renovate/npm-minimatch-vulnerability
Feb 23, 2026
Merged

[deps]: Update minimatch to v10 [SECURITY] - abandoned#1009
sven-bitwarden merged 2 commits intomainfrom
renovate/npm-minimatch-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 19, 2026

Tracking: https://bitwarden.atlassian.net/browse/PM-32492

This PR contains the following updates:

Package Change Age Confidence
minimatch 5.1.210.2.1 age confidence

GitHub Vulnerability Alerts

CVE-2026-26996

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) — exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Release Notes

isaacs/minimatch (minimatch)

v10.2.1

Compare Source

v10.2.0

Compare Source

v10.1.3

Compare Source

v10.1.2

Compare Source

v10.1.1

Compare Source

v10.1.0

Compare Source

v10.0.3

Compare Source

v10.0.2

Compare Source

v10.0.1

Compare Source

v10.0.0

Compare Source

v9.0.5

Compare Source

v9.0.4

Compare Source

v9.0.3

Compare Source

v9.0.2

Compare Source

v9.0.1

Compare Source

v9.0.0

Compare Source

v8.0.4

Compare Source

v8.0.3

Compare Source

v8.0.2

Compare Source

v8.0.1

Compare Source

v8.0.0

Compare Source

v7.4.6

Compare Source

v7.4.5

Compare Source

v7.4.4

Compare Source

v7.4.3

Compare Source

v7.4.2

Compare Source

v7.4.1

Compare Source

v7.4.0

Compare Source

v7.3.0

Compare Source

v7.2.0

Compare Source

v7.1.4

Compare Source

v7.1.3

Compare Source

v7.1.2

Compare Source

v7.1.1

Compare Source

v7.1.0

Compare Source

v7.0.1

Compare Source

v7.0.0

Compare Source

v6.2.0

Compare Source

v6.1.10

Compare Source

v6.1.9

Compare Source

v6.1.8

Compare Source

v6.1.7

Compare Source

v6.1.6

Compare Source

v6.1.5

Compare Source

v6.1.4

Compare Source

v6.1.3

Compare Source

v6.1.2

Compare Source

v6.1.1

Compare Source

v6.1.0

Compare Source

v6.0.4

Compare Source

v6.0.3

Compare Source

v6.0.2

Compare Source

v6.0.1

Compare Source

v6.0.0

Compare Source

v5.1.6

Compare Source

v5.1.5

Compare Source

v5.1.4

Compare Source

v5.1.3

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner February 19, 2026 16:44
@renovate renovate bot added the security label Feb 19, 2026
@renovate renovate bot requested a review from sven-bitwarden February 19, 2026 16:44
@renovate renovate bot added the security label Feb 19, 2026
@renovate renovate bot requested a review from a team February 19, 2026 16:44
@codecov
Copy link

codecov bot commented Feb 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 14.90%. Comparing base (9a2168c) to head (1303a48).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff            @@
##            main    #1009      +/-   ##
=========================================
+ Coverage   6.55%   14.90%   +8.34%     
=========================================
  Files         67       67              
  Lines       2791     2791              
  Branches     481      481              
=========================================
+ Hits         183      416     +233     
+ Misses      2576     2271     -305     
- Partials      32      104      +72     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate
Copy link
Contributor Author

renovate bot commented Feb 19, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@sonarqubecloud
Copy link

@github-actions
Copy link
Contributor

Logo
Checkmarx One – Scan Summary & Details251ed46e-b6de-4a78-8c48-4f693be17e61

Great job! No new security vulnerabilities introduced in this pull request

@renovate renovate bot changed the title [deps]: Update minimatch to v10 [SECURITY] [deps]: Update minimatch to v10 [SECURITY] - abandoned Feb 22, 2026
@renovate
Copy link
Contributor Author

renovate bot commented Feb 22, 2026

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@withinfocus
Copy link
Contributor

I don't want to provide any formal review and the team should do that, but once this merges I can handle closure given the elimination of the dependency.

@sven-bitwarden sven-bitwarden merged commit af43015 into main Feb 23, 2026
31 checks passed
@sven-bitwarden sven-bitwarden deleted the renovate/npm-minimatch-vulnerability branch February 23, 2026 19:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants