[deps]: Update minimatch to v10 [SECURITY] - abandoned#1009

Merged

sven-bitwarden merged 2 commits intomainfrom

renovate/npm-minimatch-vulnerability

Feb 23, 2026

Contributor

renovate bot commented Feb 19, 2026 •

edited by sven-bitwarden

Loading

Tracking: https://bitwarden.atlassian.net/browse/PM-32492

This PR contains the following updates:

Package	Change	Age	Confidence
minimatch	`5.1.2` → `10.2.1`

GitHub Vulnerability Alerts

CVE-2026-26996

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) — exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

File search/filter UIs that accept glob patterns
.gitignore-style filtering with user-defined rules
Build tools that accept glob configuration
Any API that exposes glob matching to untrusted input

Release Notes

isaacs/minimatch (minimatch)

`v10.2.1`

`v10.2.0`

`v10.1.3`

`v10.1.2`

`v10.1.1`

`v10.1.0`

`v10.0.3`

`v10.0.2`

`v10.0.1`

`v10.0.0`

`v9.0.5`

`v9.0.4`

`v9.0.3`

`v9.0.2`

`v9.0.1`

`v9.0.0`

`v8.0.4`

`v8.0.3`

`v8.0.2`

`v8.0.1`

`v8.0.0`

`v7.4.6`

`v7.4.5`

`v7.4.4`

`v7.4.3`

`v7.4.2`

`v7.4.1`

`v7.4.0`

`v7.3.0`

`v7.2.0`

`v7.1.4`

`v7.1.3`

`v7.1.2`

`v7.1.1`

`v7.1.0`

`v7.0.1`

`v7.0.0`

`v6.2.0`

`v6.1.10`

`v6.1.9`

`v6.1.8`

`v6.1.7`

`v6.1.6`

`v6.1.5`

`v6.1.4`

`v6.1.3`

`v6.1.2`

`v6.1.1`

`v6.1.0`

`v6.0.4`

`v6.0.3`

`v6.0.2`

`v6.0.1`

`v6.0.0`

`v5.1.6`

`v5.1.5`

`v5.1.4`

`v5.1.3`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          [deps]: Update minimatch to v10 [SECURITY]

80ce75a

renovate bot requested a review from a team as a code owner

February 19, 2026 16:44

renovate bot added the security label

renovate bot requested a review from sven-bitwarden

February 19, 2026 16:44

renovate bot added the security label

renovate bot requested a review from a team

February 19, 2026 16:44

codecov bot commented Feb 19, 2026 •

edited

Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 14.90%. Comparing base (9a2168c) to head (1303a48).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff            @@
##            main    #1009      +/-   ##
=========================================
+ Coverage   6.55%   14.90%   +8.34%     
=========================================
  Files         67       67              
  Lines       2791     2791              
  Branches     481      481              
=========================================
+ Hits         183      416     +233     
+ Misses      2576     2271     -305     
- Partials      32      104      +72

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.


          Remove erroneous failing dependencies

1303a48

Contributor Author

renovate bot commented Feb 19, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

sonarqubecloud bot commented Feb 19, 2026

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Contributor

github-actions bot commented Feb 19, 2026

Checkmarx One – Scan Summary & Details – 251ed46e-b6de-4a78-8c48-4f693be17e61

Great job! No new security vulnerabilities introduced in this pull request

sven-bitwarden approved these changes

View reviewed changes

renovate bot changed the title ~~[deps]: Update minimatch to v10 [SECURITY]~~ [deps]: Update minimatch to v10 [SECURITY] - abandoned

Contributor Author

renovate bot commented Feb 22, 2026

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

sven-bitwarden requested review from BTreston and withinfocus

February 23, 2026 07:33

Contributor

withinfocus commented Feb 23, 2026

I don't want to provide any formal review and the team should do that, but once this merges I can handle closure given the elimination of the dependency.

BTreston approved these changes

View reviewed changes

sven-bitwarden merged commit af43015 into main

31 checks passed

sven-bitwarden deleted the renovate/npm-minimatch-vulnerability branch

February 23, 2026 19:10

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels