Upgrade minimatch in @eslint/config-array

[tibindominicphilips]

Environment

Node version: 22.12.0
npm version: 10.9.0
Local ESLint version: 9.26.0
Global ESLint version: 9.26.0
Operating System: Windows 11 Enterprise

What parser are you using?

@typescript-eslint/parser

What did you do?

Dependency "minimatch": "^3.1.2" in latest version of eslint(9.29.0) is holding a high a vulnerability for brace-expansion package

CVE-2025-5889
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

<!-- Paste your configuration here -->

<!-- Paste your code here -->

What did you expect to happen?

An attacker could submit a crafted input to an affected application in order to trigger excessive resource consumption that could result in degraded performance.

What actually happened?

Vulnerability is thrown

Link to Minimal Reproducible Example

https://nvd.nist.gov/vuln/detail/CVE-2025-5889

Participation

• I am willing to submit a pull request for this issue.

Additional comments

No response

[nzakas]

Thanks for the report. Because ESLint is a CLI used directly on a user's system and the user is in complete control of the input, there's no attack vector here.

We can take a look at upgrading minimatch on @eslint/config-array, though we're several major versions behind so it will likely take a bunch of work to migrate.

[LR-EbramMekhail]

Will you also be updating the minimatch package in the following repos?
@eslint/eslintrc
eslint
@typescript-eslint/typescript-estree

[nzakas]

No. @eslint/eslintrc is frozen and we don't make changes to that package. eslint doesn't have a direct dependency on minimatch, it's only used transitively through @eslint/eslintrc, which will eventually be removed in v10. We don't maintain the typescript-eslint project, so you'd need to file an issue with them for the last one.