Skip to content

fix(deps): resolve minimatch ReDoS vulnerability (CVE-2026-26996)#466

Merged
CybotTM merged 6 commits intomainfrom
fix/CVE-2026-26996-minimatch-redos
Feb 22, 2026
Merged

fix(deps): resolve minimatch ReDoS vulnerability (CVE-2026-26996)#466
CybotTM merged 6 commits intomainfrom
fix/CVE-2026-26996-minimatch-redos

Conversation

@CybotTM
Copy link
Member

@CybotTM CybotTM commented Feb 22, 2026

Summary

  • Remove redundant direct dependencies @typescript-eslint/eslint-plugin and @typescript-eslint/parser (already provided transitively via typescript-eslint unified package, which is the only one imported in eslint.config.js)
  • Add pnpm override to force minimatch>=10.2.1, eliminating the vulnerable 9.0.5 resolution from @typescript-eslint/typescript-estree
  • Override can be removed once typescript-eslint ships 8.56.1+ (canary already bumps to minimatch@^10.2.2)

Resolves https://github.com/netresearch/ldap-selfservice-password-changer/security/dependabot/23

Verification

  • pnpm why minimatch shows only 10.2.2 (no 9.0.5)
  • pnpm lint passes
  • pnpm js:build (tsc) passes

Test plan

@CybotTM
fix(deps): resolve minimatch ReDoS vulnerability (CVE-2026-26996)
db70f24 
Remove redundant direct dependencies @typescript-eslint/eslint-plugin
and @typescript-eslint/parser (already provided transitively via
typescript-eslint unified package).

Add pnpm override to force minimatch>=10.2.1, eliminating the
vulnerable 9.0.5 resolution from @typescript-eslint/typescript-estree.
Override can be removed once typescript-eslint ships 8.56.1+ which
bumps to minimatch@^10.2.2 natively.

Resolves: https://github.com/netresearch/ldap-selfservice-password-changer/security/dependabot/23
Copilot AI review requested due to automatic review settings February 22, 2026 08:48
@gemini-code-assist
Copy link

gemini-code-assist bot commented Feb 22, 2026

Summary of Changes

Hello @CybotTM, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's security posture and streamlining its dependency management. It addresses a critical ReDoS vulnerability by enforcing a minimum version for a key dependency and cleans up the project's devDependencies by removing packages that are already managed transitively. The changes ensure a more secure and efficient build environment without altering core functionality.

Highlights

  • Security Vulnerability Resolution: Resolved a ReDoS vulnerability (CVE-2026-26996) in the minimatch package by forcing an upgrade to version 10.2.1 or higher using pnpm overrides.
  • Dependency Cleanup: Removed redundant direct development dependencies @typescript-eslint/eslint-plugin and @typescript-eslint/parser from package.json, as they are already provided transitively by typescript-eslint.
  • Dependency Management: Implemented a pnpm override to ensure minimatch is resolved to a secure version, specifically minimatch>=10.2.1, addressing the vulnerability introduced by 9.0.5.
Changelog
  • package.json
    • Removed direct devDependencies for @typescript-eslint/eslint-plugin and @typescript-eslint/parser.
    • Added a pnpm.overrides entry to force minimatch to version >=10.2.1.
  • pnpm-lock.yaml
    • Added a global overrides section to enforce minimatch@<10.2.1 to >=10.2.1.
    • Removed entries for @typescript-eslint/eslint-plugin and @typescript-eslint/parser from the root importer's dependencies.
    • Removed balanced-match@1.0.2, brace-expansion@2.0.2, and minimatch@9.0.5 package definitions.
    • Updated the minimatch version within the @typescript-eslint/typescript-estree snapshot from 9.0.5 to 10.2.2.
    • Removed snapshot entries for balanced-match@1.0.2 and brace-expansion@2.0.2.
Activity
  • The author has outlined a clear summary of the changes and the motivation behind them.
  • Verification steps have been provided, including checking pnpm why minimatch, pnpm lint, and pnpm js:build.
  • A test plan has been detailed, focusing on CI pass and the auto-closure of a Dependabot alert.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 22, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly addresses the minimatch ReDoS vulnerability by using pnpm overrides to force a non-vulnerable version. The removal of redundant @typescript-eslint packages is also a good cleanup. I have one suggestion to improve the determinism of the build by pinning the overridden dependency to a specific version instead of using a version range.

@codecov
Copy link

codecov bot commented Feb 22, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.41%. Comparing base (37e2bf7) to head (ff46fbd).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #466   +/-   ##
=======================================
  Coverage   92.41%   92.41%           
=======================================
  Files          15       15           
  Lines         725      725           
=======================================
  Hits          670      670           
  Misses         46       46           
  Partials        9        9
Flag Coverage Δ
backend 92.41% <100.00%> (ø)
integration 92.41% <100.00%> (ø)
unittests 90.06% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
internal/rpchandler/change_password.go 100.00% <ø> (ø)
internal/rpchandler/handler.go 91.78% <100.00%> (ø)
internal/rpchandler/ip_extraction.go 93.75% <ø> (ø)
internal/rpchandler/password_validation.go 100.00% <ø> (ø)
internal/rpchandler/request_password_reset.go 93.47% <ø> (ø)
internal/rpchandler/reset_password.go 92.85% <ø> (ø)

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0bb6ddb...ff46fbd. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI reviewed Feb 22, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a reported ReDoS vulnerability in minimatch by forcing a safe version resolution via pnpm overrides, while also cleaning up redundant TypeScript ESLint direct dependencies already covered by the unified typescript-eslint package.

Changes:

  • Remove redundant direct devDependencies: @typescript-eslint/eslint-plugin and @typescript-eslint/parser.
  • Add a pnpm override to prevent resolving vulnerable minimatch versions and ensure >=10.2.1.
  • Update pnpm-lock.yaml to reflect the override (resolving minimatch to 10.2.2) and remove now-unused transitive packages.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
package.json Removes redundant TS-ESLint direct deps and adds a pnpm overrides rule for minimatch.
pnpm-lock.yaml Records the new override and updates dependency snapshots to use minimatch@10.2.2.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@CybotTM
fix(deps): pin minimatch override to ^10.2.1
bdf1a6b 
Tighten the pnpm override from >=10.2.1 to ^10.2.1 to prevent
accidental major version jumps when minimatch 11+ is released.
@CybotTM
refactor: rename internal/rpc to internal/rpchandler
dd2d980 
Rename package to avoid conflict with Go stdlib net/rpc (revive
var-naming). Also rename JSONRPCResponse/JSONRPC types to
Response/Request to avoid stuttering (rpchandler.JSONRPCResponse).

Fixes golangci-lint failures:
- revive var-naming: package name conflict with stdlib
- revive exported: type name stuttering
- gci: import ordering (auto-formatted)
@CybotTM
fix(ci): update internal/rpc references to internal/rpchandler
494f4a8 
Update workflow, Makefile, config, and documentation references
to match the package rename from the previous commit.
@CybotTM
fix(lint): suppress gosec G704 false positive on health check
5928e0d 
The healthCheckEndpoint URL is a compile-time constant, not
user-controlled input. Suppress nolintlint as well since the
gosec version varies between local and CI environments.
@CybotTM
feat(ci): add solo-maintainer auto-approve workflow
ff46fbd 
Add pr-quality.yml that auto-approves PRs from repo collaborators
(write/admin permission), satisfying the required review count
without manual intervention.

Also fix auto-merge-deps.yml:
- Use github.event.pull_request.user.login instead of github.actor
  (stable across reruns)
- Auto-detect merge strategy from repo settings instead of
  hardcoding --rebase

Branch protection updated:
- dismiss_stale_reviews: true
- require_code_owner_reviews: false (was blocking auto-approve)
@CybotTM CybotTM merged commit ab64d53 into main Feb 22, 2026
16 checks passed
@CybotTM CybotTM deleted the fix/CVE-2026-26996-minimatch-redos branch February 22, 2026 11:24
@CybotTM CybotTM mentioned this pull request Feb 22, 2026
Merged
2 tasks
@github-actions github-actions bot added the released:v1.2.0 Released in v1.2.0 label Feb 22, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 22, 2026

Released in v1.2.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

released:v1.2.0 Released in v1.2.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CybotTM