fix(misc): bump minimatch to 10.2.1 to address CVE-2026-26996 #34509
leosvelperez wants to merge 4 commits into master
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud has identified a possible root cause for your failed CI:
Our maven-batch-runner:package failure is not related to the minimatch catalog update. This same JAR corruption error exists in the master branch and appears to be a pre-existing build infrastructure issue where Maven artifacts become corrupted during the build process.
No code changes were suggested for this issue.
Bump ts-morph to ^27.0.2 so publishable artifacts consume @ts-morph/common@0.28.1 and minimatch@10.2.1 transitively.
I think this PR might also fix #32440? the
Current Behavior
Several Nx packages directly depend on a minimatch version with a high-severity vulnerability (GHSA-3ppc-4f35-3m26).
Expected Behavior
Several Nx packages should depend directly on a minimatch version that does not include the reported high-severity vulnerability.
Note: unsafe minimatch versions can still be pulled in transitively. Upstream deps need to be updated, and then we need to update the Nx packages to newer versions.
Related Issue(s)
Fixes #34507
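
The note about transitive copies can be checked in a consuming workspace. The following is an added example, not code from this PR or from Nx: it walks the `packages` map of an npm `package-lock.json` (lockfile v2/v3 assumed) and lists every installed minimatch older than 10.2.1, with the package that nests it. The package names and versions in `sampleLock` are constructed, and treating every version below 10.2.1 as needing review is an assumption; check the advisory for patched versions on older release lines.

```javascript
// Added example: find minimatch copies in an npm lockfile that are older
// than the version this PR bumps to.
const FIXED = '10.2.1'; // target version taken from the PR title

// Compare plain x.y.z versions; prerelease/build suffixes are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Returns [{ path, version, via }] for each installed minimatch below `fixed`.
// `via` is the package whose node_modules holds the copy, "(root)" if hoisted.
function findOldMinimatch(lock, fixed = FIXED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parts = path
      .split('node_modules/')
      .filter(Boolean)
      .map((p) => p.replace(/\/$/, ''));
    if (parts[parts.length - 1] !== 'minimatch' || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version, via: parts[parts.length - 2] || '(root)' });
    }
  }
  return hits;
}

// Constructed sample lockfile; package names and versions are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-workspace', version: '0.0.0' },
    'node_modules/minimatch': { version: '10.2.1' },
    'node_modules/@example/tool-a': { version: '1.0.0' },
    'node_modules/@example/tool-a/node_modules/minimatch': { version: '10.0.3' },
    'node_modules/example-tool-b': { version: '2.0.0' },
    'node_modules/example-tool-b/node_modules/minimatch': { version: '3.1.2' },
  },
};

console.log(findOldMinimatch(sampleLock));
```

In a real workspace, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of `sampleLock`.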