
Fix: Resolve minimatch ReDoS vulnerability (CVE-2026-26996)#60

Open
sandinak wants to merge 1 commit into featherbear:master from sandinak:fix/minimatch-security-vulnerability

Conversation

@sandinak


Summary

This PR fixes 6 high severity vulnerabilities related to a ReDoS (Regular Expression Denial of Service) vulnerability in the minimatch package.

Vulnerability Details

Changes Made

Added an overrides section to package.json to force all transitive dependencies to use minimatch version ^10.2.1, which contains the security fix.

"overrides": {
  "minimatch": "^10.2.1"
}

Verification

After applying this fix:

  • ✅ npm audit reports 0 vulnerabilities (previously 6 high severity)
  • ✅ All builds pass successfully
  • ✅ No breaking changes to the API

Testing

npm install
npm audit  # Should report 0 vulnerabilities
npm run build  # Should complete successfully

References


Pull Request opened by Augment Code with guidance from the PR author

Add npm overrides to force minimatch >= 10.2.1 to address high severity
ReDoS vulnerability (GHSA-3ppc-4f35-3m26) in transitive dependencies.

This fixes 6 high severity vulnerabilities reported by npm audit.
