
fix: update minimatch to 3.1.5 to resolve security vulnerabilities #228

Merged: AndyBitz merged 2 commits into vercel:master from ParakhJaggi:fix/update-minimatch-security on Mar 3, 2026

Conversation

@ParakhJaggi (Contributor)

Summary

Bumps minimatch from 3.1.2 to 3.1.5 — the latest patch release in the 3.x line. This is a non-breaking, patch-level update that resolves three high-severity ReDoS vulnerabilities:

  • GHSA-3ppc-4f35-3m26 — ReDoS via repeated wildcards with non-matching literal in pattern
  • GHSA-7r86-cg39-jmmj — ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
  • GHSA-23c5-xmqv-rm74 — ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

This causes downstream Dependabot alerts for all consumers of serve-handler (including serve).

Fixes #206

Bumps minimatch from 3.1.2 to 3.1.5, the latest patch in the 3.x line.
This resolves the following CVEs:
- GHSA-3ppc-4f35-3m26 (ReDoS via repeated wildcards, high severity)
- GHSA-7r86-cg39-jmmj (ReDoS via multiple non-adjacent GLOBSTAR segments, high severity)
- GHSA-23c5-xmqv-rm74 (ReDoS via nested *() extglobs, high severity)

Fixes vercel#206
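Added example, not code from this PR or from the serve-handler project: a small Node script that reads a yarn.lock (v1 format) and reports every resolved minimatch version, flagging 3.x versions below 3.1.5 as still carrying the three advisories listed above and marking 3.1.5 and later as patched. The lockfile contents below are constructed for illustration; for major lines other than 3.x the script only marks the entry for manual review, because this thread does not state the fixed versions there.

```javascript
// Added example (not part of the PR or of serve-handler): audit a yarn.lock
// (v1 format) for minimatch resolutions and flag 3.x versions below 3.1.5.

// Patch release this PR moves to; per the PR description, 3.x versions below
// it are the ones the listed ReDoS advisories apply to.
const FIXED_3X = [3, 1, 5];

// "3.1.2" -> [3, 1, 2]; returns null for anything that is not x.y.z
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric tuple comparison: -1, 0 or 1
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal yarn.lock v1 parser: an unindented line ending in ":" opens an entry
// listing one or more (possibly quoted) specifiers; the indented
// `version "..."` line beneath it is the resolved version. Other fields
// (resolved, integrity, dependencies) are ignored.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line)) {
      const specifiers = line
        .replace(/:\s*$/, '')
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specifiers, version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version\s+"([^"]+)"/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "@scope/name@^1.0.0" -> "@scope/name"; "name@^1.0.0" -> "name"
function packageName(specifier) {
  const at = specifier.lastIndexOf('@');
  return at > 0 ? specifier.slice(0, at) : specifier;
}

// One finding per lockfile entry that resolves minimatch.
function auditMinimatch(lockText) {
  const findings = [];
  for (const entry of parseYarnLock(lockText)) {
    if (!entry.specifiers.some((s) => packageName(s) === 'minimatch')) continue;
    const v = parseVersion(entry.version || '');
    let status;
    if (!v) status = 'unparseable';
    else if (v[0] !== 3) status = 'review'; // fixed version for other majors not stated in this thread
    else status = compareVersions(v, FIXED_3X) < 0 ? 'vulnerable' : 'patched';
    findings.push({ specifiers: entry.specifiers, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (hypothetical and abbreviated: real entries also
// carry resolved/integrity lines, which the parser ignores).
const SAMPLE_LOCK = `# yarn lockfile v1

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.2"

"minimatch@^3.1.5":
  version "3.1.5"

minimatch@^10.0.0:
  version "10.2.4"

"@isaacs/cliui@^8.0.2":
  version "8.0.2"
`;

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  // Pass a real lockfile path as argv[2]; otherwise the constructed sample is used.
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK;
  for (const f of auditMinimatch(text)) {
    console.log(`${f.status.padEnd(11)} minimatch ${f.version}  <- ${f.specifiers.join(', ')}`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { parseVersion, compareVersions, parseYarnLock, packageName, auditMinimatch, SAMPLE_LOCK };
}
```

Run it as `node audit-minimatch.js yarn.lock` against a real lockfile; an entry reported as `vulnerable` means a consumer still pins a 3.x release that predates this fix, which is the condition that keeps the Dependabot alerts mentioned above firing.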
@MikeMcC399

This would be an alternative to #226

@ParakhJaggi (Contributor, Author) commented Mar 2, 2026

> This would be an alternative to #226

This is a better alternative imo, v10.2.4 is an aggressive update. 3.1.5 is within the 3.x family and contains the remediation.

@MikeMcC399

@ParakhJaggi

> This would be an alternative to #226

> This is a better alternative imo, v10.2.4 is an aggressive update. 3.1.5 is within the 3.x family and contains the remediation.

Note the comment in actions/toolkit#2306 from the package owner, where he talks about updating to v10 to move to a supported version.

The repo maintainers will need to decide which way to go. Your PR would solve the immediate problem.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff  | Package         | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|-------|-----------------|-----------------------|---------------|---------|-------------|---------|
| Added | minimatch@3.1.5 | 100                   | 100           | 100     | 96          | 100     |


@AndyBitz (Contributor) left a comment

Thanks for opening the PR and reaching out to me!

I'll merge and publish this one instead of the upgrade to 10.x to get it out faster, as the upgrade to 10.x would warrant a major release and it's better to keep this security fix smaller.

We can revisit the upgrade to 10.x afterwards.

@AndyBitz AndyBitz merged commit af11c99 into vercel:master Mar 3, 2026
1 of 2 checks passed
@MikeMcC399

@AndyBitz

This has merged into the master branch not the (default) main branch.

@AndyBitz (Contributor) commented Mar 3, 2026

@MikeMcC399 indeed, didn't notice. Will get this sorted, thanks!

AndyBitz pushed a commit that referenced this pull request Mar 3, 2026

* fix: update minimatch to 3.1.5 to resolve security vulnerabilities

Bumps minimatch from 3.1.2 to 3.1.5, the latest patch in the 3.x line.
This resolves the following CVEs:
- GHSA-3ppc-4f35-3m26 (ReDoS via repeated wildcards, high severity)
- GHSA-7r86-cg39-jmmj (ReDoS via multiple non-adjacent GLOBSTAR segments, high severity)
- GHSA-23c5-xmqv-rm74 (ReDoS via nested *() extglobs, high severity)

Fixes #206

* chore: update yarn.lock for minimatch 3.1.5
@AndyBitz (Contributor) commented Mar 3, 2026

Published the serve-handler update in 6.1.7, will now take care of serve itself.
Thanks again!
