Situation
npm audit reports a high severity vulnerability CVE-2026-26996 (GHSA-3ppc-4f35-3m26) in [email protected] using @actions/[email protected]
[email protected] is a legacy version, released on Feb 15, 2022
The latest version is [email protected]
Steps to reproduce
cd $(mktemp -d)
npm install @actions/cache @actions/glob
npm audit
Logs
$ npm audit
# npm audit report
minimatch <10.2.1
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
No fix available
node_modules/minimatch
@actions/glob *
Depends on vulnerable versions of minimatch
node_modules/@actions/glob
@actions/cache *
Depends on vulnerable versions of @actions/glob
node_modules/@actions/cache
3 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Suggestion
Update to [email protected] or above
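A lockfile check for the finding reported above, as an added example that is not part of the original issue or of the @actions packages: it lists installed minimatch copies below 10.2.1 (the boundary in the audit output) and the packages that declare the dependency. The sample lockfile and its version numbers are constructed placeholders, and `auditLock`, `chain` and `compareVersions` are hypothetical helper names.

```javascript
// Added example, not code from the issue or from the @actions packages.
const FIXED = '10.2.1'; // boundary taken from the audit line "minimatch <10.2.1"

// Compare plain x.y.z versions; prerelease tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Split a lockfile key such as "node_modules/a/node_modules/b" into ["a", "b"].
function chain(key) {
  return key.split('node_modules/').filter(Boolean).map(p => p.replace(/\/$/, ''));
}

// Installed copies of `name` older than `fixed`, and the packages declaring it.
function auditLock(lock, name = 'minimatch', fixed = FIXED) {
  const vulnerable = [];
  const declaredBy = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const parts = chain(key);
    if (parts[parts.length - 1] === name && meta.version &&
        compareVersions(meta.version, fixed) < 0) {
      vulnerable.push({ key, version: meta.version });
    }
    const range = (meta.dependencies || {})[name];
    if (range) declaredBy.push({ pkg: parts.join(' > ') || '(root)', range });
  }
  return { vulnerable, declaredBy };
}

// Constructed lockfile (lockfileVersion 3 shape); versions are placeholders,
// not the ones from the issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@actions/cache': '*', '@actions/glob': '*' } },
    'node_modules/@actions/cache': { version: '1.0.0', dependencies: { '@actions/glob': '^1.0.0' } },
    'node_modules/@actions/glob': { version: '1.0.0', dependencies: { minimatch: '^1.2.3' } },
    'node_modules/minimatch': { version: '1.2.3' },
    'node_modules/other/node_modules/minimatch': { version: '10.2.1' },
  },
};

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

To run it on a real project, pass the parsed `package-lock.json` to `auditLock` in place of `sampleLock`; the `declaredBy` ranges show which parent package has to widen its range before the audit finding can clear.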