chore(deps): resolve minimatch ReDoS vulnerability in prod dependencies#13363
Snyk checks have passed. No issues have been found so far.
Summary
- `package-lock.json`: `brace-expansion` from 2.0.2 to 5.0.2 and add `balanced-match` 4.0.3 (required by the new minimatch/brace-expansion versions)

Affected production paths:
- `[email protected]` -> `minimatch` (used by the Python plugin via `globSync()`)
- `archiver` -> `readdir-glob` -> `minimatch` (used by the esbuild plugin via `archive.directory()`)

Context

minimatch < 10.2.1 is vulnerable to ReDoS via repeated wildcards with non-matching literals. The fix version (10.2.1) declares
`engines: { node: "20 || >=22" }`, but this is a policy decision -- the code is technically compatible with Node.js 18. The upgrade is applied surgically in `package-lock.json` to avoid bumping parent packages that would require breaking major version changes.

Remaining `[email protected]` instances are dev-only (jest via test-exclude, tape via dotignore) and do not affect production builds.
Test plan
- `npm audit --omit=dev` reports no minimatch vulnerabilities
- `npm run lint` passes
- `npm run prettier` passes
- `npm run test` passes (1062 unit tests)
- `*.{json,txt}`): production vs source output identical (207 files, zero diff)
- `**/*.py[c|o]`, `**/__pycache__*`, `**/*.dist-info*`): production vs source output identical (90 files, zero diff)