
Commit 59369f8

Authors: Copilot, azu, Copilot
Upgrade glob to v11 to fix minimatch ReDoS vulnerability (#1936)
glob v10 depends on minimatch v9, which has a ReDoS vulnerability (CVE-2026-26996, GHSA-3ppc-4f35-3m26). Patterns with many consecutive asterisks followed by non-matching literals cause exponential backtracking.

## Changes

- **Upgrade glob**: `^10.5.0` → `^11.1.0` in `packages/textlint/package.json`
  - Pulls in minimatch v10.2.1 (patched version)
- **Remove @types/glob**: glob v11 ships with built-in TypeScript definitions

<!-- START COPILOT ORIGINAL PROMPT -->
<details>
<summary>Original prompt</summary>

> ----
>
> *This section details on the original issue you should resolve*
>
> <issue_title>Vulnerable Dependency: glob (due to minimatch)</issue_title>
> <issue_description>Howdy, thanks for supporting/maintaining textlint!
>
> glob v10 depends on a minimatch version that has a CVE: GHSA-3ppc-4f35-3m26
>
> It looks like glob v11 uses a newer version of minimatch that is not affected, and still supports back to node 20 which would align with the current supported version specified in textlint.</issue_description>
>
> <agent_instructions>fix glob dependencies and check audit</agent_instructions>
>
> ## Comments on the Issue (you are @copilot in this section)
>
> <comments>
> </comments>

</details>

<!-- START COPILOT CODING AGENT SUFFIX -->
- Fixes #1934

<!-- START COPILOT CODING AGENT TIPS -->
---
🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. [Learn more about Advanced Security.](https://gh.io/cca-advanced-security)

---------
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: azu <[email protected]>
Co-authored-by: azu <[email protected]>
Co-authored-by: Copilot <[email protected]>
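The issue's "check audit" step can be scripted as a lockfile check. This is an added example, not code from the textlint repository or from this commit: it scans pnpm-lock.yaml text for every pinned minimatch version and reports any older than the patched 10.2.1 named in the commit message. The lockfile excerpt is constructed, and the key formats (`/minimatch@x.y.z:` for lockfile v6, `minimatch@x.y.z:` for v9) are an assumption about pnpm's layout.

```javascript
// Added example (not the textlint project's own code): audit a pnpm lockfile
// for minimatch versions still below the patched release from the commit message.
const PATCHED_MINIMATCH = '10.2.1';

// Numeric compare of two "major.minor.patch" strings; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every distinct minimatch version pinned anywhere in the lockfile, ascending.
// Matches both "/minimatch@9.0.5:" (lockfile v6) and "minimatch@9.0.5:" (v9),
// in the packages: and snapshots: sections alike (assumed pnpm key layout).
function resolvedMinimatchVersions(lockfileText) {
  const re = /^\s*\/?minimatch@(\d+\.\d+\.\d+)\b/gm;
  const found = new Set();
  let m;
  while ((m = re.exec(lockfileText)) !== null) found.add(m[1]);
  return [...found].sort(compareSemver);
}

// Versions that are still vulnerable, i.e. older than the patched release.
function vulnerableMinimatchVersions(lockfileText, patched = PATCHED_MINIMATCH) {
  return resolvedMinimatchVersions(lockfileText).filter((v) => compareSemver(v, patched) < 0);
}

// Constructed lockfile excerpt (not the repository's real pnpm-lock.yaml):
// a stale pin left behind by glob v10 next to the patched pin from glob v11.
const SAMPLE_LOCKFILE = `
packages:
  glob@10.5.0:
    resolution: {integrity: sha512-constructed}
  glob@11.1.0:
    resolution: {integrity: sha512-constructed}
  minimatch@9.0.5:
    resolution: {integrity: sha512-constructed}
  minimatch@10.2.1:
    resolution: {integrity: sha512-constructed}
snapshots:
  glob@10.5.0:
    dependencies:
      minimatch: 9.0.5
`;

console.log('vulnerable minimatch pins:', vulnerableMinimatchVersions(SAMPLE_LOCKFILE));
```

A non-empty result means the upgrade has not removed every vulnerable resolution from the lockfile, which is exactly what this page's unrendered pnpm-lock.yaml diff would need to show.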
1 parent: 9ea2b09 · commit: 59369f8

2 files changed

Lines changed: 10 additions & 59 deletions

packages/textlint/package.json

Lines changed: 1 addition & 2 deletions
@@ -64,7 +64,7 @@
6464
"@textlint/utils": "workspace:*",
6565
"debug": "^4.4.3",
6666
"file-entry-cache": "^10.1.4",
67-
"glob": "^10.5.0",
67+
"glob": "^11.1.0",
6868
"md5": "^2.3.0",
6969
"optionator": "^0.9.4",
7070
"path-to-glob-pattern": "^2.0.1",
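Review bot: The change at line 67 is a major-version bump of glob (`^10.5.0` to `^11.1.0`), so the transitive minimatch fix arrives together with whatever breaking changes glob v11 carries; the PR should confirm that this package's `engines.node` range still matches the Node 20 floor the linked issue relies on, and say which glob call sites in textlint were re-checked against v11. The pnpm-lock.yaml hunk is not rendered on this page, so a reviewer cannot see here that minimatch@9.x has actually left the lockfile; pasting the `pnpm why minimatch` (or `pnpm audit`) output into the PR description would close that gap.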
@@ -77,7 +77,6 @@
7777
"@textlint/legacy-textlint-core": "workspace:*",
7878
"@types/clone": "^2.1.4",
7979
"@types/debug": "^4.1.12",
80-
"@types/glob": "^8.1.0",
8180
"@types/node": "^24.10.13",
8281
"@types/shelljs": "^0.10.0",
8382
"clone": "^2.1.2",
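Review bot: Dropping `@types/glob` at line 80 is only safe if nothing in the workspace still references it; once the package is gone, a stray `/// <reference types="glob" />` or a `"types"` entry naming it in a tsconfig would fail to resolve, so the PR should mention that the repository's typecheck was run after the removal. It is also worth checking that no other workspace package lists `@types/glob` in its own devDependencies, since the lockfile summary (9 additions, 57 deletions) is the only evidence of the removal visible on this page.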

pnpm-lock.yaml

Lines changed: 9 additions & 57 deletions

0 commit comments