[GHSA-3ppc-4f35-3m26] minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern#7002

Open
G-Rath wants to merge 1 commit into G-Rath/advisory-improvement-7002 from G-Rath-GHSA-3ppc-4f35-3m26

Conversation


@G-Rath G-Rath commented Feb 22, 2026

Updates

  • Affected products
  • References

Comments
Updated to match GHSA-3ppc-4f35-3m26


github commented Feb 22, 2026

Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

Copilot AI review requested due to automatic review settings February 22, 2026 18:16
@github-actions github-actions bot changed the base branch from main to G-Rath/advisory-improvement-7002 February 22, 2026 18:17

Copilot AI left a comment


Pull request overview

Updates the GitHub-reviewed advisory record for GHSA-3ppc-4f35-3m26 to match the upstream minimatch advisory by refining affected version ranges and adding an additional reference.

Changes:

  • Refined affected version range start for v10 and added explicit affected ranges for v3–v9.
  • Added a new web reference link to the related upstream issue.
  • Bumped the advisory modified timestamp.


Comment on lines +36 to +61
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.6"
}
]
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
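Review bot: the visible 9.x window (`"introduced": "9.0.0"`, `"fixed": "9.0.6"`) is carried as its own `affected` item with a repeated `package` block, and the following item is cut off in this excerpt right after `"ranges": [`, so its events cannot be checked here; since the description says explicit ranges were added for v3 through v9, confirm each item's `fixed` version against the upstream GHSA-3ppc-4f35-3m26 record before merge, and make sure no window is left open-ended (an `introduced` event with no matching `fixed`) unless that major line genuinely has no patched release.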

Copilot AI Feb 22, 2026


Multiple affected entries repeat the same { ecosystem: "npm", name: "minimatch" } package block, which increases duplication and makes future edits error-prone. Consider consolidating these into a single affected item for minimatch with multiple ranges entries so all version windows live under one package record.

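The range shape used in the excerpt above (OSV-style `affected` items with `ECOSYSTEM` ranges built from `introduced`/`fixed` events) can be evaluated mechanically, which is how a scanner decides whether an installed minimatch is inside a vulnerable window. The JavaScript below is an added example, not code from the advisory database or from minimatch; it assumes plain numeric semver versions (no prerelease tags) and uses only the 9.x window visible in the diff as constructed sample data.

```javascript
// Added example (not advisory-database or minimatch code): evaluate OSV
// "affected" entries against a concrete package version.
// Assumption: versions are plain numeric semver such as "9.0.5".

function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True if `version` of `name` in `ecosystem` lies in any window [introduced, fixed).
// OSV events are ordered: each "introduced" opens a window, the next "fixed"
// closes it; "introduced": "0" means "from the first release", and a window
// with no "fixed" event is open-ended (no patched release in that line).
function isAffected(affected, ecosystem, name, version) {
  for (const entry of affected) {
    const pkg = entry.package;
    if (pkg.ecosystem !== ecosystem || pkg.name !== name) continue;
    for (const range of entry.ranges) {
      if (range.type !== 'ECOSYSTEM') continue;
      const windows = [];
      for (const ev of range.events) {
        if (ev.introduced !== undefined) {
          windows.push({ lo: ev.introduced === '0' ? '0.0.0' : ev.introduced, hi: null });
        } else if (ev.fixed !== undefined && windows.length > 0) {
          windows[windows.length - 1].hi = ev.fixed;
        }
      }
      for (const w of windows) {
        const afterIntroduced = cmpVersion(version, w.lo) >= 0;
        const beforeFixed = w.hi === null || cmpVersion(version, w.hi) < 0;
        if (afterIntroduced && beforeFixed) return true;
      }
    }
  }
  return false;
}

// Constructed sample: only the 9.x window that is visible in the excerpt.
const AFFECTED = [
  {
    package: { ecosystem: 'npm', name: 'minimatch' },
    ranges: [{ type: 'ECOSYSTEM', events: [{ introduced: '9.0.0' }, { fixed: '9.0.6' }] }],
  },
];
```

Consolidating the per-major items into one `affected` item with several `ranges` entries, as the comment above suggests, does not change this evaluation, because each range is checked independently.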
@asrar-mared

All validations completed successfully.

  • ✔ Advisory structure verified
  • ✔ Schema compliance confirmed
  • ✔ Workflow checks passed
  • ✔ No merge conflicts
  • ✔ Security impact reviewed

This PR is ready for immediate merge.
Happy to assist with any follow-up improvements.
