[GHSA-3ppc-4f35-3m26] minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern#7007
Conversation
|
Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
bot
changed the base branch from
main
to
daniel-mudigital/advisory-improvement-7007
There was a problem hiding this comment.
Pull request overview
Updates the GHSA advisory for minimatch ReDoS to more explicitly enumerate affected products/versions and patched versions.
Changes:
- Updated the advisory
modifiedtimestamp. - Added multiple
affectedentries for the npm packageminimatchwith differentfixedversions.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "3.1.3" | ||
| } | ||
| ] |
There was a problem hiding this comment.
These affected entries all start with introduced: \"0\" while only changing the fixed version. In OSV semantics, multiple affected records for the same package are effectively unioned; this makes the overall affected range extend up to the largest fixed version (e.g., 4.2.4, 5.1.7, etc.), which overstates impact if the vulnerability is already fixed in 3.1.3 for that line. Consider representing separate release lines with non-overlapping ranges (e.g., introduced: \"4.0.0\" -> fixed: \"4.2.4\", introduced: \"5.0.0\" -> fixed: \"5.1.7\", etc.) or combining into a single affected entry with multiple ranges/events that accurately reflect when each line became affected.
There was a problem hiding this comment.
Yeah, I gotta agree with the bot on this one. They should be "introduced": "4.0.0", "fixed": "4.2.4" etc.
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "4.2.4" | ||
| } | ||
| ] |
There was a problem hiding this comment.
These affected entries all start with introduced: \"0\" while only changing the fixed version. In OSV semantics, multiple affected records for the same package are effectively unioned; this makes the overall affected range extend up to the largest fixed version (e.g., 4.2.4, 5.1.7, etc.), which overstates impact if the vulnerability is already fixed in 3.1.3 for that line. Consider representing separate release lines with non-overlapping ranges (e.g., introduced: \"4.0.0\" -> fixed: \"4.2.4\", introduced: \"5.0.0\" -> fixed: \"5.1.7\", etc.) or combining into a single affected entry with multiple ranges/events that accurately reflect when each line became affected.
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "5.1.7" | ||
| } | ||
| ] |
There was a problem hiding this comment.
These affected entries all start with introduced: \"0\" while only changing the fixed version. In OSV semantics, multiple affected records for the same package are effectively unioned; this makes the overall affected range extend up to the largest fixed version (e.g., 4.2.4, 5.1.7, etc.), which overstates impact if the vulnerability is already fixed in 3.1.3 for that line. Consider representing separate release lines with non-overlapping ranges (e.g., introduced: \"4.0.0\" -> fixed: \"4.2.4\", introduced: \"5.0.0\" -> fixed: \"5.1.7\", etc.) or combining into a single affected entry with multiple ranges/events that accurately reflect when each line became affected.
| { | ||
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "minimatch" | ||
| }, |
There was a problem hiding this comment.
The affected array repeats identical package objects for minimatch many times, which is error-prone and hard to audit (and contributed to the overlapping-range issue above). If the schema allows, prefer a single affected entry for the package with multiple ranges (or multiple events sequences) to capture each fixed line, so the version logic is centralized and easier to review.
| { | ||
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "minimatch" | ||
| }, |
There was a problem hiding this comment.
The affected array repeats identical package objects for minimatch many times, which is error-prone and hard to audit (and contributed to the overlapping-range issue above). If the schema allows, prefer a single affected entry for the package with multiple ranges (or multiple events sequences) to capture each fixed line, so the version logic is centralized and easier to review.
| { | ||
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "minimatch" | ||
| }, |
There was a problem hiding this comment.
The affected array repeats identical package objects for minimatch many times, which is error-prone and hard to audit (and contributed to the overlapping-range issue above). If the schema allows, prefer a single affected entry for the package with multiple ranges (or multiple events sequences) to capture each fixed line, so the version logic is centralized and easier to review.
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" |
There was a problem hiding this comment.
| "introduced": "0" | |
| "introduced": "0.0.0" |
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" |
There was a problem hiding this comment.
| "introduced": "0" | |
| "introduced": "4.0.0" |
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" |
There was a problem hiding this comment.
| "introduced": "0" | |
| "introduced": "5.0.0" |
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" |
There was a problem hiding this comment.
| "introduced": "0" | |
| "introduced": "6.0.0" |
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" |
There was a problem hiding this comment.
| "introduced": "0" | |
| "introduced": "7.0.0" |
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" |
There was a problem hiding this comment.
| "introduced": "0" | |
| "introduced": "8.0.0" |
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" |
There was a problem hiding this comment.
| "introduced": "0" | |
| "introduced": "9.0.0" |
|
Note I've already opened #7002 which has the correct ranges |
|
Let's use #7002 |
5 participants
Updates
Comments
specific on affected versions and patched versions