[GHSA-3ppc-4f35-3m26] minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern#7012

Closed

timbru31 wants to merge 1 commit into timbru31/advisory-improvement-7012 from timbru31-GHSA-3ppc-4f35-3m26

Conversation

@timbru31

Updates

  • Affected products
  • References

Comments
Adding version information for the backported fixes from v3 to v9 (isaacs/minimatch#275 (comment))

Copilot AI review requested due to automatic review settings February 23, 2026 07:24
@github
Collaborator

github commented Feb 23, 2026

Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to timbru31/advisory-improvement-7012 February 23, 2026 07:25
@timbru31
Author

There is no way of seeing the list of open improvements for an advisory, and the UI does not take one straight to the PR overview. Let's keep #7002.

@timbru31 timbru31 closed this Feb 23, 2026

Copilot AI left a comment


Pull request overview

Updates the GHSA advisory record for minimatch (GHSA-3ppc-4f35-3m26) to reflect additional backported fix versions and adds a supporting reference link.

Changes:

  • Expanded the affected section with additional npm minimatch fixed versions (intended to capture backports across major lines).
  • Added a reference to the upstream minimatch issue comment that documents the backported fixes.
  • Bumped the advisory modified timestamp.


Comment on lines +36 to +52
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.6"
}
]
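Review bot: the new minimatch entry here starts at "introduced": "0" just like the existing entry that ends at 10.2.1, so the two ranges overlap rather than partition the version space, and every version below 10.2.1, including the backported fix 9.0.6 itself, still matches the union of affected ranges. Give each backport line its own lower bound, e.g. `{"introduced": "9.0.0"}` paired with `{"fixed": "9.0.6"}`, and keep "introduced": "0" only on the lowest line. A quick pre-merge check: after the edit, 9.0.6 should fall inside none of the affected ranges.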

Copilot AI Feb 23, 2026


The newly added affected entries all use {"introduced": "0"} with different fixed versions. In OSV semantics these ranges are unioned, which will incorrectly mark versions that are actually fixed via backports (e.g., 9.0.6, 8.0.5, etc.) as still vulnerable because they are < 10.2.1. To represent backported fixes across major release lines, each entry should start at the relevant major (or branch) introduction point (e.g., introduced: 10.0.0 -> fixed: 10.2.1, introduced: 9.0.0 -> fixed: 9.0.6, …, and likely introduced: 0 -> fixed: 3.1.3 for v0–v3).

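The range semantics the review comment relies on, as an added example that is not part of this PR, the advisory record or the minimatch project: a minimal evaluator for OSV `ECOSYSTEM` ranges over npm-style versions, run against two constructed `affected` lists. `AS_SUBMITTED` mirrors the PR's approach (every entry starts at `"0"`); `PER_MAJOR` mirrors the reviewer's suggestion. Only the fixed versions the review names (3.1.3, 8.0.5, 9.0.6, 10.2.1) are used, the lower bounds 8.0.0, 9.0.0 and 10.0.0 are assumed to be the start of each major line, and the other backport lines are deliberately omitted, so the lists are illustrations, not the advisory's actual data. The function and variable names are this example's own.

```python
"""Evaluate OSV ECOSYSTEM ranges the way advisory consumers do (union of entries).

Added example; not code from the advisory, GitHub's curation tooling or minimatch.
The affected lists are constructed from the versions named in the PR review.
"""
from typing import Dict, List, Tuple


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Strict numeric x[.y[.z]] parser; "0" is OSV's 'since the first release' floor.

    Pre-release tags are out of scope here, so they are rejected rather than guessed.
    """
    parts = version.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_range(version: str, events: List[Dict[str, str]]) -> bool:
    """One OSV range: walk events in version order; the last event at or below
    the version decides (introduced -> affected, fixed -> not affected)."""
    v = parse_semver(version)
    ordered = sorted(events, key=lambda e: parse_semver(next(iter(e.values()))))
    affected = False
    for event in ordered:
        (kind, bound), = event.items()
        if v >= parse_semver(bound):
            affected = kind == "introduced"
    return affected


def is_vulnerable(version: str, affected: List[Dict]) -> bool:
    """A version is vulnerable if ANY affected entry matches: entries are unioned,
    which is exactly why an extra entry starting at "0" can only widen the set."""
    return any(
        in_range(version, rng["events"])
        for entry in affected
        for rng in entry["ranges"]
        if rng["type"] == "ECOSYSTEM"
    )


def affected_entry(introduced: str, fixed: str) -> Dict:
    # Same shape as the advisory JSON in the PR hunk (package + one ECOSYSTEM range).
    return {
        "package": {"ecosystem": "npm", "name": "minimatch"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": introduced}, {"fixed": fixed}]}],
    }


# Constructed to mirror the PR as submitted: every backport entry starts at "0".
AS_SUBMITTED = [affected_entry("0", f) for f in ("10.2.1", "9.0.6", "8.0.5", "3.1.3")]

# Constructed to mirror the review suggestion: each line starts at its own major
# (8.0.0 / 9.0.0 / 10.0.0 are assumed line starts; 4.x-7.x lines omitted on purpose).
PER_MAJOR = [
    affected_entry("0", "3.1.3"),
    affected_entry("8.0.0", "8.0.5"),
    affected_entry("9.0.0", "9.0.6"),
    affected_entry("10.0.0", "10.2.1"),
]


def shadowed_backports(affected: List[Dict]) -> List[str]:
    """Lint: among entries that start at "0", every fixed version except the
    highest is shadowed, because the union still reaches up to the highest one."""
    zero_based = sorted(
        (parse_semver(rng["events"][1]["fixed"]), rng["events"][1]["fixed"])
        for entry in affected
        for rng in entry["ranges"]
        if rng["events"][0].get("introduced") == "0"
    )
    return [text for _, text in zero_based[:-1]]


if __name__ == "__main__":
    for label, data in (("as submitted", AS_SUBMITTED), ("per major", PER_MAJOR)):
        verdicts = {v: is_vulnerable(v, data) for v in ("3.1.3", "8.0.5", "9.0.5", "9.0.6", "10.2.1")}
        print(f"{label:12s} vulnerable={verdicts} shadowed={shadowed_backports(data)}")
```

With the submitted layout, `9.0.6` and `8.0.5` still evaluate as vulnerable because the `0 -> 10.2.1` entry covers them; with per-major bounds each backported fix is the first clean version on its own line, and `shadowed_backports` returns nothing. Running the lint over an advisory's `affected` array before submitting is a cheap way to catch this class of mistake.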
@github-actions github-actions bot deleted the timbru31-GHSA-3ppc-4f35-3m26 branch February 23, 2026 07:27