[GHSA-3ppc-4f35-3m26] minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern #7012
Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
There is no way of seeing the list of open improvements for an advisory and the UI does not take one straight to the PR overview. Let's keep #7002.
Pull request overview
Updates the GHSA advisory record for minimatch (GHSA-3ppc-4f35-3m26) to reflect additional backported fix versions and adds a supporting reference link.
Changes:
- Expanded the `affected` section with additional npm `minimatch` fixed versions (intended to capture backports across major lines).
- Added a reference to the upstream minimatch issue comment that documents the backported fixes.
- Bumped the advisory `modified` timestamp.
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "minimatch" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "9.0.6" | ||
| } | ||
| ] |
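Review bot: the new `affected` entry shown here pairs `"introduced": "0"` with `"fixed": "9.0.6"`, which overlaps the advisory's existing `introduced: 0 -> fixed: 10.2.1` range; because OSV ranges are unioned, a scanner will still report 9.0.6 and later 9.x releases as vulnerable. Set this entry to `"introduced": "9.0.0"` (and give each other backported major its own `introduced` at that major's first release) so every range covers only its own release line.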
The newly added affected entries all use {"introduced": "0"} with different fixed versions. In OSV semantics these ranges are unioned, which will incorrectly mark versions that are actually fixed via backports (e.g., 9.0.6, 8.0.5, etc.) as still vulnerable because they are < 10.2.1. To represent backported fixes across major release lines, each entry should start at the relevant major (or branch) introduction point (e.g., introduced: 10.0.0 -> fixed: 10.2.1, introduced: 9.0.0 -> fixed: 9.0.6, …, and likely introduced: 0 -> fixed: 3.1.3 for v0–v3).
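The union semantics described in the comment above, as an added example (not code from the advisory database, from OSV tooling, or from minimatch): a minimal OSV `ECOSYSTEM` range evaluator run over the ranges as submitted in this PR and over the per-major shape the comment suggests. Only the fixed versions named on this page are used; versions are assumed to be plain numeric dotted strings without prerelease tags.

```python
# Minimal OSV range evaluator, written to show why {"introduced": "0"} on every
# backport entry is wrong. Example code, not part of any advisory tooling.
# Assumption: versions are plain numeric dotted strings (no prerelease tags).

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def affected_by_range(version: str, events: list) -> bool:
    """OSV semantics for one range: walk events in ascending version order;
    an 'introduced' event at or below `version` turns the affected flag on,
    a later 'fixed' event at or below `version` turns it off."""
    v = parse_version(version)
    affected = False
    key = lambda e: parse_version(next(iter(e.values())))
    for ev in sorted(events, key=key):
        (kind, bound), = ev.items()
        if v >= parse_version(bound):
            affected = (kind == "introduced")
    return affected

def is_affected(version: str, ranges: list) -> bool:
    """An advisory's ranges are unioned: any one matching range means affected."""
    return any(affected_by_range(version, r["events"]) for r in ranges)

def rng(introduced: str, fixed: str) -> dict:
    return {"type": "ECOSYSTEM",
            "events": [{"introduced": introduced}, {"fixed": fixed}]}

# Ranges as submitted in this PR: every entry starts at "0".
# Only the fixed versions named on this page are included (constructed sample).
SUBMITTED = [rng("0", "10.2.1"), rng("0", "9.0.6"),
             rng("0", "8.0.5"), rng("0", "3.1.3")]

# Ranges shaped as the review comment suggests: one per major release line.
# Majors 4-7 are omitted only because their fixed versions are not named here.
CORRECTED = [rng("10.0.0", "10.2.1"), rng("9.0.0", "9.0.6"),
             rng("8.0.0", "8.0.5"), rng("0", "3.1.3")]

if __name__ == "__main__":
    for v in ("9.0.5", "9.0.6", "10.2.0", "10.2.1"):
        print(v, "submitted:", is_affected(v, SUBMITTED),
              "corrected:", is_affected(v, CORRECTED))
```

With the submitted ranges 9.0.6 still evaluates as affected because the `0 -> 10.2.1` range swallows it; with per-major ranges it evaluates as fixed while 9.0.5 and 10.2.0 remain affected.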
Adding version information for the backported fixes from v3 to v9 (isaacs/minimatch#275 (comment))