[GHSA-3ppc-4f35-3m26] minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

[robinbisping]

Updates

• Affected products

Comments
The developer has also backported the fix to previous major versions. See: GHSA-3ppc-4f35-3m26

[github]

Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull request overview

Updates the GitHub-reviewed advisory for GHSA-3ppc-4f35-3m26 (minimatch ReDoS) to reflect additional affected product ranges after the fix was backported to multiple prior major versions.

Changes:

• Updated the advisory modified timestamp.
• Added additional affected entries for minimatch to include backported fixed versions across multiple major lines.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

All newly added affected entries use {"introduced": "0"} with different fixed versions. With semver ordering, the first range introduced: 0 → fixed: 10.2.1 still marks versions like 9.0.6, 8.0.5, etc. as affected (since they’re < 10.2.1), so the backported fix releases will be incorrectly reported as vulnerable. Model backports as disjoint ranges by setting introduced to the start of each maintained major line (eg 10.0.0→10.2.1, 9.0.0→9.0.6, …) and keep only the oldest range as 0→3.1.3 (or whichever earliest fixed version applies).

[robinbisping]

Replaced by: #7021