[GHSA-3ppc-4f35-3m26] minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern #7018
Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Updates the GitHub-reviewed advisory for GHSA-3ppc-4f35-3m26 (minimatch ReDoS) to reflect additional affected product ranges after the fix was backported to multiple prior major versions.
Changes:
- Updated the advisory `modified` timestamp.
- Added additional `affected` entries for minimatch to include backported fixed versions across multiple major lines.
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "npm", | ||
| "name": "minimatch" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "9.0.6" | ||
| } | ||
| ] |
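Review bot: this entry's only range is `"introduced": "0"` → `"fixed": "9.0.6"`, which is not disjoint from the other `introduced: "0"` entries added in the same change; under semver ordering the range with the highest `fixed` value subsumes this one, so 9.0.6 itself will still be reported as affected. Set `"introduced": "9.0.0"` here (and the matching start of each other maintained major line in its entry), leaving a single `"introduced": "0"` range only on the oldest entry.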
All newly added affected entries use {"introduced": "0"} with different fixed versions. With semver ordering, the first range introduced: 0 → fixed: 10.2.1 still marks versions like 9.0.6, 8.0.5, etc. as affected (since they’re < 10.2.1), so the backported fix releases will be incorrectly reported as vulnerable. Model backports as disjoint ranges by setting introduced to the start of each maintained major line (e.g. 10.0.0→10.2.1, 9.0.0→9.0.6, …) and keep only the oldest range as 0→3.1.3 (or whichever earliest fixed version applies).
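The overlap described in the review comment above can be checked mechanically. The following is an added example, not code from the advisory PR or from the minimatch project: it evaluates OSV-style `ECOSYSTEM` ranges with semver ordering (a version is affected if it is `>=` an `introduced` event and `<` the `fixed` event that follows it) and compares the entries as submitted (every entry starting at `"0"`) with disjoint per-major ranges. The version numbers come from the comment; the entry shapes, `parse_version` helper and the `3.1.3` oldest-line cutoff are constructed for illustration, not a statement of minimatch's actual fixed versions.

```python
"""Evaluate OSV-style ECOSYSTEM ranges with semver ordering.

Added example (not part of the advisory PR): shows why several ranges that
all begin at introduced "0" overlap, so a backported fix release such as
9.0.6 is still reported vulnerable by the 0 -> 10.2.1 range, and how
disjoint per-major ranges avoid that.
"""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    The OSV value "0" means "every version" and sorts first. Pre-release
    and build metadata are stripped, which is enough for the release
    versions used in this example (a real checker should use a semver lib).
    """
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def range_intervals(events: list[dict]) -> list[tuple[tuple, tuple | None]]:
    """Turn an ordered OSV event list into half-open [introduced, fixed) intervals.

    An 'introduced' with no following 'fixed' is open-ended (None upper bound).
    """
    intervals: list[tuple[tuple, tuple | None]] = []
    lo = None
    for ev in events:
        if "introduced" in ev:
            lo = parse_version(ev["introduced"])
        elif "fixed" in ev and lo is not None:
            intervals.append((lo, parse_version(ev["fixed"])))
            lo = None
    if lo is not None:
        intervals.append((lo, None))
    return intervals


def is_affected(version: str, affected_entries: list[dict], package: str = "minimatch") -> bool:
    """A version is affected if ANY entry's ANY range contains it."""
    v = parse_version(version)
    for entry in affected_entries:
        if entry["package"]["name"] != package:
            continue
        for rng in entry["ranges"]:
            if rng["type"] != "ECOSYSTEM":
                continue
            for lo, hi in range_intervals(rng["events"]):
                if v >= lo and (hi is None or v < hi):
                    return True
    return False


def entry(introduced: str, fixed: str) -> dict:
    """Build one 'affected' entry in the shape shown in the PR diff."""
    return {
        "package": {"ecosystem": "npm", "name": "minimatch"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": introduced}, {"fixed": fixed}]}],
    }


# Constructed: entries as submitted, every major line starting at "0".
OVERLAPPING = [entry("0", "10.2.1"), entry("0", "9.0.6"), entry("0", "8.0.5")]

# Constructed: the reviewer's suggestion, one disjoint range per maintained
# major line, with only the oldest line keeping introduced "0".
DISJOINT = [
    entry("10.0.0", "10.2.1"),
    entry("9.0.0", "9.0.6"),
    entry("8.0.0", "8.0.5"),
    entry("0", "3.1.3"),  # illustrative oldest cutoff taken from the comment
]


def report(entries: list[dict], versions: list[str]) -> dict[str, bool]:
    """Map each version to whether the given entries report it as affected."""
    return {v: is_affected(v, entries) for v in versions}


if __name__ == "__main__":
    probe = ["10.2.1", "10.2.0", "9.0.6", "9.0.5", "8.0.5", "3.1.3", "5.0.0"]
    print("overlapping:", report(OVERLAPPING, probe))
    print("disjoint:   ", report(DISJOINT, probe))
```

With the overlapping entries, `9.0.6` and `8.0.5` are reported affected purely because they sort below `10.2.1`; with the disjoint entries each backported fix release is correctly clean. Note the flip side of disjoint ranges: in the constructed `DISJOINT` list nothing covers `5.0.0`, so it reads as unaffected. When modelling backports this way, every major line that never received a backport must still fall inside some range, otherwise the advisory silently under-reports.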
Replaced by: #7021
The developer has also backported the fix to previous major versions. See: GHSA-3ppc-4f35-3m26