fix: pin patched minimatch versions via yarn resolutions (CVE-2026-27…#252

Merged
pjohnson-groq merged 1 commit into main from pjohnson/dep-upgrade-vanta
Mar 6, 2026

Conversation

@pjohnson-groq
Contributor

Fixes the minimatch ReDoS vulnerability (CVE-2026-27903) by adding Yarn v1 resolutions to pin patched versions across all transitive dependency paths. Suggested by Vanta and Dependabot.

This forces:

  • minimatch@3.1.3 (eslint/jest) from minimatch@3.1.2
  • minimatch@5.1.8 (publint/npm-packlist) from minimatch@5.1.6
  • minimatch@9.0.7 (@typescript-eslint) from minimatch@9.0.5

No runtime dependencies were changed. This is a temporary mitigation until upstream packages update their dependency ranges.
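A follow-up check a reviewer would want for a pin like this, written here as an added example and not code from PR #252 or the repository: after `yarn install` regenerates yarn.lock, confirm that every minimatch entry in the lockfile resolves at or above the versions the PR lists (3.1.3, 5.1.8, 9.0.7). A resolutions key that misses one dependency path leaves that copy at the old version, and the lockfile is the only place that shows what actually resolved. The lockfile excerpts below are constructed, the `resolutions` keys the PR used are not shown on this page and are not guessed, and treating major lines other than 3, 5 and 9 as "unlisted" (reported but not failed) is an assumption.

```javascript
// Added example, not code from PR #252: audit a Yarn v1 yarn.lock after applying
// resolutions and confirm every minimatch entry resolves to a patched version.
// Floors are the versions the PR lists; treating every other major line as
// "unlisted" (reported, not failed) is an assumption, since the PR does not
// cover them.

const PATCHED_FLOORS = { 3: "3.1.3", 5: "5.1.8", 9: "9.0.7" };

function parseVersion(v) {
  return v.split(".").map(Number);
}

// true if a >= b; assumes plain x.y.z versions (no prerelease tags) in the lockfile
function atLeast(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] > pb[i];
  }
  return true;
}

// Collect the resolved versions of `pkg` from Yarn v1 lockfile text. Entries look like:
//   minimatch@^3.0.4, minimatch@^3.1.1:
//     version "3.1.2"
// A header is an unindented line ending in ":" listing one or more "name@range" specs.
function resolvedVersions(lockText, pkg) {
  const versions = [];
  let inEntry = false;
  for (const line of lockText.split("\n")) {
    if (!line.startsWith(" ") && line.trim().endsWith(":")) {
      inEntry = line.split(",").some((spec) => {
        const s = spec.trim().replace(/:$/, "").replace(/^"|"$/g, "");
        return s.startsWith(pkg + "@");
      });
    } else if (inEntry && line.trim().startsWith("version ")) {
      const m = line.match(/version "([^"]+)"/);
      if (m) versions.push(m[1]);
      inEntry = false;
    }
  }
  return versions;
}

// Classify each resolved minimatch version against the floor for its major line.
function auditMinimatch(lockText) {
  const result = { vulnerable: [], patched: [], unlisted: [] };
  for (const v of resolvedVersions(lockText, "minimatch")) {
    const floor = PATCHED_FLOORS[parseVersion(v)[0]];
    if (floor === undefined) result.unlisted.push(v);
    else if (atLeast(v, floor)) result.patched.push(v);
    else result.vulnerable.push(v);
  }
  return result;
}

// Constructed lockfile excerpts (not the repository's real yarn.lock): before and
// after the resolutions pin. The ranges are illustrative.
const LOCK_BEFORE = `# yarn lockfile v1

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.2"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz"
  dependencies:
    brace-expansion "^1.1.7"

minimatch@^5.0.1:
  version "5.1.6"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.6.tgz"

minimatch@^9.0.4:
  version "9.0.5"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.5.tgz"
`;

const LOCK_AFTER = `# yarn lockfile v1

minimatch@3.1.3, minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.3"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.3.tgz"
  dependencies:
    brace-expansion "^1.1.7"

minimatch@5.1.8, minimatch@^5.0.1:
  version "5.1.8"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.8.tgz"

minimatch@9.0.7, minimatch@^9.0.4:
  version "9.0.7"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.7.tgz"
`;

// CLI use: node audit-minimatch.js path/to/yarn.lock ; exits 1 if anything is vulnerable.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const text = lockPath ? require("fs").readFileSync(lockPath, "utf8") : LOCK_AFTER;
  const r = auditMinimatch(text);
  console.log(JSON.stringify(r));
  if (r.vulnerable.length > 0) process.exit(1);
}
```

Run it against the regenerated yarn.lock in CI so the pin cannot silently regress when a later dependency bump adds a fourth minimatch path; the non-zero exit is what makes it a gate rather than a report.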

@pjohnson-groq pjohnson-groq self-assigned this Mar 5, 2026
@pjohnson-groq pjohnson-groq requested a review from gradenr as a code owner March 5, 2026 22:38
@pjohnson-groq pjohnson-groq merged commit fc17abe into main Mar 6, 2026
12 checks passed
@pjohnson-groq pjohnson-groq deleted the pjohnson/dep-upgrade-vanta branch March 6, 2026 00:13