fix: newer version of minimatch to resolve security issue#19
technolojin merged 1 commit into autowarefoundation:main from
- Upgraded `balanced-match`, `brace-expansion`, and `minimatch` packages to their latest versions for improved functionality and security.
- Added an `overrides` section in `package.json` to enforce a specific version of `minimatch`.
- Removed deprecated `concat-map` dependency from `package-lock.json` to streamline the dependency tree.

Signed-off-by: Taekjin LEE <taekjin.lee@tier4.jp>
Pull request overview
This PR addresses a security vulnerability by upgrading the minimatch package and its dependencies. The changes include updating balanced-match (1.0.2 → 4.0.3), brace-expansion (1.1.12 → 5.0.2), and minimatch (3.1.2 → 10.2.2) to their latest versions. An overrides section is added to package.json to enforce the specific minimatch version across all transitive dependencies, and the deprecated concat-map dependency is removed from the dependency tree.
Changes:
- Added overrides section to package.json to enforce minimatch ^10.2.1 across all dependencies
- Upgraded minimatch from 3.1.2 to 10.2.2, along with its dependencies balanced-match and brace-expansion
- Removed nested minimatch dependencies from vscode-languageclient, now using the overridden version
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tools/vscode-autoware-system-designer/package.json | Added overrides section to enforce minimatch ^10.2.1 globally |
| tools/vscode-autoware-system-designer/package-lock.json | Updated minimatch and dependencies to latest versions, removed nested overrides and deprecated concat-map |
Files not reviewed (1)
- tools/vscode-autoware-system-designer/package-lock.json: Language not supported
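A lockfile check of the kind the overview calls for, added here as an illustration and not code from the PR or the project: it walks a `package-lock.json` (lockfileVersion 2/3 `packages` map) and reports every nested copy of a package still below the fixed version, which is how a reviewer confirms an `overrides` entry actually reached transitive consumers. The lockfile content is constructed; the vscode-languageclient version and the leftover 5.1.6 copy are assumptions made for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed miniature package-lock.json (lockfileVersion 3 layout) with one
# nested copy of minimatch left behind, as would happen if an override did not
# apply. This is sample data, not the project's real lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "vscode-autoware-system-designer",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "vscode-autoware-system-designer", "version": "0.1.0"},
        "node_modules/minimatch": {"version": "10.2.2"},
        "node_modules/vscode-languageclient": {"version": "9.0.1"},
        "node_modules/vscode-languageclient/node_modules/minimatch": {"version": "5.1.6"},
        "node_modules/brace-expansion": {"version": "5.0.2"},
    },
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.2.2' into (10, 2, 2); prerelease/build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def find_package_copies(lock_json: str, name: str) -> Dict[str, str]:
    """Every installed path of `name` with its version (v2/v3 lockfiles only)."""
    lock = json.loads(lock_json)
    suffix = "node_modules/" + name
    return {
        path: info["version"]
        for path, info in lock.get("packages", {}).items()
        if path == suffix or path.endswith("/" + suffix)
    }


def copies_below(lock_json: str, name: str, min_version: str) -> List[Tuple[str, str]]:
    """Sorted (path, version) pairs still below the minimum fixed version."""
    floor = parse_version(min_version)
    return sorted(
        (path, ver)
        for path, ver in find_package_copies(lock_json, name).items()
        if parse_version(ver) < floor
    )


if __name__ == "__main__":
    for path, ver in copies_below(SAMPLE_LOCK, "minimatch", "10.2.1"):
        print(f"still below fixed version: {path} @ {ver}")
```

Run against the real lockfile by passing its contents instead of `SAMPLE_LOCK`; an empty result for `minimatch` at `10.2.1` means no transitive copy escaped the override.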
| "version": "4.0.3", | ||
| "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.3.tgz", | ||
| "integrity": "sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==", | ||
| "license": "MIT", | ||
| "engines": { | ||
| "node": "20 || >=22" | ||
| } |
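Review bot: the `engines` entry in this hunk, `"node": "20 || >=22"`, excludes Node 18 as well as 16, and npm treats an engines mismatch as a warning rather than an install failure unless `engine-strict` is enabled, so the conflict with the `@types/node` 16.x devDependency will not surface at install time. Suggest declaring the Node version the extension actually targets in the project's own `engines` field (or enabling `engine-strict` in the CI install) so the requirement is enforced rather than only logged, and checking it against the Node version bundled with the VS Code releases the extension supports.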
The upgraded packages introduce strict Node.js version requirements (Node 18, 20, or >=22) through their engine specifications. However, the project currently uses `"@types/node": "16.x"` in devDependencies. This creates a version mismatch that could lead to compatibility issues during development and CI/CD. Consider either:
- Upgrading `@types/node` to match the new minimum Node.js version requirement (18+), or
- Using an older version of these packages that supports Node 16 if the project must remain on Node 16
| "overrides": { | ||
| "minimatch": "^10.2.1" | ||
| }, |
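Review bot: the `"minimatch": "^10.2.1"` override in this hunk is unscoped, so npm applies it to every consumer regardless of the range each one declares, including ranges that 10.x does not satisfy, and the lockfile that records the result was not reviewed here. Suggest attaching the output of `npm ls minimatch` to the PR (it should show a single 10.x copy and no remaining 3.x or 5.x entries, otherwise the advisory stays open), and, if only one dependency path needs forcing, scoping the override to that dependent, e.g. `"vscode-languageclient": { "minimatch": "^10.2.1" }`, so unrelated consumers keep the version they were tested with.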
The vscode-languageclient package specifies minimatch ^5.1.0 as a dependency (line 1723), but the overrides in package.json force it to use minimatch ^10.2.1. This is a major version jump (5.x → 10.x) which may contain breaking API changes. While the security fix is important, this could potentially break vscode-languageclient functionality if it depends on minimatch 5.x-specific behavior. Consider testing the extension thoroughly to ensure vscode-languageclient works correctly with minimatch 10.x, or check if vscode-languageclient has been updated to support minimatch 10.x.
Security Issue https://github.com/autowarefoundation/autoware_system_designer/security/dependabot/3