
dependency: remediate minimatch, serialize-javascript, and vite vulnerabilities#33461

Open

MuazOthman wants to merge 5 commits into develop from muaz/vuln-20260310

Conversation

@MuazOthman (Contributor) commented Mar 11, 2026

  • Closes:

Additional details

What changed

  • Bump minimatch from 3.1.2 to 3.1.3 in data-context, driver, and network packages
  • Add yarn resolutions to pin minimatch across transitive dependencies (lerna, nx, editorconfig, graphql-config, mocha, serve-handler)
  • Pin mocha-7.2.0 minimatch resolution to 3.1.3 (compatible with mocha's ^3.0.4 range)
  • Add serialize-javascript 7.0.3 resolution
  • Remove obsolete socket.io-parser 4.0.5 resolution (was itself vulnerable to CVE-2023-32695)
  • Bump vite from 3.2.11 to 4.5.12 in outdated-deps test projects and update corresponding e2e test assertions
  • Bump Angular 21 test project dependencies from ^21.0.0 to ^21.2.0

CVEs Addressed

minimatch (3.1.2 → 3.1.3, resolutions for 9.0.7)

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2026-26996 | High | ReDoS via repeated wildcards: each `*` compiles to a separate `[^/]*?` regex group, causing O(4^N) backtracking |
| CVE-2026-27903 | High | ReDoS via multiple non-adjacent `**` (GLOBSTAR) segments, causing O(C(n,k)) combinatorial backtracking in `matchOne()` |
| CVE-2026-27904 | High | ReDoS via nested extglob patterns: nested `*()` extglobs produce regexps with nested unbounded quantifiers |

serialize-javascript (→ 7.0.3)

| Advisory | Severity | Description |
| --- | --- | --- |
| GHSA-5c6j-r48x-rmvq | Critical (9.8) | RCE via unsanitized `RegExp.flags`: incomplete fix for CVE-2020-7660 allows code injection when serialized output is evaluated |

vite (3.2.11 → 4.5.12 in test projects)

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2024-23331 | High | `server.fs.deny` bypass on case-insensitive file systems, exposing `.env` and sensitive files |
| CVE-2024-31207 | Medium | `server.fs.deny` bypass: directory glob patterns only match the basename due to a picomatch bug |
| CVE-2024-45811 | Medium | `server.fs.deny` bypass using the `?import&raw` query parameter |
| CVE-2024-45812 | Medium | DOM Clobbering gadget leading to XSS in cjs/iife/umd output formats |
| CVE-2025-30208 | High | Arbitrary file read via `?raw??` bypassing `server.fs.deny`, and `@fs` path traversal |
| CVE-2025-31125 | High | `server.fs.deny` bypass via `?inline&import` or `?raw?import` |
| CVE-2025-31486 | High | `server.fs.deny` bypass via `.svg` with `.wasm?init` and relative path traversal |

socket.io-parser (removed 4.0.5 pin)

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2023-32695 | High (7.5) | DoS via a specially crafted packet causing an uncaught exception; version 4.0.5 was within the affected range |

Steps to test

  1. Run yarn install — verify it succeeds with no resolution conflicts
  2. Run config-warning.cy.ts e2e tests — verify they pass with updated vite version assertions
  3. Verify Angular 21 system test project builds successfully

How has the user experience changed?

No user-facing changes. These are internal dependency upgrades to remediate known vulnerabilities, plus test fixture updates to match the new dependency versions.

PR Tasks


Note

Medium Risk
Mostly dependency pinning, but changes to Yarn resolutions can have repo-wide install/build impact and may surface incompatibilities in tooling or transitive consumers.

Overview
Primarily security-driven dependency remediation: bumps minimatch to 3.1.3 in several packages and adds Yarn resolutions to force safe minimatch/serialize-javascript versions across transitive dependency trees (and drops the prior socket.io-parser pin).

Updates test fixtures and assertions to match refreshed dependency versions (e.g. Vite version shown in Launchpad dependency-warning e2e tests) and refreshes Angular system-test project dependencies; also bumps CI cache version and records the dependency updates in the CLI changelog.

Written by Cursor Bugbot for commit fd19d1d. This will update automatically on new commits. Configure here.
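The "Steps to test" above only check that `yarn install` succeeds; they do not confirm that every transitive `minimatch` and `serialize-javascript` entry in `yarn.lock` actually landed on a remediated version. The following is an added example, not part of this PR or the Cypress repository's own tooling: a small yarn v1 lockfile reader plus an audit that compares each resolved version against the floors stated in the PR description (3.1.3 for minimatch 3.x, 9.0.7 for minimatch 9.x, 7.0.3 for serialize-javascript 7.x). Those floors, the `FLOORS` table, the function names and the embedded sample lockfile are all assumptions made for the example; major lines the PR does not mention (for instance the minimatch 5.1.8 entry the PR removed) are reported for manual review rather than assumed safe.

```javascript
// Added example for PR #33461 (not the repository's own tooling): audit a
// yarn v1 lockfile for the packages the PR pins and report resolved versions
// below the floors the PR description states. Floors here are assumptions
// taken from that description; majors it does not mention are reported for
// manual review rather than assumed safe.

// package -> { major: minimum safe version } (from the PR description)
const FLOORS = {
  minimatch: { 3: "3.1.3", 9: "9.0.7" },
  "serialize-javascript": { 7: "7.0.3" },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal yarn.lock (v1) reader. A top-level entry looks like
//   minimatch@^3.0.4, minimatch@^3.1.1:
//     version "3.1.2"
// Keys may be quoted. Only the name, the requested specs and the resolved
// version are extracted; other fields are ignored.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw)) {
      const specs = raw
        .replace(/:\s*$/, "")
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      // The name ends at the first "@" after position 0, so scoped
      // packages such as @scope/pkg@^1.0.0 keep their scope.
      const name = specs[0].slice(0, specs[0].indexOf("@", 1));
      current = { name, specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version\s+"([^"]+)"/.exec(raw);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Returns one finding per lock entry that is either below its floor
// ("vulnerable") or on a major line with no known floor ("review").
function auditLock(lockText, floors = FLOORS) {
  const findings = [];
  for (const e of parseYarnLock(lockText)) {
    const perMajor = floors[e.name];
    if (!perMajor || !e.version) continue;
    const major = parseVersion(e.version)[0];
    const floor = perMajor[major];
    if (floor === undefined) {
      findings.push({ name: e.name, version: e.version, specs: e.specs,
        status: "review", reason: `no known safe floor for major ${major}` });
    } else if (compareVersions(e.version, floor) < 0) {
      findings.push({ name: e.name, version: e.version, specs: e.specs,
        status: "vulnerable", reason: `below ${floor}` });
    }
  }
  return findings;
}

// Constructed sample lockfile (not the repository's yarn.lock).
const SAMPLE_LOCK = `
"@scope/tool@^1.0.0":
  version "1.0.0"

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.2"
  resolved "https://registry.example/minimatch-3.1.2.tgz"

minimatch@^5.0.1:
  version "5.1.8"

minimatch@^9.0.4:
  version "9.0.7"

serialize-javascript@^6.0.0:
  version "6.0.2"

serialize-javascript@^7.0.3:
  version "7.0.3"
`;

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with the contents of `yarn.lock`; an empty result for the "vulnerable" status is the condition a reviewer would want to see after the resolutions are applied, and any "review" finding points at a major line whose fixed version still has to be looked up.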

- Bump minimatch from 3.1.2 to 3.1.3 in data-context, driver, and
  network packages to address ReDoS vulnerability
- Add yarn resolutions to pin minimatch across transitive dependencies
  (lerna, nx, editorconfig, graphql-config, mocha, serve-handler)
- Add serialize-javascript 7.0.3 resolution to fix XSS vulnerability
- Remove obsolete socket.io-parser resolution
- Bump vite from 3.2.11 to 4.5.12 in outdated-deps test projects and
  update corresponding e2e test assertions
- Bump Angular 21 test project dependencies from ^21.0.0 to ^21.2.0

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

MuazOthman and others added 3 commits March 10, 2026 22:11
- Change mocha-7.2.0/minimatch resolution from 5.1.8 to 3.1.3 since
  mocha 7.2.0 depends on minimatch ^3.0.4, which is incompatible with
  the 5.x major version. This removes the unused minimatch@5.1.8 entry
  from yarn.lock.
…pgrades

- Add dependency update changelog entries for minimatch 3.1.3 and
  serialize-javascript 7.0.3 vulnerability remediations in PR #33461
@cypress cypress bot commented Mar 11, 2026

cypress Run #69324

Run Properties:
  • Status: Passed #69324
  • Commit: fd19d1dead: chore: update CI cache version to 03-10-2026
  • Project: cypress
  • Branch: muaz/vuln-20260310
  • Run duration: 16m 56s
  • Committer: Muaz Othman

Test results:
  • Failures: 0
  • Flaky: 1
  • Pending (tests annotated with .skip): 10
  • Skipped (tests that did not run due to a failure in a mocha hook): 0
  • Passing: 647

UI Coverage: 0% (untested elements 4, tested elements 0)
Accessibility: 100% (failed rules: 0 critical, 0 serious, 0 moderate, 0 minor; failed elements 0)

@jennifer-shehane changed the title from "fix(deps): remediate minimatch, serialize-javascript, and vite vulnerabilities" to "dependency: remediate minimatch, serialize-javascript, and vite vulnerabilities" on Mar 11, 2026

@jennifer-shehane (Member) commented:

@MuazOthman The Semantic Pull Request check is failing because we're in the middle of a release, so ignore that.
