
chore: updating minimatch #885

Draft
isaacs wants to merge 1 commit into main from isaacschlueter/js-1765-vulnerable-dependency-minimatch

@isaacs isaacs commented Feb 19, 2026

Add minimatch@10.2.2 dev dep in the root to push outdated versions into duplicates, and local packages were updated to use minimatch v10.

The following packages depend on minimatch v3:

  • @eslint/eslintrc
  • @humanwhocodes/config-array
  • @jest/core
  • copy-concurrently
  • eslint
  • eslint-plugin-react
  • jest-circus
  • jest-config
  • jest-runner
  • move-concurrently
  • rimraf
  • terser-webpack-plugin
  • test-exclude

Finally, @rollup/plugin-commonjs depends on minimatch 5.1.6.

A fix will be backported to resolve the ReDOS on v3 and v5, which can then be updated here.
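
An added example, not part of the PR or the project's code: one way to list which packages still nest an older minimatch once the root pins v10. It assumes the npm `package-lock.json` v2/v3 `packages` map; the lockfile contents and the `findCopies`/`staleCopies` helpers are constructed for illustration.

```javascript
// Constructed lockfile in the npm package-lock.json v2/v3 "packages" shape (an assumption).
// 10.2.2 and 5.1.6 are the versions named in the PR; every other version is a made-up sample.
const sampleLock = {
  packages: {
    "": { devDependencies: { minimatch: "10.2.2" } },
    "node_modules/minimatch": { version: "10.2.2", dev: true },
    "node_modules/eslint": { version: "0.0.0" },
    "node_modules/eslint/node_modules/minimatch": { version: "3.0.0" },
    "node_modules/rimraf": { version: "0.0.0" },
    "node_modules/rimraf/node_modules/minimatch": { version: "3.0.0" },
    "node_modules/@rollup/plugin-commonjs": { version: "0.0.0" },
    "node_modules/@rollup/plugin-commonjs/node_modules/minimatch": { version: "5.1.6" },
    "node_modules/not-minimatch": { version: "1.0.0" },
  },
};

// Return every installed copy of `name`, with the package that nests it.
function findCopies(lockfile, name) {
  const suffix = `node_modules/${name}`;
  const marker = "node_modules/";
  const copies = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    let owner = "(root)"; // hoisted copy: what a bare require(name) from the root resolves to
    if (path !== suffix) {
      // Strip the trailing "/node_modules/<name>", then keep the innermost package name.
      const parent = path.slice(0, -(suffix.length + 1));
      const i = parent.lastIndexOf(marker);
      owner = i === -1 ? parent : parent.slice(i + marker.length);
    }
    copies.push({ owner, path, version: entry.version, major: parseInt(entry.version, 10) });
  }
  return copies;
}

// Copies still below the major the root pins: the ones waiting on an upgrade or a backport.
function staleCopies(lockfile, name, wantedMajor) {
  return findCopies(lockfile, name)
    .filter((c) => c.major < wantedMajor)
    .sort((a, b) => (a.owner < b.owner ? -1 : a.owner > b.owner ? 1 : 0));
}

for (const c of staleCopies(sampleLock, "minimatch", 10)) {
  console.log(`${c.owner} -> minimatch@${c.version} (${c.path})`);
}
```

Run against a real lockfile, the output is the list of dependents to track until each one upgrades or the backported fix is released.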

linear bot commented Feb 19, 2026

Add minimatch@10.2.2 dev dep in the root to push outdated versions into
duplicates, and local packages were updated to use minimatch v10.

The following packages depend on minimatch v3:

- @eslint/eslintrc
- @humanwhocodes/config-array
- @jest/core
- copy-concurrently
- eslint
- eslint-plugin-react
- jest-circus
- jest-config
- jest-runner
- move-concurrently
- rimraf
- terser-webpack-plugin
- test-exclude

Finally, `@rollup/plugin-commonjs` depends on minimatch 5.1.6.

A fix will be backported to resolve the ReDOS on v3 and v5, which can
then be updated here.

github-actions bot commented Feb 19, 2026

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


Bug Fixes 🐛

  • (webpack) Deduplicate webpack deploys by chargome in #875

Internal Changes 🔧

  • Updating minimatch by isaacs in #885
  • Migrate to oxfmt by timfish in #880
  • Build with Rolldown by timfish in #872
  • Remove unplugin by timfish in #876
  • Rollup/Vite no longer uses unplugin by timfish in #858
  • Esbuild no longer uses unplugin by timfish in #871
  • Webpack no longer uses unplugin by timfish in #870

🤖 This preview updates automatically when you update the PR.

@isaacs isaacs force-pushed the isaacschlueter/js-1765-vulnerable-dependency-minimatch branch from 9c89009 to f1d3304 Compare February 19, 2026 18:20
isaacs added a commit to getsentry/sentry-javascript that referenced this pull request Feb 19, 2026
- Adding a devDependency on minimatch in the root, so that all outdated
  versions get pushed into duplicates.
- Updated `minimatch` direct dependency packages/node,
  packages/react-router, and packages/remix
- Once getsentry/sentry-javascript-bundler-plugins#885 lands, we can
  update the dependency coming in from `@sentry/bundler-plugin-core`

There are several other dependencies that transitively bring in a
minimatch v3, v5, v8, or v9. Fixes for the ReDOS will be backported
where those dependencies cannot be easily updated.