Potential Security Vulnerability Detected
Repository: nodejs/node
Commit: ec33dd9
Author: Node.js GitHub Bot
Date: 2026-02-24T18:11:27Z
Commit Message
deps: update minimatch to 10.2.2
PR-URL: https://github.com/nodejs/node/pull/61830
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Pull Request
PR: #61830 - deps: update minimatch to 10.2.2
Labels: author ready, needs-ci, dependencies, lts-watch-v20.x, lts-watch-v22.x, lts-watch-v24.x
Description:
This is an automated update of minimatch to 10.2.2.
Analysis
Vulnerability Type: ReDoS (Regular Expression Denial of Service)
Severity: Medium
Description
The minimatch library had a vulnerability where multiple consecutive asterisks in glob patterns would cause exponential regex backtracking, leading to ReDoS attacks. The patch fixes this by coalescing multiple stars into a single star pattern to prevent catastrophic backtracking.
Affected Code
// Pre-fix branch in minimatch's glob-to-regex conversion: every '*' in the
// pattern appends its own star sub-pattern, so consecutive stars produce
// nested quantifiers that the regex engine can backtrack over exponentially.
if (c === '*') {
  re += noEmpty && glob === '*' ? starNoEmpty : star;
  hasMagic = true;
  continue;
}
Proof of Concept
// minimatch 9.x/10.x exposes `minimatch` as a named export, not as the module itself
const { minimatch } = require('minimatch');
// Against an unpatched build this would cause exponential regex backtracking:
// 50000 consecutive stars followed by a literal that never matches the trailing 'X'
minimatch('aaaaaaaaaaaaaaaaaaaaaaaaaaX', '*'.repeat(50000) + 'a');
// The regex engine will spend exponential time trying to match the pattern
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-02-27T23:39:49.349Z