
Fix minimatch security alerts #11213

Merged
WiXSL merged 2 commits into master from fix-minimatch-alerts
Mar 30, 2026

Conversation

@WiXSL
Collaborator

@WiXSL WiXSL commented Mar 30, 2026

Summary

Update the vulnerable minimatch lockfile resolutions in the 9.x and 10.x lines.

Alerts

Why

Dependabot reports two minimatch alerts:

  • >= 9.0.0, < 9.0.7

  • >= 10.0.0, < 10.2.3

This repository already allows secure versions through transitive semver ranges, but the lockfile was still pinned to vulnerable releases.

Impact

This closes both minimatch security alerts without changing direct dependencies.

Validation

  • yarn why minimatch
  • Verified ^9.0.4 resolves to 9.0.9
  • Verified ^10.1.1 resolves to 10.2.4
  • Diff is limited to yarn.lock
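The validation steps above rely on reading `yarn why` output by eye. As an added example (not code from this PR or from the project), the script below does the same check mechanically: it parses a yarn.lock v1 file, pulls out every `minimatch@...` entry, and flags any resolution that falls inside the two Dependabot ranges quoted in the description. The lockfile fragment is constructed for illustration, with the `^9.0.4` entry deliberately left on a version inside the first range; real lockfiles pass their text in via the same function.

```javascript
// Added example: audit minimatch resolutions in a yarn.lock (v1 format) against
// the two alert ranges from the PR description. No dependencies, runs offline.

// Vulnerable ranges as reported by Dependabot: >= 9.0.0, < 9.0.7 and
// >= 10.0.0, < 10.2.3 (upper bounds exclusive).
const VULNERABLE_RANGES = [
  { min: "9.0.0", maxExclusive: "9.0.7" },
  { min: "10.0.0", maxExclusive: "10.2.3" },
];

// Constructed yarn.lock fragment (not the repository's real lockfile). The
// ^9.0.4 entry is pinned inside the vulnerable range on purpose; the ^10.1.1
// entry matches the resolution the PR reports.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"minimatch@^3.0.4, minimatch@^3.1.2":
  version "3.1.2"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz"
  dependencies:
    brace-expansion "^1.1.7"

minimatch@^9.0.4:
  version "9.0.5"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.5.tgz"
  dependencies:
    brace-expansion "^2.0.1"

minimatch@^10.1.1:
  version "10.2.4"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-10.2.4.tgz"
  dependencies:
    brace-expansion "^2.0.1"

minipass@^7.1.2:
  version "7.1.2"
  resolved "https://registry.yarnpkg.com/minipass/-/minipass-7.1.2.tgz"
`;

// Numeric compare of "major.minor.patch" strings; prerelease suffixes are
// dropped, which is enough for release versions like the ones above.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the resolved version sits inside any alert range.
function isVulnerable(version) {
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0
  );
}

// yarn.lock v1: an unindented line ending in ":" opens an entry and lists one
// or more name@range specifiers (comma separated, optionally quoted); the
// indented `version "..."` line that follows is the resolution for all of them.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ") && raw.endsWith(":")) {
      const specs = raw
        .slice(0, -1)
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
      continue;
    }
    const m = raw.match(/^\s+version "([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Report every minimatch resolution with its requested ranges and alert status.
function auditMinimatch(lockText) {
  return parseYarnLock(lockText)
    .filter((e) => e.specs.some((s) => s.startsWith("minimatch@")))
    .map((e) => ({
      ranges: e.specs.map((s) => s.slice("minimatch@".length)),
      version: e.version,
      vulnerable: isVulnerable(e.version),
    }));
}

for (const r of auditMinimatch(SAMPLE_LOCK)) {
  console.log(`${r.ranges.join(", ")} -> ${r.version} ${r.vulnerable ? "VULNERABLE" : "ok"}`);
}
```

Run it over the real lockfile with `auditMinimatch(fs.readFileSync("yarn.lock", "utf8"))` after `yarn install`; a lockfile in the state this PR produces should report every 9.x and 10.x entry as `ok`. The parser targets the v1 lockfile layout; Yarn Berry prefixes specifiers with `npm:` and quotes headers differently, so the range strings would need trimming there.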

@WiXSL WiXSL added the dependencies and javascript labels Mar 30, 2026
@WiXSL WiXSL marked this pull request as ready for review March 30, 2026 15:40
@WiXSL WiXSL added this to the 5.14.5 milestone Mar 30, 2026
@WiXSL WiXSL merged commit ff5cd0c into master Mar 30, 2026
15 checks passed
@WiXSL WiXSL deleted the fix-minimatch-alerts branch March 30, 2026 16:07
@ThieryMichel ThieryMichel mentioned this pull request Mar 31, 2026