Skip to content

Commit a810dd8

Browse files
committed
fix: override minimatch to resolve high-severity ReDoS advisories
Pin transitive minimatch to >=9.0.7 via pnpm overrides so CI pnpm audit passes on the @n8n/node-cli eslint toolchain path.
1 parent 2bf488b commit a810dd8

3 files changed

Lines changed: 7 additions & 33 deletions

File tree

SECURITY.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ This repository uses defenses against npm supply-chain worms such as **Mini Shai
1313
- **Blocklist scan**`pnpm run audit:supply-chain` checks the lockfile against `security/compromised-packages.json` and validates pnpm config.
1414
- **Delayed updates**`minimumReleaseAge` (24h, strict) reduces exposure to freshly published malicious versions.
1515
- **No exotic transitive deps**`blockExoticSubdeps` blocks git/tarball transitive resolutions.
16-
- **Version overrides** — known CVEs are mitigated via `overrides` in `pnpm-workspace.yaml` (e.g. `lodash`, `uuid`).
16+
- **Version overrides** — known CVEs are mitigated via `overrides` in `pnpm-workspace.yaml` (e.g. `lodash`, `uuid`, `minimatch`).
1717

1818
### Enforcing pnpm for contributors
1919

pnpm-lock.yaml

Lines changed: 5 additions & 32 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

pnpm-workspace.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ packages:
55
overrides:
66
lodash: '>=4.18.0'
77
uuid: '11.1.1'
8+
minimatch: '>=9.0.7'
89
# npm dist-tag stable; block 2.23+ beta-channel releases
910
n8n-workflow: '2.22.3'
1011

0 commit comments

Comments
 (0)