fix: update minimatch to resolve CVE-2026-27903 #36

Open
liliwilson wants to merge 1 commit into main from independabot/minimatch-cve-2026-27903

Conversation

@liliwilson

Updates minimatch override in package.json from ^9.0.5 to ^9.0.7 to resolve CVE-2026-27903, a ReDoS vulnerability in minimatch caused by combinatorial backtracking via multiple non-adjacent GLOBSTAR segments.

Advisory: GHSA-7r86-cg39-jmmj
CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-27903
Dependabot alert: https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/5

What changed: Updated minimatch override in overrides, pnpm.overrides, and resolutions from ^9.0.5 to ^9.0.7. pnpm-lock.yaml now resolves minimatch@9.0.9. pnpm audit no longer reports CVE-2026-27903. Build and 329 tests pass.

Conversation: https://staging.warp.dev/conversation/1062daaf-d304-4e45-8c7f-acbabcedb493
Run: https://oz.staging.warp.dev/runs/019ecc2b-2466-7e5f-9df7-fb250c0e60bc
This PR was generated with Oz.

Co-Authored-By: Oz <oz-agent@warp.dev>
@liliwilson liliwilson requested a review from ianhodge June 15, 2026 16:50
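A reviewer verifying a fix like this one wants two things checked mechanically: that every override field the PR touched (overrides, pnpm.overrides, resolutions) pins the package to a range whose lower bound is at least the fixed version, and that the lockfile no longer resolves any copy below it, since a transitive dependency the override does not reach would keep the vulnerable code in the build. The Node script below is an added example, not code from this PR or the oz-sdk-typescript project. It uses only the version numbers stated in the description (fixed in 9.0.7, lockfile resolving 9.0.9); the package.json objects and lockfile text are constructed samples, and the lockfile parser assumes the pnpm lockfile v9 layout where package entries are keyed like `minimatch@9.0.9:` under `packages:`.

```javascript
// Added example, not from the PR: audit dependency-override fields in a package.json
// and the versions a pnpm-lock.yaml resolves against a minimum fixed version.
const FIXED_MINIMATCH = "9.0.7"; // first fixed version, per the PR description

// Parse "x.y.z" into [x, y, z]; null for anything that is not a plain semver triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lower bound of a "^x.y.z", "~x.y.z" or exact "x.y.z" range (the forms used here).
// Other range syntaxes are reported as unparseable rather than guessed at.
function rangeLowerBound(range) {
  return parseVersion(String(range).trim().replace(/^[\^~]/, ""));
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Gather the pin for `name` from each override field present in package.json.
function collectOverrides(pkg, name) {
  const fields = {
    overrides: pkg.overrides,
    "pnpm.overrides": pkg.pnpm && pkg.pnpm.overrides,
    resolutions: pkg.resolutions,
  };
  const found = {};
  for (const [field, table] of Object.entries(fields)) {
    if (table && Object.prototype.hasOwnProperty.call(table, name)) found[field] = table[name];
  }
  return found;
}

// Report override fields that are missing, unparseable, below the fixed version,
// or inconsistent with each other (the typical half-applied-fix mistake).
function auditOverrides(pkg, name, fixedVersion) {
  const fixed = parseVersion(fixedVersion);
  const overrides = collectOverrides(pkg, name);
  const problems = [];
  if (Object.keys(overrides).length === 0) problems.push(`no override for ${name} in any field`);
  const distinct = new Set(Object.values(overrides));
  if (distinct.size > 1) problems.push(`inconsistent ranges across fields: ${[...distinct].join(", ")}`);
  for (const [field, range] of Object.entries(overrides)) {
    const lower = rangeLowerBound(range);
    if (!lower) { problems.push(`${field}: cannot parse range "${range}"`); continue; }
    if (compareVersions(lower, fixed) < 0) {
      problems.push(`${field}: "${range}" admits ${lower.join(".")}, below ${fixedVersion}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Every version of `name` the lockfile resolves. Assumes pnpm lockfile v9 layout,
// where entries under `packages:` are keyed like `minimatch@9.0.9:` (optionally quoted).
function lockfileResolvedVersions(lockText, name) {
  const re = new RegExp("^\\s*'?" + name + "@(\\d+\\.\\d+\\.\\d+)'?:", "gm");
  return [...lockText.matchAll(re)].map((m) => m[1]);
}

// A stale transitive copy below the fixed version means the override did not reach it.
function auditLockfile(lockText, name, fixedVersion) {
  const fixed = parseVersion(fixedVersion);
  const versions = lockfileResolvedVersions(lockText, name);
  const problems = versions.length === 0 ? [`${name} not present in lockfile`] : [];
  for (const v of versions) {
    if (compareVersions(parseVersion(v), fixed) < 0) problems.push(`lockfile still resolves ${name}@${v}`);
  }
  return { ok: problems.length === 0, problems, versions };
}

// Constructed samples: the override fields before and after the PR, and two lockfiles.
const SAMPLE_BEFORE = {
  overrides: { minimatch: "^9.0.5" },
  pnpm: { overrides: { minimatch: "^9.0.5" } },
  resolutions: { minimatch: "^9.0.5" },
};
const SAMPLE_AFTER = {
  overrides: { minimatch: "^9.0.7" },
  pnpm: { overrides: { minimatch: "^9.0.7" } },
  resolutions: { minimatch: "^9.0.7" },
};
const SAMPLE_LOCK_CLEAN = [
  "lockfileVersion: '9.0'",
  "packages:",
  "  minimatch@9.0.9:",
  "    resolution: {integrity: sha512-PLACEHOLDER}",
].join("\n");
// Same lockfile with a leftover old copy that the override did not cover.
const SAMPLE_LOCK_STALE = SAMPLE_LOCK_CLEAN + "\n  minimatch@3.1.2:\n    resolution: {integrity: sha512-PLACEHOLDER}";

console.log(auditOverrides(SAMPLE_BEFORE, "minimatch", FIXED_MINIMATCH));
console.log(auditOverrides(SAMPLE_AFTER, "minimatch", FIXED_MINIMATCH));
console.log(auditLockfile(SAMPLE_LOCK_STALE, "minimatch", FIXED_MINIMATCH));
```

Run against a real checkout by replacing the constructed samples with `JSON.parse(fs.readFileSync("package.json"))` and the contents of `pnpm-lock.yaml`; a passing result backs the description's "pnpm audit no longer reports CVE-2026-27903" with evidence from the lockfile itself, and the lockfile check is what catches an override that was added to one field but not the others.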
2 participants