From 8d5e687a8706ef1b8a232a9fe3835d07fb86d386 Mon Sep 17 00:00:00 2001 From: CCS Admin Date: Sun, 22 Feb 2026 10:52:01 +0000 Subject: [PATCH] fix(security): add minimatch >=10.2.1 override (CVE-2026-26996) Resolves ReDoS vulnerability in minimatch via eslint dependency chain. --- package.json | 7 ++++++- pnpm-lock.yaml | 50 ++++++++++++++------------------------------------ 2 files changed, 20 insertions(+), 37 deletions(-) diff --git a/package.json b/package.json index 46c1448..f591678 100644 --- a/package.json +++ b/package.json @@ -29,5 +29,10 @@ "tailwindcss": "^4.2.0", "typescript": "^5.9.3" }, - "packageManager": "pnpm@10.26.0" + "packageManager": "pnpm@10.26.0", + "pnpm": { + "overrides": { + "minimatch": ">=10.2.1" + } + } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index a82122f..a6c6463 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -4,6 +4,9 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + minimatch: '>=10.2.1' + importers: .: @@ -778,9 +781,6 @@ packages: resolution: {integrity: sha512-qIj0G9wZbMGNLjLmg1PT6v2mE9AH2zlnADJD/2tC6E00hgmhUOfEB6greHPAfLRSufHqROIUTkw6E+M3lH0PTQ==} engines: {node: '>= 0.4'} - balanced-match@1.0.2: - resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} - balanced-match@4.0.3: resolution: {integrity: sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==} engines: {node: 20 || >=22} @@ -790,9 +790,6 @@ packages: engines: {node: '>=6.0.0'} hasBin: true - brace-expansion@1.1.12: - resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==} - brace-expansion@5.0.2: resolution: {integrity: sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==} engines: {node: 20 || >=22} @@ -843,9 +840,6 @@ packages: color-name@1.1.4: resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==} - concat-map@0.0.1: - resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==} - convert-source-map@2.0.0: resolution: {integrity: sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==} @@ -1525,12 +1519,9 @@ packages: resolution: {integrity: sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==} engines: {node: '>=8.6'} - minimatch@3.1.3: - resolution: {integrity: sha512-M2GCs7Vk83NxkUyQV1bkABc4yxgz9kILhHImZiBPAZ9ybuvCb0/H7lEl5XvIg3g+9d4eNotkZA5IWwYl0tibaA==} - - minimatch@9.0.6: - resolution: {integrity: sha512-kQAVowdR33euIqeA0+VZTDqU+qo1IeVY+hrKYtZMio3Pg0P0vuh/kwRylLUddJhB6pf3q/botcOvRtx4IN1wqQ==} - engines: {node: '>=16 || 14 >=14.17'} + minimatch@10.2.2: + resolution: {integrity: sha512-+G4CpNBxa5MprY+04MbgOw1v7So6n5JY166pFi9KfYwT78fxScCeSNQSNzp6dpPSW2rONOps6Ocam1wFhCgoVw==} + engines: {node: 18 || 20 || >=22} minimist@1.2.8: resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==} @@ -2118,7 +2109,7 @@ snapshots: dependencies: '@eslint/object-schema': 2.1.7 debug: 4.4.3 - minimatch: 3.1.3 + minimatch: 10.2.2 transitivePeerDependencies: - supports-color @@ -2139,7 +2130,7 @@ snapshots: ignore: 5.3.2 import-fresh: 3.3.1 js-yaml: 4.1.1 - minimatch: 3.1.3 + minimatch: 10.2.2 strip-json-comments: 3.1.1 transitivePeerDependencies: - supports-color @@ -2496,7 +2487,7 @@ snapshots: '@typescript-eslint/types': 8.56.0 '@typescript-eslint/visitor-keys': 8.56.0 debug: 4.4.3 - minimatch: 9.0.6 + minimatch: 10.2.2 semver: 7.7.4 tinyglobby: 0.2.15 ts-api-utils: 2.4.0(typescript@5.9.3) @@ -2679,17 +2670,10 @@ snapshots: axobject-query@4.1.0: {} - balanced-match@1.0.2: {} - balanced-match@4.0.3: {} baseline-browser-mapping@2.10.0: {} - brace-expansion@1.1.12: - dependencies: - balanced-match: 1.0.2 - concat-map: 0.0.1 - brace-expansion@5.0.2: dependencies: balanced-match: 4.0.3 @@ -2742,8 +2726,6 @@ snapshots: color-name@1.1.4: {} - concat-map@0.0.1: {} - convert-source-map@2.0.0: {} cross-spawn@7.0.6: @@ -2991,7 +2973,7 @@ snapshots: hasown: 2.0.2 is-core-module: 2.16.1 is-glob: 4.0.3 - minimatch: 3.1.3 + minimatch: 10.2.2 object.fromentries: 2.0.8 object.groupby: 1.0.3 object.values: 1.2.1 @@ -3019,7 +3001,7 @@ snapshots: hasown: 2.0.2 jsx-ast-utils: 3.3.5 language-tags: 1.0.9 - minimatch: 3.1.3 + minimatch: 10.2.2 object.fromentries: 2.0.8 safe-regex-test: 1.1.0 string.prototype.includes: 2.0.1 @@ -3047,7 +3029,7 @@ snapshots: estraverse: 5.3.0 hasown: 2.0.2 jsx-ast-utils: 3.3.5 - minimatch: 3.1.3 + minimatch: 10.2.2 object.entries: 1.1.9 object.fromentries: 2.0.8 object.values: 1.2.1 @@ -3101,7 +3083,7 @@ snapshots: is-glob: 4.0.3 json-stable-stringify-without-jsonify: 1.0.1 lodash.merge: 4.6.2 - minimatch: 3.1.3 + minimatch: 10.2.2 natural-compare: 1.4.0 optionator: 0.9.4 optionalDependencies: @@ -3542,11 +3524,7 @@ snapshots: braces: 3.0.3 picomatch: 2.3.1 - minimatch@3.1.3: - dependencies: - brace-expansion: 1.1.12 - - minimatch@9.0.6: + minimatch@10.2.2: dependencies: brace-expansion: 5.0.2