UID2-6617: Fix lint breakage from minimatch v10 API incompatibility

sunnywu · claude · sunnywu · commit 6c76208edcc6 · 2026-02-20T16:08:09.000+11:00
Replace the global Yarn resolution (minimatch -> 10.2.2) with a scoped resolution that only upgrades nodemon's minimatch to 10.2.2. All other packages (eslint-plugin-import, eslint, jest and other devDeps) revert to their natural 3.1.2 or 5.1.6, restoring lint compatibility. eslint-plugin-import 2.x calls minimatch() as a default-export function (pre-v6 API). Yarn v1's flat node_modules cannot install two separate minimatch versions without a nested installation that the flat model doesn't support when a global resolution is also present. Result: - nodemon (production dep): minimatch 10.2.2 (CVE fixed via scoped resolution) - eslint/jest devDeps: minimatch 3.1.2 / 5.1.6 (suppressed in .trivyignore) Add .trivyignore to suppress CVE-2026-26996 for dev-only minimatch instances. Expiry 2027-02-20 to revisit when ESLint is upgraded. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,19 @@
+# CVE-2026-26996: minimatch ReDoS vulnerability
+# Tracked in: https://thetradedesk.atlassian.net/browse/UID2-6617
+#
+# Suppressed for minimatch 3.1.2 and 5.1.6 which are pulled in ONLY by
+# devDependencies (eslint, eslint-plugin-import, eslint-plugin-jsx-a11y,
+# eslint-plugin-react, jest/test-exclude, jake/filelist). These versions
+# are not reachable at runtime in the production application.
+#
+# The production dependency (nodemon) is pinned to minimatch ^10.2.1
+# via a Yarn selective resolution, which resolves to 10.2.2 (fixed).
+#
+# Yarn v1's flat node_modules model cannot install two different versions
+# of minimatch simultaneously without breaking eslint-plugin-import, which
+# calls minimatch() as a default-export function (pre-v6 API). Upgrading
+# eslint-plugin-import to a version supporting minimatch v10 requires
+# migrating to ESLint v9, which is a separate effort.
+#
+# Expires: 2027-02-20 — revisit when eslint-plugin-import or ESLint is upgraded.
+CVE-2026-26996 exp:2027-02-20
diff --git a/package.json b/package.json
@@ -95,8 +95,7 @@
   },
   "resolutions": {
     "jws": "4.0.1",
-    "minimatch": "^10.2.1",
-    "eslint-plugin-import/**/minimatch": "3.1.2",
+    "nodemon/minimatch": "^10.2.1",
     "qs": "6.14.1"
   }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -1541,6 +1541,13 @@ brace-expansion@^1.1.7:
     balanced-match "^1.0.0"
     concat-map "0.0.1"
 
+brace-expansion@^2.0.1:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-2.0.2.tgz#54fc53237a613d854c7bd37463aad17df87214e7"
+  integrity sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==
+  dependencies:
+    balanced-match "^1.0.0"
+
 brace-expansion@^5.0.2:
   version "5.0.2"
   resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-5.0.2.tgz#b6c16d0791087af6c2bc463f52a8142046c06b6f"
@@ -4255,19 +4262,26 @@ mimic-fn@^2.1.0:
   resolved "https://registry.npmjs.org/mimic-fn/-/mimic-fn-2.1.0.tgz"
   integrity sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==
 
-minimatch@3.1.2:
+minimatch@^10.2.1:
+  version "10.2.2"
+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-10.2.2.tgz#361603ee323cfb83496fea2ae17cc44ea4e1f99f"
+  integrity sha512-+G4CpNBxa5MprY+04MbgOw1v7So6n5JY166pFi9KfYwT78fxScCeSNQSNzp6dpPSW2rONOps6Ocam1wFhCgoVw==
+  dependencies:
+    brace-expansion "^5.0.2"
+
+minimatch@^3.0.4, minimatch@^3.1.1, minimatch@^3.1.2:
   version "3.1.2"
   resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
   integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
   dependencies:
     brace-expansion "^1.1.7"
 
-minimatch@^10.2.1, minimatch@^3.0.4, minimatch@^3.1.1, minimatch@^3.1.2, minimatch@^5.0.1:
-  version "10.2.2"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-10.2.2.tgz#361603ee323cfb83496fea2ae17cc44ea4e1f99f"
-  integrity sha512-+G4CpNBxa5MprY+04MbgOw1v7So6n5JY166pFi9KfYwT78fxScCeSNQSNzp6dpPSW2rONOps6Ocam1wFhCgoVw==
+minimatch@^5.0.1:
+  version "5.1.6"
+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.6.tgz#1cfcb8cf5522ea69952cd2af95ae09477f122a96"
+  integrity sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==
   dependencies:
-    brace-expansion "^5.0.2"
+    brace-expansion "^2.0.1"
 
 minimist@^1.2.0, minimist@^1.2.5, minimist@^1.2.6:
   version "1.2.8"

Original file line number	Diff line number	Diff line change
`@@ -95,8 +95,7 @@`
`95`	`95`	`},`
`96`	`96`	`"resolutions": {`
`97`	`97`	`"jws": "4.0.1",`
`98`		`- "minimatch": "^10.2.1",`
`99`		`- "eslint-plugin-import/**/minimatch": "3.1.2",`
	`98`	`+ "nodemon/minimatch": "^10.2.1",`
`100`	`99`	`"qs": "6.14.1"`
`101`	`100`	`}`
`102`	`101`	`}`