
UID2-6617: Fix CVE-2026-26996 minimatch ReDoS vulnerability #168

Merged: ssundahlTTD merged 3 commits into main from syw-UID2-6617-fix-minimatch-redos on Feb 20, 2026

UID2-6617: Fix CVE-2026-26996 minimatch ReDoS vulnerability#168
ssundahlTTD merged 3 commits intomainfrom
syw-UID2-6617-fix-minimatch-redos

Conversation

@sunnywu sunnywu (Contributor) commented Feb 20, 2026

Summary

Fixes UID2-6617

CVE-2026-26996: ReDoS vulnerability in minimatch via repeated wildcards with a non-matching literal.

Approach

Yarn v1's flat node_modules model cannot install two versions of minimatch simultaneously. A global resolutions override forces 10.2.2 for all packages — but eslint-plugin-import 2.x calls minimatch() as a callable default export (pre-v6 API), which breaks under minimatch v10:

TypeError: (0, _minimatch2.default) is not a function

Instead, a scoped Yarn resolution is used to upgrade minimatch only for nodemon (the only production dependency that uses minimatch):

"resolutions": {
  "nodemon/minimatch": "^10.2.1"
}

All other minimatch instances (^3.1.2, ^5.0.1) are in devDependencies only (eslint, jest, eslint-plugin-import, etc.) and revert to their natural 3.1.2 / 5.1.6 versions. These are suppressed in .trivyignore with expiry 2027-02-20 and justification that:

  • They are unreachable at runtime in the production application
  • They process file-path patterns from config files, not untrusted user input
  • Upgrading eslint-plugin-import to support minimatch v10 requires migrating to ESLint v9 (separate effort)

For npm-based repos, nested overrides work correctly; for Yarn v1, the scoped resolution + trivyignore is the correct approach.

Result

Package                                       Version           CVE status
nodemon (prod)                                minimatch 10.2.2  Fixed via scoped resolution
eslint-plugin-import, eslint, jest (devDeps)  minimatch 3.1.2   Suppressed in .trivyignore
jake/filelist (devDeps)                       minimatch 5.1.6   Suppressed in .trivyignore

Test plan

  • Confirm yarn lint passes without errors
  • Confirm Trivy vulnerability scan passes (CVE-2026-26996 suppressed via .trivyignore for dev-only packages)
  • Verify yarn.lock shows nodemon/minimatch resolves to 10.2.2
  • Confirm app builds and tests pass

🤖 Generated with Claude Code
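The suppression justification above rests on a reachability claim: the unfixed minimatch copies sit only behind devDependencies. The Node script below is an added example, not code from this repository or this PR. It parses a Yarn v1 lockfile, walks the dependency graph from the production roots and from the dev roots separately, and reports which versions of a package each set reaches, failing when a version below the fixed release is reachable from production. The lockfile text and the two root maps are constructed for the example; in particular the sample assumes the scoped resolution leaves nodemon requesting a distinct `minimatch@^10.2.1` lockfile key, which is an assumption about Yarn v1's lockfile output and should be checked against the real yarn.lock before the output is trusted.

```javascript
// Added example (not from the UID2 repo or this PR): audit a Yarn v1 lockfile
// for which versions of one package are reachable from production roots versus
// only from devDependencies, mechanising the "unreachable at runtime" argument.

// CONSTRUCTED sample lockfile (resolved/integrity lines omitted). Assumption:
// the scoped resolution gives nodemon a distinct "minimatch@^10.2.1" key.
const SAMPLE_YARN_LOCK = `
# yarn lockfile v1

eslint-plugin-import@^2.29.0:
  version "2.29.0"
  dependencies:
    minimatch "^3.1.2"

minimatch@^10.2.1:
  version "10.2.2"

minimatch@^3.1.2:
  version "3.1.2"

nodemon@^3.1.0:
  version "3.1.0"
  dependencies:
    minimatch "^10.2.1"
`;

// Constructed package.json roots: nodemon is a production dependency, as in the PR.
const PROD_DEPS = { nodemon: "^3.1.0" };
const DEV_DEPS = { "eslint-plugin-import": "^2.29.0" };

// Parse the Yarn v1 lockfile: top-level "name@range[, name@range]:" headers,
// two-space "version"/"dependencies:" lines, four-space dependency lines.
function parseYarnLock(text) {
  const entries = new Map(); // "name@range" -> { name, version, dependencies }
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      const keys = line.replace(/:$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      // lastIndexOf keeps scoped names such as "@scope/name@^1.0.0" intact
      const name = keys[0].slice(0, keys[0].lastIndexOf("@"));
      current = { name, version: null, dependencies: {} };
      inDeps = false;
      for (const k of keys) entries.set(k, current);
      continue;
    }
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 2) {
      inDeps = body === "dependencies:" || body === "optionalDependencies:";
      const v = body.match(/^version "([^"]+)"$/);
      if (v) current.version = v[1];
    } else if (indent === 4 && inDeps) {
      const d = body.match(/^"?([^"\s]+)"?\s+"([^"]+)"$/);
      if (d) current.dependencies[d[1]] = d[2];
    }
  }
  return entries;
}

// Walk the graph from the given roots and collect every version of `pkg` reached.
function reachableVersions(entries, roots, pkg) {
  const seen = new Set();
  const versions = new Set();
  const stack = Object.entries(roots).map(([n, r]) => `${n}@${r}`);
  while (stack.length) {
    const key = stack.pop();
    if (seen.has(key)) continue;
    seen.add(key);
    const e = entries.get(key);
    if (!e) throw new Error(`lockfile has no entry for ${key}; is yarn.lock up to date?`);
    if (e.name === pkg) versions.add(e.version);
    for (const [n, r] of Object.entries(e.dependencies)) stack.push(`${n}@${r}`);
  }
  return versions;
}

// Numeric major.minor.patch comparison; enough for release versions in a lockfile.
function versionAtLeast(v, min) {
  const a = v.split(".").map(Number);
  const b = min.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  return true;
}

// ok is true only when no version below `fixedIn` is reachable from the production roots.
function auditPackage(lockText, prodRoots, devRoots, pkg, fixedIn) {
  const entries = parseYarnLock(lockText);
  const prod = reachableVersions(entries, prodRoots, pkg);
  const dev = reachableVersions(entries, devRoots, pkg);
  const vulnerableProd = [...prod].filter((v) => !versionAtLeast(v, fixedIn));
  const vulnerableDevOnly = [...dev].filter((v) => !versionAtLeast(v, fixedIn) && !prod.has(v));
  return { prod: [...prod].sort(), dev: [...dev].sort(), vulnerableProd, vulnerableDevOnly, ok: vulnerableProd.length === 0 };
}

if (typeof require !== "undefined" && require.main === module) {
  const report = auditPackage(SAMPLE_YARN_LOCK, PROD_DEPS, DEV_DEPS, "minimatch", "10.2.1");
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.ok ? 0 : 1; // fail CI when a vulnerable copy is reachable in prod
}
```

On a real repository the same functions would be fed the contents of yarn.lock and the dependencies/devDependencies objects from package.json; the non-zero exit code makes the reachability argument a CI gate rather than a sentence in a .trivyignore comment. Versions reported under vulnerableDevOnly are the ones a suppression with an expiry date is appropriate for; anything under vulnerableProd is not.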

sunnywu and others added 2 commits February 20, 2026 13:16
Add minimatch ^10.2.1 to overrides and resolutions in package.json to
resolve CVE-2026-26996 (HIGH severity ReDoS via repeated wildcards with
non-matching literal in pattern). Previously minimatch 3.1.2 was pulled in
transitively by eslint, nodemon, jest, and other packages. All instances
are now resolved to 10.2.2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Scope the minimatch resolution so eslint-plugin-import keeps using v3.1.2,
which requires minimatch to be callable as a function (default export). The
global v10.2.1 override broke lint with 'TypeError: minimatch is not a function'.
All other packages continue to use minimatch ^10.2.1 via the global resolution.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Replace the global Yarn resolution (minimatch -> 10.2.2) with a scoped
resolution that only upgrades nodemon's minimatch to 10.2.2. All other
packages (eslint-plugin-import, eslint, jest and other devDeps) revert
to their natural 3.1.2 or 5.1.6, restoring lint compatibility.

eslint-plugin-import 2.x calls minimatch() as a default-export function
(pre-v6 API). Yarn v1's flat node_modules cannot install two separate
minimatch versions without a nested installation that the flat model
doesn't support when a global resolution is also present.

Result:
- nodemon (production dep): minimatch 10.2.2 (CVE fixed via scoped resolution)
- eslint/jest devDeps: minimatch 3.1.2 / 5.1.6 (suppressed in .trivyignore)

Add .trivyignore to suppress CVE-2026-26996 for dev-only minimatch
instances. Expiry 2027-02-20 to revisit when ESLint is upgraded.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ssundahlTTD ssundahlTTD merged commit c83d806 into main Feb 20, 2026
4 checks passed
@ssundahlTTD ssundahlTTD deleted the syw-UID2-6617-fix-minimatch-redos branch February 20, 2026 17:37

2 participants