UID2-6617: Fix CVE-2026-26996 minimatch ReDoS vulnerability #994

Merged
ssundahlTTD merged 1 commit into main from syw-UID2-6617-fix-minimatch-redos
Feb 20, 2026
@sunnywu sunnywu commented Feb 20, 2026

Summary

Fixes UID2-6617

  • Adds minimatch: "^10.2.1" to the overrides field in package.json to resolve CVE-2026-26996 (HIGH severity)
  • CVE-2026-26996: ReDoS vulnerability in minimatch via repeated wildcards with a non-matching literal in the pattern
  • Previously installed version: 3.1.2 (via transitive deps from serve-handler, eslint, glob)
  • After fix: all instances upgraded to 10.2.2

Test plan

  • Verify no minimatch versions below 10.2.1 appear in package-lock.json
  • Confirm Trivy vulnerability scan passes with no HIGH/CRITICAL findings for minimatch
  • Confirm docusaurus build still works: npm run build

🤖 Generated with Claude Code

Add minimatch override to ^10.2.1 to resolve CVE-2026-26996 (HIGH severity
ReDoS vulnerability via repeated wildcards with non-matching literal in pattern).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@ssundahlTTD ssundahlTTD merged commit 1e66682 into main Feb 20, 2026
2 checks passed
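
The first test-plan item above can be scripted rather than checked by eye. The following is an added example, not code from this PR or the repository; the function names and the sample lockfile are constructed for illustration, and it assumes a lockfileVersion 2 or 3 file with a `packages` map:

```javascript
// Added example: flags minimatch copies in a parsed package-lock.json
// (lockfileVersion 2 or 3, "packages" map) that are older than the fixed version.
const MIN_FIXED = "10.2.1"; // minimum version named in the PR's test plan

// Compare plain x.y.z versions numerically; pre-release tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for every installed copy of `name` older than `min`.
function findOutdated(lock, name = "minimatch", min = MIN_FIXED) {
  if (!lock || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    // Match top-level and nested copies, but not scoped look-alikes such as @scope/minimatch.
    .filter(([path, meta]) => (path === suffix || path.endsWith("/" + suffix)) && meta.version)
    .filter(([, meta]) => compareVersions(meta.version, min) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample: the state an incomplete override would leave behind.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-site" },
    "node_modules/minimatch": { version: "10.2.2" },
    "node_modules/glob/node_modules/minimatch": { version: "3.1.2" },
    "node_modules/serve-handler/node_modules/minimatch": { version: "3.1.2" },
    "node_modules/@example/minimatch": { version: "1.0.0" },
  },
};

console.log(findOutdated(sampleLock)); // the two nested 3.1.2 copies
```

On a real checkout, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock` and fail the CI step when the result is non-empty.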