
robdefeo
Contributor

@robdefeo robdefeo commented Jul 30, 2025

Summary

This PR upgrades the minimatch dependency from ~3.0.3 to 10.0.3 across the entire Rush monorepo to address a Regular Expression Denial of Service (ReDoS) vulnerability in the underlying brace-expansion dependency.

🔒 Security Issue
Vulnerability: GHSA-v6h2-p8h4-qcjw - CVE-2025-5889
Severity: Low (CVSS 1.3/10)
Impact: ReDoS vulnerability in brace-expansion dependency used by older versions of minimatch

The vulnerability affects the brace-expansion package versions:

  • >= 2.0.0, <= 2.0.1
  • >= 1.0.0, <= 1.1.11
  • = 3.0.0
  • = 4.0.0
While the severity is rated as low, upgrading eliminates this attack vector entirely.

Details

Dependency Updates

  • minimatch: ~3.0.3 → 10.0.3
  • @types/minimatch: 3.0.5 → 6.0.0

API Breaking Changes Fixed

Minimatch v10 introduced breaking changes in its export structure. Updated import statements:

Before (v3):

import minimatch from 'minimatch';

After (v10):

import { minimatch } from 'minimatch';

Files Updated

  • Collector.ts - Fixed import statement
  • WebpackConfigurationUpdater.ts - Fixed import statement
  • Multiple package.json files across the monorepo
  • Lock files and repo state hashes updated

Configuration Management

  • Added minimatch: "10.0.3" and @types/minimatch: "6.0.0" to common-versions.json preferredVersions
  • Used Rush's automated dependency management via rush add commands
  • Ensured consistent versions across all projects

How it was tested

  • rush check - No dependency mismatches
  • rush build - All packages build successfully
  • rush test - All tests pass
  • Verified API compatibility fixes work correctly

- Update minimatch dependency from ~3.0.3 to 10.0.3 across monorepo
- Update @types/minimatch from 3.0.5 to 6.0.0
- Fix breaking API changes: switch from default import to named import
  - api-extractor: `import minimatch from 'minimatch'` → `import { minimatch } from 'minimatch'`
  - webpack4-localization-plugin: same import pattern update
- Centralize version management via common-versions.json preferredVersions
- Update lock files and repo state hashes for both subspaces

Breaking change: minimatch v10 uses named exports instead of default export
@robdefeo
Contributor Author

robdefeo commented Jul 30, 2025

@robdefeo please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Vidos Ltd"

@robdefeo
Contributor Author

@robdefeo the command you issued was incorrect. Please try again.

Examples are:

@microsoft-github-policy-service agree

and

@microsoft-github-policy-service agree company="your company"

@microsoft-github-policy-service agree company="Vidos Ltd"

Contributor

@dmichon-msft dmichon-msft left a comment


We don't need @types/minimatch at all anymore, but otherwise this looks fine.

robdefeo added 2 commits July 31, 2025 08:14
- minimatch v10 renamed IMinimatch interface to Minimatch class
- Update type annotations to use the new class name
@robdefeo robdefeo requested a review from dmichon-msft July 31, 2025 07:04
@dmichon-msft dmichon-msft merged commit cd4b4f1 into microsoft:main Jul 31, 2025
5 checks passed
@github-project-automation github-project-automation bot moved this from Needs triage to Closed in Bug Triage Jul 31, 2025