From 210e1fbdc01eee3a51cefc94c9a8bb359cf36f04 Mon Sep 17 00:00:00 2001 From: Galib Sarayev Date: Fri, 6 Mar 2026 13:24:23 +0000 Subject: [PATCH] fix(amplify-codegen): add minimatch resolution to fix CVE-2026-26996 (ReDoS) All direct parents (eslint@7.32.0, jest@27.5.1, lerna@5.6.2, copyfiles@2.4.1, codecov@3.8.3, @commitlint/config-lerna-scopes@17.8.1) are already at their latest versions within their current major. Their semver ranges (^3.0.x) accept minimatch@3.1.3+, but the lockfile had resolved to 3.1.2 (the latest at the time). Additionally, nx@15 (via lerna@5) pinned minimatch@3.0.5. No amount of bumping direct parents within their current majors changes this. Resolution 'minimatch': '^3.1.3' forces all instances to 3.1.5 (latest 3.x), eliminating all three vulnerable versions (3.0.5, 3.1.2, 5.1.6). --- dependency_licenses.txt | 20 -------------------- package.json | 3 ++- yarn.lock | 23 ++++++++--------------- 3 files changed, 10 insertions(+), 36 deletions(-) diff --git a/dependency_licenses.txt b/dependency_licenses.txt index 93e4bead..5691ba39 100644 --- a/dependency_licenses.txt +++ b/dependency_licenses.txt @@ -17477,26 +17477,6 @@ THE SOFTWARE. ----- -The following software may be included in this product: minimatch. A copy of the source code may be downloaded from git://github.com/isaacs/minimatch.git. This software contains the following license and notice below: - -The ISC License - -Copyright (c) 2011-2023 Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - ------ - The following software may be included in this product: minimist-options. A copy of the source code may be downloaded from https://github.com/vadimdemedes/minimist-options.git. This software contains the following license and notice below: The MIT License (MIT) diff --git a/package.json b/package.json index e1317cf4..4815bbba 100644 --- a/package.json +++ b/package.json @@ -148,7 +148,8 @@ "parse-url": "^8.1.0", "tar": "^7.5.8", "xml2js": "0.5.0", - "tmp": "^0.2.4" + "tmp": "^0.2.4", + "minimatch": "^3.1.3" }, "config": { "commitizen": { diff --git a/yarn.lock b/yarn.lock index c8e7e35d..522e973d 100644 --- a/yarn.lock +++ b/yarn.lock @@ -15400,24 +15400,17 @@ min-indent@^1.0.0: resolved "https://registry.npmjs.org/min-indent/-/min-indent-1.0.1.tgz#a63f681673b30571fbe8bc25686ae746eefa9869" integrity sha512-I9jwMn07Sy/IwOj3zVkVik2JTvgpaykDZEigL6Rx6N9LbMywwUSMtxET+7lVoDLLd3O3IXwJwvuuns8UB/HeAg== -minimatch@3.0.5: - version "3.0.5" - resolved "https://registry.npmjs.org/minimatch/-/minimatch-3.0.5.tgz#4da8f1290ee0f0f8e83d60ca69f8f134068604a3" - integrity sha512-tUpxzX0VAzJHjLu0xUfFv1gwVp9ba3IOuRAVH2EGuRW8a5emA2FlACLqiT/lDVtS1W+TGNwqz3sWaNyLgDJWuw== - dependencies: - brace-expansion "^1.1.7" - -minimatch@^3.0.3, minimatch@^3.0.4, minimatch@^3.1.1, minimatch@^3.1.2: - version "3.1.2" - resolved "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b" - integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw== +minimatch@3.0.5, minimatch@^3.0.3, minimatch@^3.0.4, minimatch@^3.1.1, minimatch@^3.1.2, minimatch@^3.1.3, minimatch@^5.0.1: + version "3.1.5" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.5.tgz#580c88f8d5445f2bd6aa8f3cadefa0de79fbd69e" + integrity sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w== dependencies: brace-expansion "^1.1.7" -minimatch@^5.0.1: - version "5.1.6" - resolved "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz#1cfcb8cf5522ea69952cd2af95ae09477f122a96" - integrity sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g== +minimatch@^5.1.7: + version "5.1.9" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.9.tgz#1293ef15db0098b394540e8f9f744f9fda8dee4b" + integrity sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw== dependencies: brace-expansion "^2.0.1"