Skip to content

feat: upgrade minimatch to v10.0.3#5291

Merged
dmichon-msft merged 5 commits intomicrosoft:mainfrom
robdefeo:upgrade-minimatch-to-v10
Jul 31, 2025
Merged

feat: upgrade minimatch to v10.0.3#5291
dmichon-msft merged 5 commits intomicrosoft:mainfrom
robdefeo:upgrade-minimatch-to-v10

Conversation

@robdefeo
Copy link
Contributor

@robdefeo robdefeo commented Jul 30, 2025
edited
Loading

Summary

This PR upgrades the minimatch dependency from ~3.0.3 to 10.0.3 across the entire Rush monorepo to address a Regular Expression Denial of Service (ReDoS) vulnerability in the underlying brace-expansion dependency.

🔒 Security Issue
Vulnerability: GHSA-v6h2-p8h4-qcjw - CVE-2025-5889
Severity: Low (CVSS 1.3/10)
Impact: ReDoS vulnerability in brace-expansion dependency used by older versions of minimatch

The vulnerability affects the brace-expansion package versions:

= 2.0.0, <= 2.0.1
= 1.0.0, <= 1.1.11
= 3.0.0
= 4.0.0
While the severity is rated as low, upgrading eliminates this attack vector entirely.

Details

Dependency Updates

  • minimatch: ~3.0.3 → 10.0.3
  • @types/minimatch: 3.0.5 → 6.0.0

API Breaking Changes Fixed

Minimatch v10 introduced breaking changes in its export structure. Updated import statements:

Before (v3):

import minimatch from 'minimatch';

After (v10):

import { minimatch } from 'minimatch';

Files Updated

  • Collector.ts - Fixed import statement
  • WebpackConfigurationUpdater.ts - Fixed import statement
  • Multiple package.json files across the monorepo
    Lock files and repo state hashes updated

Configuration Management

  • Added minimatch: "10.0.3" and @types/minimatch: "6.0.0" to common-versions.json preferredVersions
  • Used Rush's automated dependency management via rush add commands
  • Ensured consistent versions across all projects

How it was tested

  • rush check - No dependency mismatches
  • rush build - All packages build successfully
  • rush test - All tests pass
  • Verified API compatibility fixes work correctly

@robdefeo
feat: upgrade minimatch to v10.0.3
9fdb064 
- Update minimatch dependency from ~3.0.3 to 10.0.3 across monorepo
- Update @types/minimatch from 3.0.5 to 6.0.0
- Fix breaking API changes: switch from default import to named import
  - api-extractor: `import minimatch from 'minimatch'` → `import { minimatch } from 'minimatch'`
  - webpack4-localization-plugin: same import pattern update
- Centralize version management via common-versions.json preferredVersions
- Update lock files and repo state hashes for both subspaces

Breaking change: minimatch v10 uses named exports instead of default export
@github-project-automation github-project-automation bot moved this to Needs triage in Bug Triage Jul 30, 2025
@robdefeo
Copy link
Contributor Author

robdefeo commented Jul 30, 2025
edited
Loading

@robdefeo please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Vidos Ltd"

@robdefeo
Copy link
Contributor Author

robdefeo commented Jul 30, 2025

@robdefeo the command you issued was incorrect. Please try again.

Examples are:

@microsoft-github-policy-service agree

and

@microsoft-github-policy-service agree company="your company"

@microsoft-github-policy-service agree company="Vidos Ltd"

dmichon-msft
dmichon-msft reviewed Jul 30, 2025
View reviewed changes
Copy link
Contributor

@dmichon-msft dmichon-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need @types/minimatch at all anymore, but otherwise this looks fine.

robdefeo added 2 commits July 31, 2025 08:14
@robdefeo
chore: remove @types/minimatch
4e8e280
@robdefeo
fix: update IMinimatch interface to Minimatch class in package-extractor
ce99810 
- minimatch v10 renamed IMinimatch interface to Minimatch class
- Update type annotations to use the new class name
@robdefeo robdefeo requested a review from dmichon-msft July 31, 2025 07:04
@dmichon-msft dmichon-msft merged commit cd4b4f1 into microsoft:main Jul 31, 2025
5 checks passed
@github-project-automation github-project-automation bot moved this from Needs triage to Closed in Bug Triage Jul 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmichon-msft dmichon-msft dmichon-msft approved these changes

@iclanton iclanton Awaiting requested review from iclanton iclanton is a code owner

@octogonz octogonz Awaiting requested review from octogonz octogonz is a code owner

@apostolisms apostolisms Awaiting requested review from apostolisms apostolisms is a code owner

@D4N14L D4N14L Awaiting requested review from D4N14L

@TheLarkInn TheLarkInn Awaiting requested review from TheLarkInn TheLarkInn is a code owner

@patmill patmill Awaiting requested review from patmill

Assignees

No one assigned

Labels

None yet

Projects

Bug Triage
Status: Closed

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@robdefeo @dmichon-msft