fix(security): resolve high severity minimatch vulnerabilities #11057

Merged
RomneyDa merged 1 commit into main from fix/minimatch-high-severity-vulnerabilities on Mar 9, 2026

Conversation


@github-actions github-actions bot commented Mar 5, 2026

Summary

This PR fixes 3 high severity vulnerabilities identified by Snyk in the minimatch dependency:

  • SNYK-JS-MINIMATCH-15309438: Regular Expression Denial of Service (ReDoS)
  • SNYK-JS-MINIMATCH-15353387: Regular Expression Denial of Service (ReDoS)
  • SNYK-JS-MINIMATCH-15353389: Inefficient Algorithmic Complexity

Problem

The vulnerable minimatch@9.0.5 was introduced as a transitive dependency through:

@sentry/profiling-node > @sentry/node > minimatch@9.0.5

Solution

Added an npm overrides section in package.json to force all instances of minimatch < 9.0.7 to use ^9.0.7, which contains the security fixes.

Verification

After applying the fix, running npx snyk test confirms that the high severity vulnerabilities are resolved:

  • Before: 3 high severity issues
  • After: 0 high severity issues (only medium license issues remain)

Generated with Continue


Summary by cubic

Forces minimatch to a patched version via npm overrides to fix three high-severity Snyk vulnerabilities. Snyk now reports 0 high severity issues; the vulnerable transitive minimatch@9.0.5 from @sentry/node is removed.

  • Dependencies
    • Added overrides in extensions/cli/package.json: minimatch@<9.0.7 → ^9.0.7 (resolves to 9.0.9).
    • Regenerated package-lock.json to apply minimatch 9.0.9 and updated brace-expansion across nested deps.

Written for commit 2f0b006. Summary will update on new commits.

Added npm overrides to force minimatch@^9.0.7 for all dependencies
that use vulnerable versions (<9.0.7). This addresses:

- SNYK-JS-MINIMATCH-15309438: ReDoS (High Severity)
- SNYK-JS-MINIMATCH-15353387: ReDoS (High Severity)
- SNYK-JS-MINIMATCH-15353389: Inefficient Algorithmic Complexity (High Severity)

The vulnerable minimatch@9.0.5 was introduced as a transitive dependency
of @sentry/profiling-node > @sentry/node.

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <noreply@continue.dev>
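As an added check (example code, not part of this PR or the Continue project), the script below scans a package-lock.json "packages" map for any copy of minimatch, hoisted or nested, that is still below the 9.0.7 floor the override targets; the lockfile contents it runs on are constructed for illustration.

```javascript
// Added example, not code from the Continue repo or this PR: scan a package-lock.json
// (lockfileVersion 2 or 3, which carry a "packages" map) for every installed copy of
// minimatch still below the patched floor, so the override's effect on nested copies
// is verified rather than assumed. All lock data below is constructed for illustration.

const PATCHED_FLOOR = "9.0.7"; // the PR overrides minimatch@<9.0.7 to ^9.0.7

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a sorts strictly before version b (prerelease tags ignored).
function isBelow(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Returns [{ path, version }] for each minimatch entry below `floor`. Lock paths look
// like "node_modules/@sentry/node/node_modules/minimatch", so the suffix test catches
// hoisted and nested copies alike.
function findVulnerableMinimatch(lock, floor = PATCHED_FLOOR) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/minimatch") || !entry.version) continue;
    if (isBelow(entry.version, floor)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample: the hoisted copy is patched, but a copy nested under @sentry/node
// is still at 9.0.5, the situation the PR description reports.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-cli", version: "0.0.0" },
    "node_modules/minimatch": { version: "9.0.9" },
    "node_modules/@sentry/node": { version: "0.0.0-constructed" },
    "node_modules/@sentry/node/node_modules/minimatch": { version: "9.0.5" },
  },
};
// After the override the nested copy is gone; derive that state from the sample.
const SAMPLE_LOCK_AFTER = { ...SAMPLE_LOCK_BEFORE, packages: { ...SAMPLE_LOCK_BEFORE.packages } };
delete SAMPLE_LOCK_AFTER.packages["node_modules/@sentry/node/node_modules/minimatch"];

console.log(findVulnerableMinimatch(SAMPLE_LOCK_BEFORE)); // one hit: the nested 9.0.5 copy
```

To run it against a real lockfile, replace SAMPLE_LOCK_BEFORE with the parsed contents of package-lock.json; an empty result means no minimatch entry below 9.0.7 remains anywhere in the tree.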
@github-actions github-actions bot requested a review from a team as a code owner March 5, 2026 09:17
@github-actions github-actions bot requested review from Patrick-Erichsen and removed request for a team March 5, 2026 09:17
@dosubot dosubot bot added the size:XS label (This PR changes 0-9 lines, ignoring generated files.) Mar 5, 2026

continue bot commented Mar 5, 2026

Docs Review

No documentation updates needed for this PR.

This is an internal security maintenance change that updates minimatch to resolve high-severity vulnerabilities. The changes are limited to:

  • package-lock.json dependency version updates
  • package.json npm overrides configuration

These changes don't affect any public APIs, user-facing features, or configuration options, so no documentation updates are required.


@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 2 files

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Issues and PRs Mar 9, 2026
@dosubot dosubot bot added the lgtm label (This PR has been approved by a maintainer.) Mar 9, 2026
@RomneyDa RomneyDa closed this Mar 9, 2026
@github-project-automation github-project-automation bot moved this from In Progress to Done in Issues and PRs Mar 9, 2026
@RomneyDa RomneyDa reopened this Mar 9, 2026
@github-project-automation github-project-automation bot moved this from Done to In Progress in Issues and PRs Mar 9, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Mar 9, 2026
@RomneyDa RomneyDa merged commit 3884809 into main Mar 9, 2026
61 of 62 checks passed
@RomneyDa RomneyDa deleted the fix/minimatch-high-severity-vulnerabilities branch March 9, 2026 19:08
@github-project-automation github-project-automation bot moved this from In Progress to Done in Issues and PRs Mar 9, 2026