[BUG] CVE-2026-27903, CVE-2026-27904 from minimatch 10.2.2 #9037

Opened by @ckcr4lyf

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I'm sure we're all tired from the previous minimatch 10.2.1 CVE; it seems 10.2.2 has two more. Oh well.

Expected Behavior

No response

Steps To Reproduce

Run any vuln scanner on a Docker image with npm 11.11.0 (latest as of yesterday), and see the CVEs due to minimatch 10.2.2.

e.g.

Node.js (node-pkg)
==================
Total: 2 (HIGH: 2, CRITICAL: 0)
┌──────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │ Installed Version │                      Fixed Version                      │                            Title                            │
├──────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ minimatch (package.json) │ CVE-2026-27903 │ HIGH     │ fixed  │ 10.2.2            │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 │ minimatch is a minimal matching utility for converting glob │
│                          │                │          │        │                   │                                                         │ expression ...                                              │
│                          │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27903                  │
│                          ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                          │ CVE-2026-27904 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 │ minimatch is a minimal matching utility for converting glob │
│                          │                │          │        │                   │                                                         │ expression ...                                              │
│                          │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27904                  │
└──────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Environment

  • npm: 11.11.0
  • Node.js: LTS
  • OS Name: Docker
  • System Model Name:
  • npm config:
; copy and paste output from `npm config ls` here

Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)