Open
Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
I'm sure we're all tired from the previous minimatch 10.2.1 CVE, seems 10.2.2 has two more. Oh well.
Expected Behavior
No response
Steps To Reproduce
Run any vuln scanner on a Docker image with npm 11.11.0 (latest as of yesterday), see CVE due to minimatch 10.2.2
e.g.
Node.js (node-pkg)
==================
Total: 2 (HIGH: 2, CRITICAL: 0)
┌──────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ minimatch (package.json) │ CVE-2026-27903 │ HIGH │ fixed │ 10.2.2 │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 │ minimatch is a minimal matching utility for converting glob │
│ │ │ │ │ │ │ expression ... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-27903 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-27904 │ │ │ │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 │ minimatch is a minimal matching utility for converting glob │
│ │ │ │ │ │ │ expression ... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-27904 │
└──────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────┘
Environment
- npm: 11.11.0
- Node.js: LTS
- OS Name: Docker
- System Model Name:
- npm config:
; copy and paste output from `npm config ls` here