minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

[brendon]

minimatch that is included in the dependency tree by @tensorflow/tfjs-node via both @mapbox/node-pre-gyp and rimraf has a vulnerability: CVE-2026-26996

Essentially glob needs to be upgraded in rimraf (which is has in the latest version).

[avmohansai]

Hi @brendon ,
Thanks for raising this and this is already a known issue (rimraf > glob > minimatch) which is already been escalated to the team.
Thank you.

[brendon]

Thanks @avmohansai, good to hear :D

[brendon]

Looks like they've patched older versions of minimatch also: isaacs/minimatch#281