From 9b3f0029a4db72a6edf94dea7e7edb3b1dc0c846 Mon Sep 17 00:00:00 2001 From: Tanmay Deep Sharma <32020192+tds-1@users.noreply.github.com> Date: Wed, 11 Mar 2026 16:48:48 +0530 Subject: [PATCH] fix: override minimatch to patch ReDoS vulnerability (#13769) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description Remediates high severity ReDoS vulnerability in minimatch (CVE-2026-27903) flagged by Vanta/Dependabot. minimatch is a transitive dev-only dependency (via eslint and tailwindcss build tooling) — not shipped to production. Added pnpm overrides to force patched versions: - minimatch@<4 → 3.1.5 - minimatch@>=9.0.0 <9.0.7 → 9.0.9 Closes: https://linear.app/chatwoot/issue/CW-6595/vanta-remediate-high-vulnerabilities-identified-in-packages-are ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) ## How Has This Been Tested? - No production impact — minimatch is only used in dev tooling, not at runtime - pnpm install completes successfully ## Checklist: - [ ] My code follows the style guidelines of this project - [ ] I have performed a self-review of my code - [ ] I have commented on my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] My changes generate no new warnings - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published in downstream modules --- package.json | 4 +++- pnpm-lock.yaml | 48 +++++++++++++++++++++--------------------------- 2 files changed, 24 insertions(+), 28 deletions(-) diff --git a/package.json b/package.json index d6e7d173e..0f74d03f4 100644 --- a/package.json +++ b/package.json @@ -160,7 +160,9 @@ "overrides": { "vite-node": "2.0.1", "vite": "5.4.21", - "vitest": "3.0.5" + "vitest": "3.0.5", + "minimatch@<4": "3.1.5", + "minimatch@>=9.0.0 <9.0.7": "9.0.9" } }, "lint-staged": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7fe154c07..abd4acdeb 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -8,6 +8,8 @@ overrides: vite-node: 2.0.1 vite: 5.4.21 vitest: 3.0.5 + minimatch@<4: 3.1.5 + minimatch@>=9.0.0 <9.0.7: 9.0.9 importers: @@ -1731,8 +1733,8 @@ packages: brace-expansion@1.1.11: resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==} - brace-expansion@2.0.1: - resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==} + brace-expansion@2.0.2: + resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==} braces@3.0.3: resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} @@ -3255,15 +3257,11 @@ packages: min-document@2.19.0: resolution: {integrity: sha512-9Wy1B3m3f66bPPmU5hdA4DR4PB2OfDU/+GS3yAB7IQozE3tqXaVv2zOjgla7MEGSRv95+ILmOuvhLkOK6wJtCQ==} - minimatch@3.1.2: - resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} + minimatch@3.1.5: + resolution: {integrity: sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==} - minimatch@9.0.1: - resolution: {integrity: sha512-0jWhJpD/MdhPXwPuiRkCbfYfSKp2qnn2eOc279qI7f+osl/l+prKSrvhg157zSYvx/1nmgn2NqdT6k2Z7zSH9w==} - engines: {node: '>=16 || 14 >=14.17'} - - minimatch@9.0.5: - resolution: {integrity: sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==} + minimatch@9.0.9: + resolution: {integrity: sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==} engines: {node: '>=16 || 14 >=14.17'} minimist@1.2.8: @@ -5312,7 +5310,7 @@ snapshots: ignore: 5.2.4 import-fresh: 3.3.0 js-yaml: 4.1.0 - minimatch: 3.1.2 + minimatch: 3.1.5 strip-json-comments: 3.1.1 transitivePeerDependencies: - supports-color @@ -5326,7 +5324,7 @@ snapshots: ignore: 5.2.4 import-fresh: 3.3.0 js-yaml: 4.1.0 - minimatch: 3.1.2 + minimatch: 3.1.5 strip-json-comments: 3.1.1 transitivePeerDependencies: - supports-color @@ -5463,7 +5461,7 @@ snapshots: dependencies: '@humanwhocodes/object-schema': 2.0.3 debug: 4.3.5 - minimatch: 3.1.2 + minimatch: 3.1.5 transitivePeerDependencies: - supports-color @@ -6373,7 +6371,7 @@ snapshots: balanced-match: 1.0.2 concat-map: 0.0.1 - brace-expansion@2.0.1: + brace-expansion@2.0.2: dependencies: balanced-match: 1.0.2 @@ -6817,7 +6815,7 @@ snapshots: dependencies: '@one-ini/wasm': 0.1.1 commander: 10.0.1 - minimatch: 9.0.1 + minimatch: 9.0.9 semver: 7.6.3 ee-first@1.1.1: {} @@ -7084,7 +7082,7 @@ snapshots: hasown: 2.0.2 is-core-module: 2.15.1 is-glob: 4.0.3 - minimatch: 3.1.2 + minimatch: 3.1.5 object.fromentries: 2.0.8 object.groupby: 1.0.3 object.values: 1.2.0 @@ -7164,7 +7162,7 @@ snapshots: json-stable-stringify-without-jsonify: 1.0.1 levn: 0.4.1 lodash.merge: 4.6.2 - minimatch: 3.1.2 + minimatch: 3.1.5 natural-compare: 1.4.0 optionator: 0.9.3 strip-ansi: 6.0.1 @@ -7394,7 +7392,7 @@ snapshots: dependencies: foreground-child: 3.3.0 jackspeak: 3.4.3 - minimatch: 9.0.5 + minimatch: 9.0.9 minipass: 7.1.2 package-json-from-dist: 1.0.0 path-scurry: 1.11.1 @@ -7404,7 +7402,7 @@ snapshots: fs.realpath: 1.0.0 inflight: 1.0.6 inherits: 2.0.4 - minimatch: 3.1.2 + minimatch: 3.1.5 once: 1.4.0 path-is-absolute: 1.0.1 @@ -8143,17 +8141,13 @@ snapshots: dependencies: dom-walk: 0.1.2 - minimatch@3.1.2: + minimatch@3.1.5: dependencies: brace-expansion: 1.1.11 - minimatch@9.0.1: + minimatch@9.0.9: dependencies: - brace-expansion: 2.0.1 - - minimatch@9.0.5: - dependencies: - brace-expansion: 2.0.1 + brace-expansion: 2.0.2 minimist@1.2.8: {} @@ -9251,7 +9245,7 @@ snapshots: dependencies: '@istanbuljs/schema': 0.1.3 glob: 10.4.5 - minimatch: 9.0.5 + minimatch: 9.0.9 text-segmentation@1.0.3: dependencies: