fix: add minimatch resolution to patch ReDoS vulnerability (CVE-2026-…#2917
Pull request overview
This PR addresses a reported ReDoS vulnerability by forcing an updated minimatch version via Yarn resolutions, updating the lockfile accordingly.
Changes:
- Add a Yarn `resolutions` entry to require a patched `minimatch` version.
- Regenerate `yarn.lock`, resulting in `minimatch` resolving to `10.2.4` and updating related transitive deps (`brace-expansion`, `balanced-match`) and removing no-longer-needed transitive deps (`concat-map`).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Adds a minimatch resolution intended to ensure a non-vulnerable version is installed. |
| yarn.lock | Reflects the new dependency graph, including the minimatch major upgrade and updated transitive dependencies. |
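One way to confirm that a resolution like this actually reached the lockfile, as an added example that is not code from the PR or from the project it belongs to: it parses a Yarn classic (v1) `yarn.lock`, lists every version a package resolves to, and reports any still below a chosen minimum. The lockfile text is constructed for the example (its version numbers mirror the review summary), and the Yarn Berry lockfile format is assumed out of scope.

```javascript
// Added example (not code from the PR): audit a Yarn classic (v1) yarn.lock for
// every version a package resolves to, so a `resolutions` override can be
// verified to have taken effect. Constructed lockfile; versions mirror the PR.
const SAMPLE_LOCK = `
# yarn lockfile v1
minimatch@^3.0.4, minimatch@^5.1.0, minimatch@>=5.1.7:
  version "10.2.4"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-10.2.4.tgz"

brace-expansion@^5.0.2:
  version "5.0.2"
`;
// Parse each header ("name@range, name@range:") plus the "version" line that
// follows it into { name, selector, version } records.
function parseLockEntries(lockText) {
  const entries = [];
  let selectors = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) { // header: comma-separated, optionally quoted
      selectors = line.replace(/:\s*$/, '').split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = selectors && line.match(/^\s+version "([^"]+)"/);
    if (!m) continue;
    for (const selector of selectors) {
      // Name is everything before the last '@', so scoped names keep theirs.
      const name = selector.slice(0, selector.lastIndexOf('@'));
      entries.push({ name, selector, version: m[1] });
    }
    selectors = null;
  }
  return entries;
}
// Distinct versions the lockfile resolves for one package.
function resolvedVersions(lockText, pkg) {
  const hits = parseLockEntries(lockText).filter((e) => e.name === pkg);
  return [...new Set(hits.map((e) => e.version))];
}
// Numeric major.minor.patch comparison; pre-release tags are ignored.
function versionAtLeast(version, minimum) {
  const [a, b] = [version, minimum].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  return true;
}
// Versions of `pkg` still below `minimum`; an empty list means the override held.
function versionsBelow(lockText, pkg, minimum) {
  return resolvedVersions(lockText, pkg).filter((v) => !versionAtLeast(v, minimum));
}
```

Run it against a real `yarn.lock` by replacing `SAMPLE_LOCK` with the file contents; any version returned by `versionsBelow` is a selector the resolution did not cover.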
| "resolutions": { | ||
| "h3": "^1.15.5" | ||
| "h3": "^1.15.5", | ||
| "minimatch": ">=5.1.7" |
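Review bot: the `"minimatch": ">=5.1.7"` line has no upper bound, and the committed lockfile already shows the consequence: minimatch resolves to 10.2.4, the major-version jump called out in the file summary. A Yarn resolution overrides the range every transitive dependent declared, so packages that asked for minimatch 3.x or 5.x will now load 10.x, whose API and supported Node versions may differ. Please either narrow the range to the lowest patched line the toolchain has been validated against, or state in the PR description which dependents were exercised (install plus test run) on 10.2.4.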
The new Yarn resolution uses an open-ended range (">=5.1.7"), which can silently pull in future major versions of minimatch and change behavior without any code changes. To keep installs deterministic and reduce upgrade risk, consider pinning this to a specific version (or at least a single major line such as "^5.1.7") that you’ve validated with the current toolchain.
| "minimatch": ">=5.1.7" | |
| "minimatch": "^5.1.7" |
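Review bot: if this `"^5.1.7"` suggestion is taken, `yarn.lock` has to be regenerated in the same commit, because the lockfile this PR ships resolves minimatch to 10.2.4, which does not satisfy `^5.1.7`; a resolution that disagrees with the lockfile will fail a frozen-lockfile install in CI. It would also help to record in the PR description that the 5.x line carries the fix for the CVE named (and truncated) in the title, since that is what justifies choosing it over 10.x.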
| "resolutions": { | ||
| "h3": "^1.15.5" | ||
| "h3": "^1.15.5", | ||
| "minimatch": ">=5.1.7" | ||
| }, |
PR description still contains placeholder items (e.g., "Fixes XYZ bug" / "Adds XYZ feature"), but this change appears to be a dependency-resolution security patch for minimatch. Please update the PR description to reflect the actual change (CVE, affected surface, and what was tested) so reviewers/release notes aren’t misleading.
…26996)
General Changes
Developer Notes
Add any notes here that may be helpful for reviewers.
Reviewer Checklist
Please ensure you, as the reviewer(s), have gone through this checklist to ensure that the code changes are ready to ship safely and to help mitigate any downstream issues that may occur.
`.env.example` file as well as the pertinent `.github/actions/*` files