
fix: address CVE-2026-27904 (ReDoS in minimatch via nested extglobs)#231

Open

Copilot wants to merge 4 commits into main from copilot/fix-cve-2026-27904-issue

Conversation

Contributor

Copilot AI commented Mar 17, 2026

  • Identified CVE-2026-27904 as GHSA-23c5-xmqv-rm74 - ReDoS in minimatch via nested *() extglobs (high severity)
  • Updated package-lock.json with fixed minimatch versions (3.1.5, 9.0.9, 10.2.4)
  • Added minimatch overrides to package.json to enforce patched versions
  • Resolved merge conflicts with main branch — kept all security overrides from main (serialize-javascript, cookie, flatted, multer, qs, socket.io-parser, immutable, gatsby>webpack) plus our higher minimatch versions
  • All tests pass, no high/critical vulnerabilities remain
Original prompt

There is a high severity cve-2026-27904 in the site directory of this repo. Please address this issue

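The override-based pinning described in the summary above, as an added checker that is not code from this PR or from the site repository: it takes a package.json `overrides` block and a package-lock.json `packages` map and flags every installed minimatch copy that is either below its pin or not covered by any pin at all. The override key style (`minimatch@^3` and so on), the lockfile entries and the two bad copies are constructed sample data; the PR only states the pinned versions 3.1.5, 9.0.9 and 10.2.4 and does not show the actual keys.

```javascript
// Added example, not the PR's or the site's own code. Checks that each
// minimatch copy recorded in a lockfile satisfies the package.json overrides.
// Both documents are constructed sample data (assumption: overrides are keyed
// per major range, e.g. "minimatch@^3"; a real site/package.json may differ).

const packageJson = {
  name: "site",
  overrides: {
    "minimatch@^3": "3.1.5",
    "minimatch@^9": "9.0.9",
    "minimatch@^10": "10.2.4",
    gatsby: { webpack: "5.x" }, // nested override, ignored by this checker
  },
};

const packageLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "site" },
    "node_modules/minimatch": { version: "9.0.9" },
    "node_modules/glob/node_modules/minimatch": { version: "3.1.5" },
    "node_modules/some-old-tool/node_modules/minimatch": { version: "3.0.4" }, // below its pin
    "node_modules/other-tool/node_modules/minimatch": { version: "5.1.6" }, // no pin covers major 5
    "node_modules/webpack": { version: "5.99.9" },
  },
};

// Parse "1.2.3" (or "1.2.3-beta.1") into [1, 2, 3]; pre-release tags are ignored here.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Numeric comparison on major.minor.patch: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect the string-valued overrides that apply to `name`. Supports the flat
// "name" key (covers every major) and "name@^MAJOR" / "name@MAJOR" keys.
// Nested overrides ("gatsby": { "webpack": ... }) are object-valued and skipped.
function overridesFor(overrides, name) {
  const pins = [];
  for (const [key, value] of Object.entries(overrides)) {
    if (typeof value !== "string") continue;
    const at = key.lastIndexOf("@"); // index 0 would be a scoped name, not a range
    const keyName = at > 0 ? key.slice(0, at) : key;
    if (keyName !== name) continue;
    const range = at > 0 ? key.slice(at + 1) : null;
    const major = range ? parseVersion(range.replace(/^[\^~]/, ""))[0] : null;
    pins.push({ major, version: value });
  }
  return pins;
}

// Walk every lockfile path ending in node_modules/<name> and compare it with its pin.
function checkPins(pkg, lock, name) {
  const pins = overridesFor(pkg.overrides || {}, name);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + name)) continue;
    const installed = entry.version;
    const major = parseVersion(installed)[0];
    const pin = pins.find((p) => p.major === null || p.major === major);
    if (!pin) {
      findings.push({ path, installed, problem: "no override covers this major" });
    } else if (compareVersions(installed, pin.version) < 0) {
      findings.push({ path, installed, problem: `below pinned ${pin.version}` });
    }
  }
  return findings;
}

for (const f of checkPins(packageJson, packageLock, "minimatch")) {
  console.log(`${f.path}: ${f.installed} (${f.problem})`);
}
```

To run it against a real tree, replace the two inline objects with `JSON.parse(fs.readFileSync(...))` of site/package.json and site/package-lock.json. The "no override covers this major" case is the one worth keeping: an override keyed to one major range does nothing for a copy of a different major that some transitive dependency pulls in, so the lockfile, not the overrides block, is what proves the pins took effect. `npm ls minimatch --all` lists every installed copy for a cross-check.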

Copilot AI and others added 2 commits March 17, 2026 19:19
Co-authored-by: mimiflynn <414934+mimiflynn@users.noreply.github.com>
Co-authored-by: mimiflynn <414934+mimiflynn@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix high severity CVE-2026-27904 in site directory fix: address CVE-2026-27904 (ReDoS in minimatch via nested extglobs) Mar 17, 2026
Copilot AI requested a review from mimiflynn March 17, 2026 19:24
@mimiflynn mimiflynn marked this pull request as ready for review March 24, 2026 19:25
@mimiflynn (Member)

@copilot fix merge conflicts

…27904-issue

# Conflicts:
#	site/package-lock.json
#	site/package.json
Contributor Author

Copilot AI commented Mar 24, 2026

@copilot fix merge conflicts

Merge conflicts resolved in 92a2424. The resolution keeps all security overrides from main (serialize-javascript, cookie, flatted, multer, qs, socket.io-parser, immutable, gatsby>webpack) while retaining the higher minimatch versions from this PR (3.1.5, 9.0.9, 10.2.4).

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • unpkg.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node scripts/postinstall.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

3 participants