fix(misc): bump minimatch to 10.2.1 to address CVE-2026-26996#34509
Merged
Conversation
leosvelperez
requested review from
a team,
FrozenPandaz and
vsavkin
as code owners
✅ Deploy Preview for nx-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview for nx-dev ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Contributor
|
View your CI Pipeline Execution ↗ for commit d06b3d8
☁️ Nx Cloud last updated this comment at |
![nx-cloud[bot]](https://avatars.githubusercontent.com/in/80458?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
leosvelperez
changed the title
FrozenPandaz
approved these changes
Feb 19, 2026
|
i think this PR might also fix #32440? the |
Bump ts-morph to ^27.0.2 so publishable artifacts consume @ts-morph/common@0.28.1 and minimatch@10.2.1 transitively.
leosvelperez
force-pushed
the
gh-34507
branch
from
6acfe1e to
945a818
Compare
Bump ts-morph to ^27.0.2 so publishable artifacts consume @ts-morph/common@0.28.1 and minimatch@10.2.1 transitively. [Self-Healing CI Rerun]
Contributor
There was a problem hiding this comment.
Nx Cloud has identified a flaky task in your failed CI:
🔂 Since the failure was identified as flaky, we triggered a CI rerun by adding an empty commit to this branch.
🎓 Learn more about Self-Healing CI on nx.dev
FrozenPandaz
added a commit
that referenced
this pull request
Feb 26, 2026
## Current Behavior Several Nx packages directly depend on a minimatch version with a high-severity vulnerability (GHSA-3ppc-4f35-3m26). ## Expected Behavior Several Nx packages should depend directly on a minimatch version that does not include the reported high-severity vulnerability. Note: unsafe `minimatch` versions can still be pulled in transitively. Upstream deps need to be updated, and then we need to update the Nx packages to newer versions. ## Related Issue(s) Fixes #34507 --------- Co-authored-by: Jason Jean <jasonjean1993@gmail.com> (cherry picked from commit 731db47)
Contributor
|
This pull request has already been merged/closed. If you experience issues related to these changes, please open a new issue referencing this pull request. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Current Behavior
Several Nx packages directly depend on a minimatch version with a high-severity vulnerability (GHSA-3ppc-4f35-3m26).
Expected Behavior
Several Nx packages should depend directly on a minimatch version that does not include the reported high-severity vulnerability.
Note: unsafe
minimatchversions can still be pulled in transitively. Upstream deps need to be updated, and then we need to update the Nx packages to newer versions.Related Issue(s)
Fixes #34507
Fixes #32440