fix(security): Upgrade copy-webpack-plugin to 14.0.0 #27458

Merged
yhwang merged 1 commit into prestodb:master from unidevel:fix-cve
Mar 30, 2026

Conversation

unidevel (Contributor) commented Mar 29, 2026

Description

Vulnerable Library - copy-webpack-plugin-12.0.2.tgz

Path to dependency file: /presto-ui/src/package.json

Path to vulnerable library: /presto-ui/src/package.json

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (copy-webpack-plugin version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-33671 | High | 7.5 | picomatch-2.3.1.tgz | Transitive | N/A* | ❌ |
| CVE-2026-34043 | Medium | 5.9 | serialize-javascript-6.0.2.tgz | Transitive | N/A* | ❌ |
| CVE-2026-33672 | Medium | 5.3 | picomatch-2.3.1.tgz | Transitive | N/A* | ❌ |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-33671

Vulnerable Library - picomatch-2.3.1.tgz

Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.

Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz

Path to dependency file: /presto-ui/src/package.json

Path to vulnerable library: /presto-ui/src/package.json

Dependency Hierarchy:

  • copy-webpack-plugin-12.0.2.tgz (Root Library)
    • fast-glob-3.3.3.tgz
      • micromatch-4.0.8.tgz
        • picomatch-2.3.1.tgz (Vulnerable Library)

Found in base branches: wxd-fedramp-baseline, elasticsearch-vulnerability, staging-rebase-pr, master

Vulnerability Details

Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as "+()" and "*()", especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to "picomatch" for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.

This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to "picomatch". Possible mitigations include:

  • disabling extglob support for untrusted patterns by using "noextglob: true";
  • rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as "+()" and "*()";
  • enforcing strict allowlists for accepted pattern syntax;
  • running matching in an isolated worker or separate process with time and resource limits; and
  • applying application-level request throttling and input validation for any endpoint that accepts glob patterns.

Publish Date: 2026-03-26

URL: https://www.mend.io/vulnerability-database/CVE-2026-33671

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, see https://www.first.org/cvss/calculator/3.0.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d

Release Date: 2026-03-25

Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2, https://github.com/micromatch/picomatch.git - 3.0.2, https://github.com/micromatch/picomatch.git - 4.0.4

CVE-2026-34043

Vulnerable Library - serialize-javascript-6.0.2.tgz

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz

Path to dependency file: /presto-ui/src/package.json

Path to vulnerable library: /presto-ui/src/package.json

Dependency Hierarchy:

  • copy-webpack-plugin-12.0.2.tgz (Root Library)
    • serialize-javascript-6.0.2.tgz (Vulnerable Library)

Found in base branches: wxd-fedramp-baseline, elasticsearch-vulnerability, staging-rebase-pr, master

Vulnerability Details

Impact

What kind of vulnerability is it? It is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from "Array.prototype" but has a very large "length" property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.

Who is impacted? Applications that use "serialize-javascript" to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to Prototype Pollution or handles untrusted data via YAML Deserialization, as these could be used to inject the malicious object.

Patches

Has the problem been patched? Yes, the issue has been patched by replacing "instanceof Array" checks with "Array.isArray()" and using "Object.keys()" for sparse array detection.

What versions should users upgrade to? Users should upgrade to "v7.0.5" or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? There is no direct code-level workaround within the library itself. However, users can mitigate the risk by:

  • Validating and sanitizing all input before passing it to the "serialize()" function.
  • Ensuring the environment is protected against Prototype Pollution.
  • Upgrading to "v7.0.5" as soon as possible.

Acknowledgements

Serialize JavaScript thanks Tomer Aberbach (@TomerAberbach) for discovering and privately disclosing this issue.

Publish Date: 2026-03-28

URL: https://www.mend.io/vulnerability-database/CVE-2026-34043

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, see https://www.first.org/cvss/calculator/3.0.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b

Release Date: 2026-03-28

Fix Resolution: https://github.com/yahoo/serialize-javascript.git - v7.0.5

CVE-2026-33672

Vulnerable Library - picomatch-2.3.1.tgz

Blazing fast and accurate glob matcher written in JavaScript, with no dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.

Library home page: https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz

Path to dependency file: /presto-ui/src/package.json

Path to vulnerable library: /presto-ui/src/package.json

Dependency Hierarchy:

  • copy-webpack-plugin-12.0.2.tgz (Root Library)
    • fast-glob-3.3.3.tgz
      • micromatch-4.0.8.tgz
        • picomatch-2.3.1.tgz (Vulnerable Library)

Found in base branches: wxd-fedramp-baseline, elasticsearch-vulnerability, staging-rebase-pr, master

Vulnerability Details

Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the "POSIX_REGEX_SOURCE" object. Because the object inherits from "Object.prototype", specially crafted POSIX bracket expressions (e.g., "[[:constructor:]]") can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected "picomatch" versions that process untrusted or user-controlled glob patterns are potentially impacted.

This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include:

  • sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like "[[:...:]]";
  • avoiding the use of POSIX bracket expressions if user input is involved; and
  • manually patching the library by modifying "POSIX_REGEX_SOURCE" to use a null prototype.

Publish Date: 2026-03-26

URL: https://www.mend.io/vulnerability-database/CVE-2026-33672

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, see https://www.first.org/cvss/calculator/3.0.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903

Release Date: 2026-03-25

Fix Resolution: https://github.com/micromatch/picomatch.git - 2.3.2, https://github.com/micromatch/picomatch.git - 3.0.2, https://github.com/micromatch/picomatch.git - 4.0.4

Motivation and Context

Impact

UI build

Test Plan

Test manually

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== NO RELEASE NOTE ==

Summary by Sourcery

Enhancements:

  • Update the copy-webpack-plugin dependency in presto-ui from version 12.x to 14.x to pull in patched transitive libraries and improve security posture.
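The two picomatch advisories in the description above reduce to one rule for a caller that cannot upgrade yet: do not hand untrusted glob patterns to the matcher unfiltered. What follows is an added example, written for this page and not code from this PR, from presto-ui or from picomatch itself. It shows a pre-filter that rejects the pattern shapes the advisories name (the extglob quantifiers "*()" and "+()", nested extglobs, and POSIX bracket classes outside an allowlist), beside a POSIX class lookup done on a null-prototype table so that "[[:constructor:]]" cannot resolve to an inherited method. The function names and the small POSIX class table are assumptions made for the example; the "vulnerable" lookup only reproduces the shape the second advisory describes and is not picomatch's code.

```javascript
// Added example, not code from the PR or from picomatch: gate untrusted glob
// patterns before they reach a glob matcher, and show why the POSIX class
// table needs a null prototype. Names and the class subset are assumptions.

// Extglob quantifier groups "*(" and "+(" are the ReDoS-prone shapes named
// in CVE-2026-33671. Backslash-escaped parens are not special-cased here, so
// an escaped "\+(" is still rejected, which errs on the safe side.
const EXTGLOB_QUANTIFIER = /[*+]\(/;
// POSIX bracket class name, e.g. "alpha" in "[[:alpha:]]" or "constructor"
// in "[[:constructor:]]".
const POSIX_CLASS = /\[:([^:\]]*):\]/g;

// Constructed subset of POSIX classes. Object.create(null) gives the table no
// prototype, so "constructor", "toString", "__proto__" and friends are not
// reachable by name (the null-prototype fix CVE-2026-33672 describes).
const POSIX_CLASSES = Object.assign(Object.create(null), {
  alpha: 'a-zA-Z',
  digit: '0-9',
  alnum: 'a-zA-Z0-9',
  space: ' \\t\\r\\n\\v\\f',
});

// The vulnerable shape: an ordinary object literal inherits Object.prototype.
const POSIX_CLASSES_PLAIN = { alpha: 'a-zA-Z', digit: '0-9', alnum: 'a-zA-Z0-9' };

// Maximum nesting depth of extglob groups ?( *( +( @( !( in a pattern.
function extglobDepth(pattern) {
  let depth = 0;
  let max = 0;
  for (let i = 0; i < pattern.length; i++) {
    if ('?*+@!'.includes(pattern[i]) && pattern[i + 1] === '(') {
      depth += 1;
      max = Math.max(max, depth);
      i += 1; // skip the "("
    } else if (pattern[i] === ')' && depth > 0) {
      depth -= 1;
    }
  }
  return max;
}

// Decide whether an untrusted pattern may be compiled. Returns { ok, reason }.
function vetUntrustedGlob(pattern, { maxLength = 256 } = {}) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern is not a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'pattern too long' };
  if (EXTGLOB_QUANTIFIER.test(pattern)) return { ok: false, reason: 'extglob quantifier *() or +()' };
  if (extglobDepth(pattern) > 1) return { ok: false, reason: 'nested extglob' };
  for (const m of pattern.matchAll(POSIX_CLASS)) {
    // "in" on a null-prototype object sees own keys only.
    if (!(m[1] in POSIX_CLASSES)) return { ok: false, reason: `unknown POSIX class [:${m[1]}:]` };
  }
  return { ok: true, reason: '' };
}

// Vulnerable lookup shape: an inherited function resolves and is coerced to
// its source text when spliced into a regex source string.
function posixSourceVulnerable(name) {
  const v = POSIX_CLASSES_PLAIN[name];
  return v === undefined ? null : String(v);
}

// Hardened lookup: null-prototype table plus an own-property check.
function posixSourceHardened(name) {
  return Object.prototype.hasOwnProperty.call(POSIX_CLASSES, name) ? POSIX_CLASSES[name] : null;
}

// Stand-alone demonstration.
for (const p of ['src/**/*.js', '+(a|b)*', '@(a|@(b|c))', '[[:alpha:]]*.txt', '[[:constructor:]]']) {
  console.log(JSON.stringify(p), vetUntrustedGlob(p));
}
console.log('vulnerable [[:constructor:]] ->', posixSourceVulnerable('constructor'));
console.log('hardened   [[:constructor:]] ->', posixSourceHardened('constructor'));
```

Call vetUntrustedGlob on any pattern that originates outside the code base before it reaches picomatch or fast-glob, and combine it with the "noextglob: true" option the first advisory recommends; the filter is a belt for the braces, not a substitute for upgrading to a fixed release.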

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Mar 29, 2026
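The serialize-javascript advisory quoted in the description says the patch swapped "instanceof Array" for "Array.isArray()" and moved sparse-array detection onto "Object.keys()". Below is an added example, written for this page and not taken from serialize-javascript, from this PR or from presto-ui, that shows on an attacker-shaped array-like object why that matters: the prototype-chain test accepts it and an index loop would run for its whole declared length, while the hardened path rejects it and touches only own keys. The hostile object is constructed inline, the function names are assumptions, and the vulnerable loop is capped so the example cannot hang.

```javascript
// Added example, not serialize-javascript's code: why "instanceof Array" is
// the wrong array test for untrusted input, and what Array.isArray() plus
// Object.keys() buys you. Function names are assumptions for the example.

// Attacker-shaped input (constructed): inherits from Array.prototype, owns no
// elements, declares a huge length. This is the "array-like" object the
// advisory describes.
function makeHostileArrayLike(length = 2 ** 32 - 1) {
  const o = Object.create(Array.prototype);
  o.length = length;
  return o;
}

// Vulnerable classification: the prototype chain is attacker-controllable.
function isArrayVulnerable(v) {
  return v instanceof Array;
}

// Hardened classification: only genuine Array exotic objects pass.
function isArrayHardened(v) {
  return Array.isArray(v);
}

// Vulnerable walk: an index loop bounded by the declared length, so the
// hostile object drives ~4.29e9 iterations. "cap" is added here purely so
// this example cannot hang; the return value is the iterations taken.
function plannedIterationsVulnerable(value, cap = 1e6) {
  if (!isArrayVulnerable(value)) return 0;
  let n = 0;
  for (let i = 0; i < value.length && n < cap; i++) n += 1;
  return n;
}

const literal = (v) => JSON.stringify(v) ?? 'undefined';

// Hardened serialization of an array: refuse non-arrays outright, and detect
// sparseness from own enumerable keys (cost grows with elements present,
// not with the declared length).
function serializeArrayHardened(value) {
  if (!isArrayHardened(value)) {
    throw new TypeError('refusing to treat a non-Array value as an array');
  }
  const keys = Object.keys(value); // index keys only; "length" is non-enumerable on real arrays
  if (keys.length === value.length) {
    return '[' + value.map(literal).join(',') + ']';
  }
  // Sparse: emit only the indices that exist, plus the length.
  const body = keys.map((k) => literal(k) + ':' + literal(value[k]));
  body.push('"length":' + value.length);
  return 'Array.prototype.slice.call({' + body.join(',') + '})';
}

// Stand-alone demonstration.
const hostileDemo = makeHostileArrayLike();
console.log('instanceof Array:', isArrayVulnerable(hostileDemo), ' Array.isArray:', isArrayHardened(hostileDemo));
console.log('vulnerable loop would run (capped at 1000):', plannedIterationsVulnerable(hostileDemo, 1000));
console.log(serializeArrayHardened([1, , 3]));
```

The same shape applies to any serializer or deep-copy routine that branches on "instanceof": a value reachable through Prototype Pollution or a YAML/JSON-with-prototype deserializer can carry whatever prototype the attacker wants, so the branch has to be taken on an intrinsic check such as Array.isArray, not on the chain.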
sourcery-ai bot (Contributor) commented Mar 29, 2026

Reviewer's Guide

Upgrades the presto-ui build dependency copy-webpack-plugin from 12.0.2 to 14.0.0 and refreshes the corresponding Yarn lockfile entries to address reported security vulnerabilities in transitive dependencies.

Flow diagram for dependency hierarchy before and after copy-webpack-plugin upgrade

flowchart TD
  PrestoUI["presto-ui src package.json"]

  subgraph Before_upgrade
    copywp12["copy-webpack-plugin 12.0.2"]
    fastglob_old["fast-glob 3.3.3"]
    micromatch_old["micromatch 4.0.8"]
    picomatch_vuln["picomatch 2.3.1 (vulnerable)"]
    serialize_vuln["serialize-javascript 6.0.2 (vulnerable)"]

    PrestoUI --> copywp12
    copywp12 --> fastglob_old
    fastglob_old --> micromatch_old
    micromatch_old --> picomatch_vuln
    copywp12 --> serialize_vuln
  end

  subgraph After_upgrade
    copywp14["copy-webpack-plugin 14.0.0"]
    fastglob_new["fast-glob (updated, safe)"]
    micromatch_new["micromatch (updated, safe)"]
    picomatch_safe["picomatch (fixed)"]
    serialize_safe["serialize-javascript (fixed)"]

    PrestoUI --> copywp14
    copywp14 --> fastglob_new
    fastglob_new --> micromatch_new
    micromatch_new --> picomatch_safe
    copywp14 --> serialize_safe
  end

File-Level Changes

Change: Upgrade copy-webpack-plugin to version 14.0.0 for the presto-ui build and regenerate lockfile entries.

Details:
  • Update the copy-webpack-plugin dependency version specification from ^12.0.2 to ^14.0.0 in the presto-ui package manifest.
  • Refresh yarn.lock so that resolved versions of copy-webpack-plugin and its transitive dependencies align with the new major version and include upstream security fixes.

Files: presto-ui/src/package.json, presto-ui/src/yarn.lock

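The reviewer's guide above says yarn.lock was refreshed so the resolved versions "include upstream security fixes". That is a property of the lockfile, not of package.json: a ^14.0.0 range on copy-webpack-plugin says nothing about which picomatch or serialize-javascript ends up resolved. The following is an added example, written for this page and not part of this PR or of Presto's tooling, that parses a yarn v1 lockfile and flags any picomatch or serialize-javascript entry still resolving below the fixed versions the advisories name. The sample lockfile text is constructed for the example and is not the PR's yarn.lock; the function names are assumptions.

```javascript
// Added example, not Presto tooling: parse a yarn v1 lockfile and report
// entries of the two libraries that still resolve to unpatched versions.
// The sample lockfile and the function names are constructed for this example.

// Fixed versions from the advisories on this page, one per release line.
// A version counts as patched only if a fixed release exists in its own major
// line and it is at or above it; a 1.x picomatch or a 6.x serialize-javascript
// therefore counts as unpatched, matching "versions prior to ...".
const FIX_POLICY = {
  picomatch: ['2.3.2', '3.0.2', '4.0.4'],
  'serialize-javascript': ['7.0.5'],
};

// Constructed sample in yarn v1 format (not the PR's real yarn.lock).
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"copy-webpack-plugin@^12.0.2":
  version "12.0.2"
  dependencies:
    fast-glob "^3.3.2"
    serialize-javascript "^6.0.2"

picomatch@^2.3.1:
  version "2.3.1"

"picomatch@^4.0.2", picomatch@^4.0.4:
  version "4.0.4"

serialize-javascript@^6.0.2:
  version "6.0.2"
`;

// Parse yarn v1 entries: a non-indented line ending in ":" opens an entry
// whose comma-separated selectors are "name@range"; an indented
// `version "x.y.z"` line gives the resolved version.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const selectors = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      // lastIndexOf handles scoped names such as @scope/pkg@^1.0.0.
      const name = selectors[0].slice(0, selectors[0].lastIndexOf('@'));
      current = { name, selectors, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch; a pre-release suffix is ignored for ordering.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isFixed(version, fixedVersions) {
  const major = parseVersion(version)[0];
  return fixedVersions.some((f) => parseVersion(f)[0] === major && compareVersions(version, f) >= 0);
}

// Returns the lockfile entries that resolve to unpatched versions.
function findVulnerableEntries(lockText, policy = FIX_POLICY) {
  return parseYarnLockV1(lockText)
    .filter((e) => e.version && Object.prototype.hasOwnProperty.call(policy, e.name))
    .filter((e) => !isFixed(e.version, policy[e.name]))
    .map((e) => ({ name: e.name, version: e.version, selectors: e.selectors, fixedIn: policy[e.name] }));
}

// Same check against a lockfile on disk, e.g. presto-ui/src/yarn.lock.
function findVulnerableEntriesInFile(path, policy = FIX_POLICY) {
  return findVulnerableEntries(require('fs').readFileSync(path, 'utf8'), policy);
}

console.log(findVulnerableEntries(SAMPLE_LOCK));
```

Run findVulnerableEntriesInFile('presto-ui/src/yarn.lock') on the post-upgrade tree; an empty result is the condition the guide asserts, and a non-empty one means another dependency still pins an old line and the transitive fix has not actually landed. The own-property check on the policy table is deliberate: a lockfile entry named "constructor" would otherwise resolve to Object.prototype.constructor, the same lookup mistake the picomatch advisory describes.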

prestodb-ci (Contributor) commented: @unidevel imported this issue as lakehouse/presto #27458

@unidevel unidevel marked this pull request as ready for review March 29, 2026 19:37
@unidevel unidevel requested review from a team and yhwang as code owners March 29, 2026 19:37
@prestodb-ci prestodb-ci requested review from a team, shuangli999 and sumi-mathew and removed request for a team March 29, 2026 19:37
sourcery-ai bot (Contributor) left a comment:

Hey - I've left some high level feedback:

  • Since this is a major-version bump of copy-webpack-plugin, double-check the v13/v14 migration notes to ensure existing webpack config options (patterns, hooks, cache behavior, etc.) still behave as expected in the UI build.
  • Consider pinning to an exact 14.x version instead of using a caret if you want to minimize unexpected future changes in build behavior from subsequent 14.x releases for this security-sensitive dependency.

@nishithakbhaskaran nishithakbhaskaran self-requested a review March 30, 2026 03:09
nishithakbhaskaran (Contributor) left a comment:

Thanks for the fix @unidevel.

yhwang (Member) left a comment:

/LGTM

@yhwang yhwang merged commit 650e60c into prestodb:master Mar 30, 2026
88 of 89 checks passed
bibith4 pushed a commit to bibith4/presto that referenced this pull request Apr 1, 2026