Fix minimatch ReDoS vulnerabilities via pnpm overrides#62796

Merged
pierrejeambrun merged 2 commits into apache:main from astronomer:fix/dependabot-minimatch-redos-overrides on Mar 4, 2026

Conversation

@pierrejeambrun

Member

Update pnpm overrides to patch minimatch ReDoS vulnerabilities (CVE for matchOne() combinatorial backtracking and nested extglobs) across three UI manifests:

  • airflow-core/src/airflow/ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
  • simple-auth-manager-ui: bump override from <10.2.1 to <10.2.3
  • react-plugin-template: bump override from <10.2.1 to <10.2.3

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@vincbeck

vincbeck commented Mar 3, 2026

Contributor

Closing #62743 then

@pierrejeambrun pierrejeambrun force-pushed the fix/dependabot-minimatch-redos-overrides branch from 5f104de to 94a6b8d on March 3, 2026 16:16
@pierrejeambrun pierrejeambrun force-pushed the fix/dependabot-minimatch-redos-overrides branch from 94a6b8d to 354c352 on March 3, 2026 16:31
@pierrejeambrun

Member Author

Backport PR #62805

@potiuk

potiuk commented Mar 3, 2026

Member

Conflicts?

@pierrejeambrun

Member Author

It's already backported. I'll solve conflicts tomorrow.

Update pnpm overrides to patch minimatch ReDoS vulnerabilities
(CVE for matchOne() combinatorial backtracking and nested extglobs)
across three UI manifests:
- airflow-core/src/airflow/ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
- simple-auth-manager-ui: bump override from <10.2.1 to <10.2.3
- react-plugin-template: bump override from <10.2.1 to <10.2.3

The minimatch overrides used open-ended ranges (e.g. >=3.1.4) which
allowed pnpm to resolve 3.x consumers to 10.x, breaking the API
(minimatch 10.x uses named exports, 3.x uses a default function).
Constrain to >=3.1.4 <4.0.0 and >=9.0.7 <10.0.0 respectively.
@pierrejeambrun pierrejeambrun force-pushed the fix/dependabot-minimatch-redos-overrides branch from d88a3a8 to 830f10b on March 4, 2026 09:58
@vatsrahul1001 vatsrahul1001 added the label type:misc/internal (Changelog: Misc changes that should appear in change log) on Mar 4, 2026
@pierrejeambrun pierrejeambrun merged commit 47ddbcc into apache:main Mar 4, 2026
245 of 248 checks passed
@pierrejeambrun pierrejeambrun deleted the fix/dependabot-minimatch-redos-overrides branch March 4, 2026 12:08
dominikhei pushed a commit to dominikhei/airflow that referenced this pull request Mar 11, 2026
* Fix minimatch ReDoS vulnerabilities via pnpm overrides

Update pnpm overrides to patch minimatch ReDoS vulnerabilities
(CVE for matchOne() combinatorial backtracking and nested extglobs)
across three UI manifests:
- airflow-core/src/airflow/ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
- simple-auth-manager-ui: bump override from <10.2.1 to <10.2.3
- react-plugin-template: bump override from <10.2.1 to <10.2.3

* Constrain minimatch overrides to major version ranges

The minimatch overrides used open-ended ranges (e.g. >=3.1.4) which
allowed pnpm to resolve 3.x consumers to 10.x, breaking the API
(minimatch 10.x uses named exports, 3.x uses a default function).
Constrain to >=3.1.4 <4.0.0 and >=9.0.7 <10.0.0 respectively.
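The override mechanism and the major-version caveat described in the second commit message, as an added example that is not code from the PR or from the Airflow repository. It models how a `pnpm.overrides` entry of the form `"minimatch@<selector range>": "<target range>"` rewrites an installed minimatch version, and shows that the open-ended targets let a 3.x or 9.x consumer be bumped across a major boundary while the constrained targets keep it inside its major. The selector/target syntax, the `>=10.2.3 <11.0.0` target for the 10.x line, and the list of "available" registry versions are assumptions constructed for the demo; only the version ranges come from the PR.

```javascript
// Added example, not Airflow's code: a minimal model of pnpm `overrides` applied to
// minimatch, to show why the override target must stay within the consumer's major.

// Constrained targets from the second commit; the 10.x target (>=10.2.3 <11.0.0) is assumed.
const FIXED_OVERRIDES = {
  "minimatch@<3.1.4": ">=3.1.4 <4.0.0",
  "minimatch@>=9.0.0 <9.0.7": ">=9.0.7 <10.0.0",
  "minimatch@>=10.0.0 <10.2.3": ">=10.2.3 <11.0.0",
};

// The open-ended form the second commit replaced (10.x target again assumed).
const OPEN_ENDED_OVERRIDES = {
  "minimatch@<3.1.4": ">=3.1.4",
  "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
  "minimatch@>=10.0.0 <10.2.3": ">=10.2.3",
};

// Constructed sample of versions "published in the registry" for this demo.
const AVAILABLE = ["3.0.5", "3.1.2", "3.1.4", "9.0.5", "9.0.7", "10.2.1", "10.2.3"];

// "3.1.4" -> [3, 1, 4]; rejects anything that is not a plain MAJOR.MINOR.PATCH.
function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Only the comparator forms used on this page (>=, <, plus >, <=, =), space-joined as AND.
// No ^, ~ or || handling; those would need a full semver implementation.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((cmp) => {
    const m = /^(>=|<=|>|<|=?)(\d+\.\d+\.\d+)$/.exec(cmp);
    if (!m) throw new Error(`unsupported comparator: ${cmp}`);
    const c = compareVersions(version, m[2]);
    switch (m[1]) {
      case ">=": return c >= 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case "<": return c < 0;
      default: return c === 0;
    }
  });
}

// Highest available version inside the range, as a resolver would pick; null if none.
function resolveHighest(range, available) {
  const ok = available.filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Apply the first override whose selector matches the installed version and report
// whether the replacement crosses a major boundary (for minimatch, an API break:
// 10.x exports named functions, 3.x exports a default function).
function applyOverride(installed, overrides, available) {
  for (const [selector, target] of Object.entries(overrides)) {
    const at = selector.indexOf("@");
    const name = selector.slice(0, at);
    const selectorRange = selector.slice(at + 1);
    if (name !== "minimatch" || !satisfies(installed, selectorRange)) continue;
    const resolved = resolveHighest(target, available);
    const majorChanged =
      resolved !== null && parseVersion(resolved)[0] !== parseVersion(installed)[0];
    return { installed, resolved, target, majorChanged };
  }
  // No override selector matched: the installed version stays as it is.
  return { installed, resolved: installed, target: null, majorChanged: false };
}

// Walk a constructed list of installed versions and flag any override that would
// move a consumer to a different major.
for (const installed of ["3.0.5", "9.0.5", "10.2.1", "3.1.4"]) {
  for (const [label, overrides] of [["open-ended", OPEN_ENDED_OVERRIDES], ["constrained", FIXED_OVERRIDES]]) {
    const r = applyOverride(installed, overrides, AVAILABLE);
    console.log(`${label}: ${r.installed} -> ${r.resolved}${r.majorChanged ? "  (crosses major: API break)" : ""}`);
  }
}
```

The check in `applyOverride` is the one worth keeping around when writing such overrides by hand: any override target that can resolve to a different major than the selector it replaces is a breaking change for the consumer, even though it closes the vulnerable range.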