Skip to content

chore: dependabot#164

Merged
grothem merged 2 commits intomainfrom
chore/deps
Mar 24, 2026
Merged

chore: dependabot#164
grothem merged 2 commits intomainfrom
chore/deps

Conversation

@grothem
Copy link
Copy Markdown
Contributor

@grothem grothem commented Mar 24, 2026
edited
Loading

closes AAVE-4022

@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 24, 2026

Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 69847b5.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

package-lock.json

NameVersionVulnerabilitySeverity
minimatch5.1.7minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressionshigh
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segmentshigh
Only included vulnerabilities with severity moderate or higher.

OpenSSF Scorecard

PackageVersionScoreDetails
npm/minimatch 5.1.7 🟢 6.2
Details
CheckScoreReason
Maintained🟢 1023 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Code-Review⚠️ 0Found 1/28 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • package-lock.json

@linear
Copy link
Copy Markdown

linear bot commented Mar 24, 2026

AAVE-4022 [Vanta] Remediate "High vulnerabilities identified in packages are addressed (GitHub Repo)" for npm-minimatch >= 5.0.0, < 5.1.7/CVE-2026-26996 (protocol-subgraphs)

@grothem grothem merged commit 975b22e into main Mar 24, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@foodaka foodaka foodaka approved these changes

@AGMASO AGMASO AGMASO approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@grothem @foodaka @AGMASO