
update minimatch to v10 #2306

Open
isaacs wants to merge 1 commit into actions:main from isaacs:isaacs/update-minimatch


isaacs commented Feb 19, 2026

This fixes a ReDOS and gets onto a supported version


MikeMcC399 commented Feb 20, 2026

This would partially fix issue #2305 Edit: now closed

https://github.com/actions/toolkit/blob/main/README.md#note however says:

Note

Thank you for your interest in this GitHub repo, however, right now we are not taking contributions.

Hopefully maintainers will take account of the suggestion in any case.

matherm-aboehm commented

@MikeMcC399
At the same time https://github.com/actions/toolkit/security says:

If you discover a security issue in this repo, please submit it through the GitHub Security Bug Bounty

Thanks for helping make GitHub Actions safe for everyone.

Maybe it's better to report it there to get attention?

MikeMcC399 commented

@matherm-aboehm

Maybe it's better to report it there to get attention?

That normally only applies to unpublished security issues and that is a different process. I would not expect going through that route would speed anything up.

This issue requires attention from maintainers of this repo. It's their responsibility to monitor the repo and to respond.

MikeMcC399 commented

Also, I notice that minimatch@3.1.5 is now installed, which remediates the vulnerability. So this PR is still relevant for good housekeeping purposes, however the criticality is now lower.
