chore(deps): [security] bump minimatch from 3.1.2 to 3.1.5 in /npm

Bumps minimatch from 3.1.2 to 3.1.5. This update includes a security fix.

Vulnerabilities fixed

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Summary

minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.

PoC

When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:

/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/

When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) — exponential; for M on the order of N the binomial coefficient grows roughly as 4^N, which is the figure quoted above.
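To make the mechanism concrete, the following added example (not code from minimatch or from the advisory) rebuilds the regex shape described above for an arbitrary run of `*`, times a failing match so the growth can be observed, and shows a caller-side pre-check that collapses redundant consecutive `*` before a user-supplied pattern reaches minimatch. The function names `buildStarRegex`, `timeFailingMatch`, `collapseStars` and `isSafePattern` are chosen here; the regex construction follows the advisory's description of the compiled form rather than calling minimatch itself, and the collapsing step is a caller-side mitigation, not the library's own fix.

```javascript
// Added example: reproduces the regex shape the advisory describes for a
// pattern of N consecutive '*' followed by a literal, and a caller-side
// pre-check that collapses runs of '*'.  Assumption: each '*' in a
// non-globstar segment compiles to '[^/]*?' with a leading '(?!\.)', as the
// advisory states; this does not call the minimatch library.

// Build ^(?!\.)([^/]*?){n}<literal>([^/]*?){tail}$ by string concatenation.
// `literal` is assumed to be a plain character (no regex metacharacters).
function buildStarRegex(n, literal, tail = 0) {
  const star = '[^/]*?';
  return new RegExp('^(?!\\.)' + star.repeat(n) + literal + star.repeat(tail) + '$');
}

// Time a single failing match.  The subject never contains `literal`, so the
// engine must exhaust every split of the subject across the n lazy groups
// before it can report failure.
function timeFailingMatch(n, subjectLength = 10) {
  const re = buildStarRegex(n, 'X', 3);
  const subject = 'a'.repeat(subjectLength);
  const t0 = process.hrtime.bigint();
  const matched = re.test(subject);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { n, matched, ms };
}

// Mitigation before calling minimatch: inside one path segment, '***' matches
// exactly the strings '*' matches (each extra '*' is another '[^/]*?'), so the
// extra wildcards only add backtracking.  A segment that is exactly '**' is
// left untouched because minimatch treats that segment as globstar.
function collapseStars(pattern) {
  return pattern
    .split('/')
    .map(seg => (seg === '**' ? seg : seg.replace(/\*{2,}/g, '*')))
    .join('/');
}

// Reject patterns that still carry more wildcards than a reasonable glob needs.
// `maxStars` is a policy knob chosen for this example.
function isSafePattern(pattern, maxStars = 10) {
  const collapsed = collapseStars(pattern);
  return (collapsed.match(/\*/g) || []).length <= maxStars;
}

// Demo: observe the growth on a short constructed subject.  Keep N small here;
// the advisory reports ~2 s at N=15 and an effective hang at N=34.
for (let n = 4; n <= 10; n += 2) {
  const r = timeFailingMatch(n, 10);
  console.log(`N=${r.n} stars: matched=${r.matched} in ${r.ms.toFixed(3)} ms`);
}
console.log(collapseStars('***************X***')); // -> *X*
```

Run with `node` to see the per-N timings climb. Collapsing is safe to apply before minimatch because it does not change which paths a pattern matches; it only removes the redundant groups that give the regex engine something to backtrack over. Combine it with an upper bound on the remaining wildcards (as in `isSafePattern`) when the pattern comes from an untrusted source.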

Impact

Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:

  • File search/filter UIs that accept glob patterns

... (truncated)

Patched versions: 3.1.3; 4.2.4; 5.1.7; 6.2.1; 7.4.7; 8.0.5; 9.0.6; 10.2.1
Affected versions: < 3.1.3; >= 4.0.0, < 4.2.4; >= 5.0.0, < 5.1.7; >= 6.0.0, < 6.2.1; >= 7.0.0, < 7.4.7; >= 8.0.0, < 8.0.5; >= 9.0.0, < 9.0.6; >= 10.0.0, < 10.2.1

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • @dependabot recreate will recreate this MR, rewriting all manual changes and resolving conflicts
