From 9fdb064e95d2922d045d7cfd75a810cf56b675c2 Mon Sep 17 00:00:00 2001
From: Rob De Feo
Date: Wed, 30 Jul 2025 19:57:23 +0200
Subject: [PATCH 1/5] feat: upgrade minimatch to v10.0.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Update minimatch dependency from ~3.0.3 to 10.0.3 across monorepo
- Update @types/minimatch from 3.0.5 to 6.0.0
- Fix breaking API changes: switch from default import to named import
- api-extractor: `import minimatch from 'minimatch'` → `import { minimatch } from 'minimatch'`
- webpack4-localization-plugin: same import pattern update
- Centralize version management via common-versions.json preferredVersions
- Update lock files and repo state hashes for both subspaces
Breaking change: minimatch v10 uses named exports instead of default export
---
 apps/api-extractor/package.json | 4 +-
 apps/api-extractor/src/collector/Collector.ts | 2 +-
 .../build-tests-subspace/pnpm-lock.yaml | 21 ++-
 .../build-tests-subspace/repo-state.json | 4 +-
 .../subspaces/default/common-versions.json | 6 +-
 .../config/subspaces/default/pnpm-lock.yaml | 152 +++++++++---------
 .../config/subspaces/default/repo-state.json | 2 +-
 libraries/package-extractor/package.json | 4 +-
 .../webpack4-localization-plugin/package.json | 4 +-
 .../src/WebpackConfigurationUpdater.ts | 2 +-
 10 files changed, 111 insertions(+), 90 deletions(-)
diff --git a/apps/api-extractor/package.json b/apps/api-extractor/package.json
index cfb1fe5c166..fb97bbf42be 100644
--- a/apps/api-extractor/package.json
+++ b/apps/api-extractor/package.json
@@ -45,7 +45,7 @@
 "@rushstack/terminal": "workspace:*",
 "@rushstack/ts-command-line": "workspace:*",
 "lodash": "~4.17.15",
- "minimatch": "~3.0.3",
+ "minimatch": "10.0.3",
 "resolve": "~1.22.1",
 "semver": "~7.5.4",
 "source-map": "~0.6.1",
@@ -54,7 +54,7 @@ "devDependencies": { "@rushstack/heft": "0.74.1", "@types/lodash": "4.14.116", - "@types/minimatch": "3.0.5", + "@types/minimatch": "6.0.0", "@types/resolve": "1.20.2", "@types/semver": "7.5.0", "decoupled-local-node-rig": "workspace:*", diff --git a/apps/api-extractor/src/collector/Collector.ts b/apps/api-extractor/src/collector/Collector.ts index 2f006194e6b..8f6d74320ed 100644 --- a/apps/api-extractor/src/collector/Collector.ts +++ b/apps/api-extractor/src/collector/Collector.ts @@ -11,7 +11,7 @@ import { PackageName } from '@rushstack/node-core-library'; import { ReleaseTag } from '@microsoft/api-extractor-model'; -import minimatch from 'minimatch'; +import { minimatch } from 'minimatch'; import { ExtractorMessageId } from '../api/ExtractorMessageId'; diff --git a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml index 60e913f8679..cae489e4238 100644 --- a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml +++ b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml @@ -559,6 +559,16 @@ packages: engines: {node: '>=18.18'} dev: true + /@isaacs/balanced-match@4.0.1: + resolution: {integrity: sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==} + engines: {node: 20 || >=22} + + /@isaacs/brace-expansion@5.0.0: + resolution: {integrity: sha512-ZT55BDLV0yv0RBm2czMiZ+SqCGO7AvmOM3G/w2xhVPH+te0aKgFjmBvGlL1dH+ql2tgGO3MVrbb3jCKyvpgnxA==} + engines: {node: 20 || >=22} + dependencies: + '@isaacs/balanced-match': 4.0.1 + /@istanbuljs/load-nyc-config@1.1.0: resolution: {integrity: sha512-VjeHSlIzpv/NyD3N0YuHfXOPDIixcA1q2ZV98wsMqcYlPmv2n3Yb2lYP9XMElnaFVXg5A7YLTeLu6V84uQDjmQ==} engines: {node: '>=8'} 
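Review bot: The named `minimatch` import in Collector.ts binds api-extractor to minimatch 10.0.3, whose lockfile entry added in this same patch declares `engines: {node: 20 || >=22}`, and nothing visible in the patch raises the package's own Node floor to match. The change files in patch 2/5 record the upgrade as `"type": "patch"`, so consumers on older Node lines would receive it as a routine update and may fail at install or load time. If the `engines` field of api-extractor (outside this diff) still admits older Node versions, raise it and state the requirement in the change comment, for example by appending `Requires Node 20 or >=22.`. The same point applies to the identical import change in WebpackConfigurationUpdater.ts and to package-extractor.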
@@ -4763,10 +4773,11 @@ packages: resolution: {integrity: sha512-I9jwMn07Sy/IwOj3zVkVik2JTvgpaykDZEigL6Rx6N9LbMywwUSMtxET+7lVoDLLd3O3IXwJwvuuns8UB/HeAg==} engines: {node: '>=4'} - /minimatch@3.0.8: - resolution: {integrity: sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==} + /minimatch@10.0.3: + resolution: {integrity: sha512-IPZ167aShDZZUMdRk66cyQAW3qr0WzbHkPdMYa8bzZhlHhO3jALbKdxcaak7W9FfT2rZNpQuUu4Od7ILEpXSaw==} + engines: {node: 20 || >=22} dependencies: - brace-expansion: 1.1.11 + '@isaacs/brace-expansion': 5.0.0 /minimatch@3.1.2: resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} @@ -6629,7 +6640,7 @@ packages: '@rushstack/terminal': file:../../../libraries/terminal(@types/node@20.17.19) '@rushstack/ts-command-line': file:../../../libraries/ts-command-line(@types/node@20.17.19) lodash: 4.17.21 - minimatch: 3.0.8 + minimatch: 10.0.3 resolve: 1.22.8 semver: 7.5.4 source-map: 0.6.1 @@ -7005,7 +7016,7 @@ packages: '@rushstack/ts-command-line': file:../../../libraries/ts-command-line(@types/node@20.17.19) ignore: 5.1.9 jszip: 3.8.0 - minimatch: 3.0.8 + minimatch: 10.0.3 npm-packlist: 2.1.5 semver: 7.5.4 transitivePeerDependencies: diff --git a/common/config/subspaces/build-tests-subspace/repo-state.json b/common/config/subspaces/build-tests-subspace/repo-state.json index a2028f5c44c..dc525a5fee0 100644 --- a/common/config/subspaces/build-tests-subspace/repo-state.json +++ b/common/config/subspaces/build-tests-subspace/repo-state.json 
@@ -1,6 +1,6 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "4bb96db65ecb99ad3935e230ad704251a845e134", + "pnpmShrinkwrapHash": "05243847c45ec913c83e0cb41b32a208240813a6", "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9", - "packageJsonInjectedDependenciesHash": "6988efb70a621746799ba9bb6049c05da8fa6752" + "packageJsonInjectedDependenciesHash": "2a1e82dc3cd78f0ec969c8e97399c6aaaee4b2e7" } diff --git a/common/config/subspaces/default/common-versions.json b/common/config/subspaces/default/common-versions.json index 9822255f852..2f923e84ebf 100644 --- a/common/config/subspaces/default/common-versions.json +++ b/common/config/subspaces/default/common-versions.json @@ -32,7 +32,11 @@ "typescript": "~5.8.2", // This should be the ESLint version that's used to build most of the projects in the repo. - "eslint": "~9.25.1" + "eslint": "~9.25.1", + + // Updated minimatch and its types to latest major version to resolve ReDoS vulnerability + "minimatch": "10.0.3", + "@types/minimatch": "6.0.0" }, /** diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index 44e89ad3432..b00d623a655 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -80,8 +80,8 @@ importers: specifier: ~4.17.15 version: 4.17.21 minimatch: - specifier: ~3.0.3 - version: 3.0.8 + specifier: 10.0.3 + version: 10.0.3 resolve: specifier: ~1.22.1 version: 1.22.8 @@ -102,8 +102,8 @@ importers: specifier: 4.14.116 version: 4.14.116 '@types/minimatch': - specifier: 3.0.5 - version: 3.0.5 + specifier: 6.0.0 + version: 6.0.0 '@types/resolve': specifier: 1.20.2 version: 1.20.2 @@ -3487,8 +3487,8 @@ importers: specifier: ~3.8.0 version: 3.8.0 minimatch: - specifier: ~3.0.3 - version: 3.0.8 + specifier: 10.0.3 + version: 10.0.3 npm-packlist: specifier: ~2.1.2 version: 2.1.5 
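Review bot: The comment added above the `minimatch` pin in common-versions.json says the upgrade resolves the ReDoS issue, but the default lockfile in this same patch keeps the `/minimatch@3.0.8` entry (with `brace-expansion: 1.1.11`) and moves many transitive dependents to `minimatch: 3.1.2`, so only the three direct consumers leave the 3.x line. The comment also reads like a changelog entry and names no advisory, which makes the pin hard to audit or lift later. I would reword it to state scope and source, e.g. `// Direct minimatch consumers are pinned to v10 for the brace-expansion ReDoS fix (ADVISORY-ID-PLACEHOLDER); transitive dependents still resolve 3.x.` Whether the brace-expansion release behind 3.1.2 is affected is not visible here and should be checked. Patch 4/5 drops the `@types/minimatch` pin but leaves "and its types" in this comment, so the rewording should cover that hunk as well.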
@@ -3509,8 +3509,8 @@ importers: specifier: 7.1.1 version: 7.1.1 '@types/minimatch': - specifier: 3.0.5 - version: 3.0.5 + specifier: 6.0.0 + version: 6.0.0 '@types/npm-packlist': specifier: ~1.1.1 version: 1.1.2 @@ -4625,6 +4625,40 @@ importers: specifier: workspace:* version: link:../../rigs/local-node-rig + ../../../vscode-extensions/debug-certificate-manager-vscode-extension: + dependencies: + '@rushstack/debug-certificate-manager': + specifier: workspace:* + version: link:../../libraries/debug-certificate-manager + '@rushstack/node-core-library': + specifier: workspace:* + version: link:../../libraries/node-core-library + '@rushstack/terminal': + specifier: workspace:* + version: link:../../libraries/terminal + '@rushstack/vscode-shared': + specifier: workspace:* + version: link:../vscode-shared + tslib: + specifier: ~2.3.1 + version: 2.3.1 + devDependencies: + '@rushstack/heft': + specifier: workspace:* + version: link:../../apps/heft + '@rushstack/heft-vscode-extension-rig': + specifier: workspace:* + version: link:../../rigs/heft-vscode-extension-rig + '@types/node': + specifier: 20.17.19 + version: 20.17.19 + '@types/vscode': + specifier: ^1.63.0 + version: 1.87.0 + '@types/webpack-env': + specifier: 1.18.8 + version: 1.18.8 + ../../../vscode-extensions/rush-vscode-command-webview: dependencies: '@fluentui/react': 
@@ -4744,40 +4778,6 @@ importers: specifier: ^10.1.0 version: 10.4.0 - ../../../vscode-extensions/debug-certificate-manager-vscode-extension: - dependencies: - '@rushstack/debug-certificate-manager': - specifier: workspace:* - version: link:../../libraries/debug-certificate-manager - '@rushstack/node-core-library': - specifier: workspace:* - version: link:../../libraries/node-core-library - '@rushstack/terminal': - specifier: workspace:* - version: link:../../libraries/terminal - '@rushstack/vscode-shared': - specifier: workspace:* - version: link:../vscode-shared - tslib: - specifier: ~2.3.1 - version: 2.3.1 - devDependencies: - '@rushstack/heft': - specifier: workspace:* - version: link:../../apps/heft - '@rushstack/heft-vscode-extension-rig': - specifier: workspace:* - version: link:../../rigs/heft-vscode-extension-rig - '@types/node': - specifier: 20.17.19 - version: 20.17.19 - '@types/vscode': - specifier: ^1.63.0 - version: 1.87.0 - '@types/webpack-env': - specifier: 1.18.8 - version: 1.18.8 - ../../../vscode-extensions/vscode-shared: dependencies: '@rushstack/node-core-library': @@ -5024,8 +5024,8 @@ importers: specifier: 1.4.2 version: 1.4.2 minimatch: - specifier: ~3.0.3 - version: 3.0.8 + specifier: 10.0.3 + version: 10.0.3 devDependencies: '@rushstack/heft': specifier: workspace:* @@ -5037,8 +5037,8 @@ importers: specifier: 1.1.3 version: 1.1.3 '@types/minimatch': - specifier: 3.0.5 - version: 3.0.5 + specifier: 6.0.0 + version: 6.0.0 '@types/node': specifier: 20.17.19 version: 20.17.19 @@ -8028,7 +8028,7 @@ packages: import-fresh: 3.3.0 js-yaml: 3.13.1 lodash: 4.17.21 - minimatch: 3.0.8 + minimatch: 3.1.2 strip-json-comments: 3.1.1 transitivePeerDependencies: - supports-color @@ -8045,7 +8045,7 @@ packages: ignore: 4.0.6 import-fresh: 3.3.0 js-yaml: 3.13.1 - minimatch: 3.0.8 + minimatch: 3.1.2 strip-json-comments: 3.1.1 transitivePeerDependencies: - supports-color 
@@ -9593,7 +9593,7 @@ packages: dependencies: '@humanwhocodes/object-schema': 1.2.1 debug: 4.4.0(supports-color@8.1.1) - minimatch: 3.0.8 + minimatch: 3.1.2 transitivePeerDependencies: - supports-color dev: true @@ -9605,7 +9605,7 @@ packages: dependencies: '@humanwhocodes/object-schema': 2.0.2 debug: 4.4.0(supports-color@8.1.1) - minimatch: 3.0.8 + minimatch: 3.1.2 transitivePeerDependencies: - supports-color dev: true @@ -9617,7 +9617,7 @@ packages: dependencies: '@humanwhocodes/object-schema': 1.2.1 debug: 4.4.0(supports-color@8.1.1) - minimatch: 3.0.8 + minimatch: 3.1.2 transitivePeerDependencies: - supports-color dev: true @@ -9629,7 +9629,7 @@ packages: dependencies: '@humanwhocodes/object-schema': 1.2.1 debug: 4.4.0(supports-color@8.1.1) - minimatch: 3.0.8 + minimatch: 3.1.2 transitivePeerDependencies: - supports-color dev: true @@ -9663,14 +9663,12 @@ packages: /@isaacs/balanced-match@4.0.1: resolution: {integrity: sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==} engines: {node: 20 || >=22} - dev: false /@isaacs/brace-expansion@5.0.0: resolution: {integrity: sha512-ZT55BDLV0yv0RBm2czMiZ+SqCGO7AvmOM3G/w2xhVPH+te0aKgFjmBvGlL1dH+ql2tgGO3MVrbb3jCKyvpgnxA==} engines: {node: 20 || >=22} dependencies: '@isaacs/balanced-match': 4.0.1 - dev: false /@isaacs/cliui@8.0.2: resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} @@ -13771,7 +13769,7 @@ packages: resolution: {integrity: sha512-1Bh06cbWJUHMC97acuD6UMG29nMt0Aqz1vF3guLfG+kHHJhy3AyohZFFxYk2f7Q1SQIrNwvncxAE0N/9s70F2w==} dependencies: '@types/events': 3.0.3 - '@types/minimatch': 3.0.5 + '@types/minimatch': 6.0.0 '@types/node': 17.0.41 dev: true 
@@ -13931,6 +13929,14 @@ packages: /@types/minimatch@3.0.5: resolution: {integrity: sha512-Klz949h02Gz2uZCMGwDUSDS1YBlTdDDgbWHi+81l29tQALUtvz4rAYi5uoVhE5Lagoq6DeqAUlbrHvW/mXDgdQ==} + dev: false + + /@types/minimatch@6.0.0: + resolution: {integrity: sha512-zmPitbQ8+6zNutpwgcQuLcsEpn/Cj54Kbn7L5pX0Os5kdWplB7xPgEh/g+SWOB/qmows2gpuCaPyduq8ZZRnxA==} + deprecated: This is a stub types definition. minimatch provides its own type definitions, so you do not need this installed. + dependencies: + minimatch: 10.0.3 + dev: true /@types/minimist@1.2.5: resolution: {integrity: sha512-hov8bUuiLiyFPGyFPE1lwWhmzYbirOXQNNo40+y3zow8aFVTeyn3VWL0VFFfdNddA8S4Vf0Tc062rzyNr7Paag==} @@ -15043,7 +15049,7 @@ packages: leven: 3.1.0 markdown-it: 14.1.0 mime: 1.6.0 - minimatch: 3.0.8 + minimatch: 3.1.2 parse-semver: 1.1.1 read: 1.0.7 semver: 7.5.4 @@ -19605,7 +19611,7 @@ packages: json-stable-stringify-without-jsonify: 1.0.1 levn: 0.4.1 lodash: 4.17.21 - minimatch: 3.0.8 + minimatch: 3.1.2 natural-compare: 1.4.0 optionator: 0.9.3 progress: 2.0.3 @@ -19655,7 +19661,7 @@ packages: json-stable-stringify-without-jsonify: 1.0.1 levn: 0.4.1 lodash.merge: 4.6.2 - minimatch: 3.0.8 + minimatch: 3.1.2 natural-compare: 1.4.0 optionator: 0.9.3 progress: 2.0.3 @@ -19701,7 +19707,7 @@ packages: json-stable-stringify-without-jsonify: 1.0.1 levn: 0.4.1 lodash: 4.17.21 - minimatch: 3.0.8 + minimatch: 3.1.2 natural-compare: 1.4.0 optionator: 0.9.3 progress: 2.0.3 @@ -19845,7 +19851,7 @@ packages: json-stable-stringify-without-jsonify: 1.0.1 levn: 0.4.1 lodash.merge: 4.6.2 - minimatch: 3.0.8 + minimatch: 3.1.2 natural-compare: 1.4.0 optionator: 0.9.3 progress: 2.0.3 @@ -20634,7 +20640,7 @@ packages: '@babel/code-frame': 7.23.5 chalk: 2.4.2 micromatch: 3.1.10 - minimatch: 3.0.8 + minimatch: 3.1.2 semver: 5.7.2 tapable: 1.1.3 worker-rpc: 0.1.1 @@ -20664,7 +20670,7 @@ packages: fs-extra: 9.1.0 glob: 7.2.3 memfs: 3.4.3 - minimatch: 3.0.8 + minimatch: 3.1.2 schema-utils: 2.7.0 semver: 7.5.4 tapable: 1.1.3 
@@ -21072,7 +21078,7 @@ packages: fs.realpath: 1.0.0 inflight: 1.0.6 inherits: 2.0.4 - minimatch: 3.0.8 + minimatch: 3.1.2 once: 1.4.0 path-is-absolute: 1.0.1 dev: true @@ -21808,7 +21814,7 @@ packages: /ignore-walk@3.0.4: resolution: {integrity: sha512-PY6Ii8o1jMRA1z4F2hRkH/xN59ox43DavKvD3oDpfurRlOJyAHpifIwpbdv1n4jt4ov0jSpw3kQ4GhJnpBL6WQ==} dependencies: - minimatch: 3.0.8 + minimatch: 3.1.2 dev: false /ignore@4.0.6: @@ -24339,12 +24345,12 @@ packages: engines: {node: 20 || >=22} dependencies: '@isaacs/brace-expansion': 5.0.0 - dev: false /minimatch@3.0.8: resolution: {integrity: sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==} dependencies: brace-expansion: 1.1.11 + dev: false /minimatch@3.1.2: resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} @@ -24572,7 +24578,7 @@ packages: array-differ: 3.0.0 array-union: 2.1.0 arrify: 2.0.1 - minimatch: 3.0.8 + minimatch: 3.1.2 dev: false /mute-stream@0.0.8: @@ -24683,7 +24689,7 @@ packages: resolution: {integrity: sha512-tmPX422rYgofd4epzrNoOXiE8XFZYOcCq1vD7MAXCDO+O+zndlA2ztdKKMa+EeuBG5tHETpr4ml4RGgpqDCCAg==} engines: {node: '>= 0.10.5'} dependencies: - minimatch: 3.0.8 + minimatch: 3.1.2 dev: true /node-emoji@1.11.0: @@ -24832,7 +24838,7 @@ packages: is-ci: 2.0.0 lodash: 4.17.21 meow: 9.0.0 - minimatch: 3.0.8 + minimatch: 3.1.2 node-emoji: 1.11.0 ora: 5.4.1 package-json: 7.0.0 @@ -29010,7 +29016,7 @@ packages: dependencies: '@istanbuljs/schema': 0.1.3 glob: 7.2.3 - minimatch: 3.0.8 + minimatch: 3.1.2 /text-table@0.2.0: resolution: {integrity: sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==} @@ -29292,7 +29298,7 @@ packages: diff: 4.0.2 glob: 7.2.3 js-yaml: 3.13.1 - minimatch: 3.0.8 + minimatch: 3.1.2 mkdirp: 0.5.6 resolve: 1.22.8 semver: 5.7.2 
@@ -29315,7 +29321,7 @@ packages: diff: 4.0.2 glob: 7.2.3 js-yaml: 3.13.1 - minimatch: 3.0.8 + minimatch: 3.1.2 mkdirp: 0.5.6 resolve: 1.22.8 semver: 5.7.2 @@ -29338,7 +29344,7 @@ packages: diff: 4.0.2 glob: 7.2.3 js-yaml: 3.13.1 - minimatch: 3.0.8 + minimatch: 3.1.2 mkdirp: 0.5.6 resolve: 1.22.8 semver: 5.7.2 @@ -29361,7 +29367,7 @@ packages: diff: 4.0.2 glob: 7.2.3 js-yaml: 3.13.1 - minimatch: 3.0.8 + minimatch: 3.1.2 mkdirp: 0.5.6 resolve: 1.22.8 semver: 5.7.2 diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index a37beb284e1..453c4598e65 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json @@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "f6bf795f5f2473bc7e2559a2b38a80fec71aaa39", + "pnpmShrinkwrapHash": "eee46b88b1983b92927ea82ac34e23f1f19dd7b1", "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9" } diff --git a/libraries/package-extractor/package.json b/libraries/package-extractor/package.json index 54819c5637b..b6fa8e62c12 100644 --- a/libraries/package-extractor/package.json +++ b/libraries/package-extractor/package.json @@ -23,7 +23,7 @@ "@rushstack/ts-command-line": "workspace:*", "ignore": "~5.1.6", "jszip": "~3.8.0", - "minimatch": "~3.0.3", + "minimatch": "10.0.3", "npm-packlist": "~2.1.2", "semver": "~7.5.4" }, @@ -33,7 +33,7 @@ "@rushstack/heft": "workspace:*", "@rushstack/webpack-preserve-dynamic-require-plugin": "workspace:*", "@types/glob": "7.1.1", - "@types/minimatch": "3.0.5", + "@types/minimatch": "6.0.0", "@types/npm-packlist": "~1.1.1", "eslint": "~9.25.1", "webpack": "~5.98.0", diff --git a/webpack/webpack4-localization-plugin/package.json b/webpack/webpack4-localization-plugin/package.json index f88881c77f5..c3c05361cda 100644 --- a/webpack/webpack4-localization-plugin/package.json 
+++ b/webpack/webpack4-localization-plugin/package.json
@@ -37,13 +37,13 @@
 "@rushstack/terminal": "workspace:*",
 "@types/tapable": "1.0.6",
 "loader-utils": "1.4.2",
- "minimatch": "~3.0.3"
+ "minimatch": "10.0.3"
 },
 "devDependencies": {
 "@rushstack/heft": "workspace:*",
 "@rushstack/set-webpack-public-path-plugin": "^4.1.16",
 "@types/loader-utils": "1.1.3",
- "@types/minimatch": "3.0.5",
+ "@types/minimatch": "6.0.0",
 "@types/node": "20.17.19",
 "@types/webpack": "4.41.32",
 "eslint": "~9.25.1",
diff --git a/webpack/webpack4-localization-plugin/src/WebpackConfigurationUpdater.ts b/webpack/webpack4-localization-plugin/src/WebpackConfigurationUpdater.ts
index ef08062ece4..02f27a2546e 100644
--- a/webpack/webpack4-localization-plugin/src/WebpackConfigurationUpdater.ts
+++ b/webpack/webpack4-localization-plugin/src/WebpackConfigurationUpdater.ts
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
 // See LICENSE in the project root for license information.
-import minimatch from 'minimatch';
+import { minimatch } from 'minimatch';
 import * as path from 'path';
 import type * as Webpack from 'webpack';
 import type * as SetPublicPathPluginPackageType from '@rushstack/set-webpack-public-path-plugin';
From f16d9d3dc4c5b02617df7f5d56dee755cc324956 Mon Sep 17 00:00:00 2001
From: Rob De Feo
Date: Wed, 30 Jul 2025 20:12:50 +0200
Subject: [PATCH 2/5] add change log
---
 .../upgrade-minimatch-to-v10_2025-07-30-18-10.json | 10 ++++++++++
 .../upgrade-minimatch-to-v10_2025-07-30-18-10.json | 10 ++++++++++
 .../upgrade-minimatch-to-v10_2025-07-30-18-10.json | 10 ++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 common/changes/@microsoft/api-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json
 create mode 100644 common/changes/@rushstack/package-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json
 create mode 100644 common/changes/@rushstack/webpack4-localization-plugin/upgrade-minimatch-to-v10_2025-07-30-18-10.json
diff --git a/common/changes/@microsoft/api-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json b/common/changes/@microsoft/api-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json
new file mode 100644
index 00000000000..ccaff4932b5
--- /dev/null
+++ b/common/changes/@microsoft/api-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json
@@ -0,0 +1,10 @@
+{
+ "changes": [
+ {
+ "packageName": "@microsoft/api-extractor",
+ "comment": "Upgrades the minimatch dependency from ~3.0.3 to 10.0.3 across the entire Rush monorepo to address a Regular Expression Denial of Service (ReDoS) vulnerability in the underlying brace-expansion dependency.",
+ "type": "patch"
+ }
+ ],
+ "packageName": "@microsoft/api-extractor"
+}
\ No newline at end of file
diff --git a/common/changes/@rushstack/package-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json b/common/changes/@rushstack/package-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json
new file mode 100644
index 00000000000..87c0ef43b66
--- /dev/null
+++ b/common/changes/@rushstack/package-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json
@@ -0,0 +1,10 @@
+{
+ "changes": [
+ {
+ "packageName": "@rushstack/package-extractor",
+ "comment": "Upgrades the minimatch dependency from ~3.0.3 to 10.0.3 across the entire Rush monorepo to address a Regular Expression Denial of Service (ReDoS) vulnerability in the underlying brace-expansion dependency.",
+ "type": "patch"
+ }
+ ],
+ "packageName": "@rushstack/package-extractor"
+}
\ No newline at end of file
diff --git a/common/changes/@rushstack/webpack4-localization-plugin/upgrade-minimatch-to-v10_2025-07-30-18-10.json b/common/changes/@rushstack/webpack4-localization-plugin/upgrade-minimatch-to-v10_2025-07-30-18-10.json
new file mode 100644
index 00000000000..e80510463c2
--- /dev/null
+++ b/common/changes/@rushstack/webpack4-localization-plugin/upgrade-minimatch-to-v10_2025-07-30-18-10.json
@@ -0,0 +1,10 @@
+{
+ "changes": [
+ {
+ "packageName": "@rushstack/webpack4-localization-plugin",
+ "comment": "Upgrades the minimatch dependency from ~3.0.3 to 10.0.3 across the entire Rush monorepo to address a Regular Expression Denial of Service (ReDoS) vulnerability in the underlying brace-expansion dependency.",
+ "type": "patch"
+ }
+ ],
+ "packageName": "@rushstack/webpack4-localization-plugin"
+}
\ No newline at end of file
From 1f9feab1f89a3c25ca52cde637fb78d8adfa66dd Mon Sep 17 00:00:00 2001
From: Rob De Feo
Date: Wed, 30 Jul 2025 20:14:38 +0200
Subject: [PATCH 3/5] update lock file
---
 common/config/subspaces/default/repo-state.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json
index 453c4598e65..692359b3ac4 100644
--- a/common/config/subspaces/default/repo-state.json
+++ b/common/config/subspaces/default/repo-state.json
@@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { "pnpmShrinkwrapHash": "eee46b88b1983b92927ea82ac34e23f1f19dd7b1", - "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9" + "preferredVersionsHash": "ae61410a47f0adb5f4899e4f8b15b69161958030" } From 4e8e28041f9472458dd9eec0937207c5f780669a Mon Sep 17 00:00:00 2001 From: Rob De Feo Date: Thu, 31 Jul 2025 08:14:55 +0200 Subject: [PATCH 4/5] chore: remove @types/minimatch --- apps/api-extractor/package.json | 1 - .../subspaces/build-tests-subspace/repo-state.json | 2 +- common/config/subspaces/default/common-versions.json | 3 +-- common/config/subspaces/default/pnpm-lock.yaml | 9 --------- common/config/subspaces/default/repo-state.json | 2 +- libraries/package-extractor/package.json | 1 - webpack/webpack4-localization-plugin/package.json | 1 - 7 files changed, 3 insertions(+), 16 deletions(-) diff --git a/apps/api-extractor/package.json b/apps/api-extractor/package.json index fb97bbf42be..841655ca126 100644 --- a/apps/api-extractor/package.json +++ b/apps/api-extractor/package.json @@ -54,7 +54,6 @@ "devDependencies": { "@rushstack/heft": "0.74.1", "@types/lodash": "4.14.116", - "@types/minimatch": "6.0.0", "@types/resolve": "1.20.2", "@types/semver": "7.5.0", "decoupled-local-node-rig": "workspace:*", diff --git a/common/config/subspaces/build-tests-subspace/repo-state.json b/common/config/subspaces/build-tests-subspace/repo-state.json index dc525a5fee0..08dd2f9028c 100644 --- a/common/config/subspaces/build-tests-subspace/repo-state.json +++ b/common/config/subspaces/build-tests-subspace/repo-state.json @@ -2,5 +2,5 @@ { "pnpmShrinkwrapHash": "05243847c45ec913c83e0cb41b32a208240813a6", "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9", - "packageJsonInjectedDependenciesHash": "2a1e82dc3cd78f0ec969c8e97399c6aaaee4b2e7" + "packageJsonInjectedDependenciesHash": "d69fad25449ad576c80f4959f15d9b087083c579" } 
diff --git a/common/config/subspaces/default/common-versions.json b/common/config/subspaces/default/common-versions.json index 2f923e84ebf..bdf76be499b 100644 --- a/common/config/subspaces/default/common-versions.json +++ b/common/config/subspaces/default/common-versions.json @@ -35,8 +35,7 @@ "eslint": "~9.25.1", // Updated minimatch and its types to latest major version to resolve ReDoS vulnerability - "minimatch": "10.0.3", - "@types/minimatch": "6.0.0" + "minimatch": "10.0.3" }, /** diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index b00d623a655..9617e9ff750 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -101,9 +101,6 @@ importers: '@types/lodash': specifier: 4.14.116 version: 4.14.116 - '@types/minimatch': - specifier: 6.0.0 - version: 6.0.0 '@types/resolve': specifier: 1.20.2 version: 1.20.2 @@ -3508,9 +3505,6 @@ importers: '@types/glob': specifier: 7.1.1 version: 7.1.1 - '@types/minimatch': - specifier: 6.0.0 - version: 6.0.0 '@types/npm-packlist': specifier: ~1.1.1 version: 1.1.2 @@ -5036,9 +5030,6 @@ importers: '@types/loader-utils': specifier: 1.1.3 version: 1.1.3 - '@types/minimatch': - specifier: 6.0.0 - version: 6.0.0 '@types/node': specifier: 20.17.19 version: 20.17.19 diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index 692359b3ac4..2a2b4c85472 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json @@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { "pnpmShrinkwrapHash": "eee46b88b1983b92927ea82ac34e23f1f19dd7b1", - "preferredVersionsHash": "ae61410a47f0adb5f4899e4f8b15b69161958030" + "preferredVersionsHash": "61cd419c533464b580f653eb5f5a7e27fe7055ca" } 
diff --git a/libraries/package-extractor/package.json b/libraries/package-extractor/package.json
index b6fa8e62c12..663760b75d2 100644
--- a/libraries/package-extractor/package.json
+++ b/libraries/package-extractor/package.json
@@ -33,7 +33,6 @@
 "@rushstack/heft": "workspace:*",
 "@rushstack/webpack-preserve-dynamic-require-plugin": "workspace:*",
 "@types/glob": "7.1.1",
- "@types/minimatch": "6.0.0",
 "@types/npm-packlist": "~1.1.1",
 "eslint": "~9.25.1",
 "webpack": "~5.98.0",
diff --git a/webpack/webpack4-localization-plugin/package.json b/webpack/webpack4-localization-plugin/package.json
index c3c05361cda..ff15ec208fd 100644
--- a/webpack/webpack4-localization-plugin/package.json
+++ b/webpack/webpack4-localization-plugin/package.json
@@ -43,7 +43,6 @@
 "@rushstack/heft": "workspace:*",
 "@rushstack/set-webpack-public-path-plugin": "^4.1.16",
 "@types/loader-utils": "1.1.3",
- "@types/minimatch": "6.0.0",
 "@types/node": "20.17.19",
 "@types/webpack": "4.41.32",
 "eslint": "~9.25.1",
From ce9981070ed3be68520e58b041de9ed5209c542a Mon Sep 17 00:00:00 2001
From: Rob De Feo
Date: Thu, 31 Jul 2025 08:36:40 +0200
Subject: [PATCH 5/5] fix: update IMinimatch interface to Minimatch class in package-extractor
- minimatch v10 renamed IMinimatch interface to Minimatch class
- Update type annotations to use the new class name
---
 libraries/package-extractor/src/PackageExtractor.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libraries/package-extractor/src/PackageExtractor.ts b/libraries/package-extractor/src/PackageExtractor.ts
index e79ff048b8f..666c4515bfc 100644
--- a/libraries/package-extractor/src/PackageExtractor.ts
+++ b/libraries/package-extractor/src/PackageExtractor.ts
@@ -2,7 +2,7 @@
 // See LICENSE in the project root for license information.
 import * as path from 'path';
-import { type IMinimatch, Minimatch } from 'minimatch';
+import { Minimatch } from 'minimatch';
 import semver from 'semver';
 import npmPacklist from 'npm-packlist';
 import ignore, { type Ignore } from 'ignore';
@@ -723,8 +723,8 @@ export class PackageExtractor {
 patternsToInclude: string[] | undefined,
 patternsToExclude: string[] | undefined
 ): boolean => {
- let includeFilters: IMinimatch[] | undefined;
- let excludeFilters: IMinimatch[] | undefined;
+ let includeFilters: Minimatch[] | undefined;
+ let excludeFilters: Minimatch[] | undefined;
 if (patternsToInclude?.length) {
 includeFilters = patternsToInclude?.map((p) => new Minimatch(p, { dot: true }));
 }
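Review bot: The include filters in the second PackageExtractor.ts hunk are still built as `new Minimatch(p, { dot: true })`, so the v3-to-v10 jump changes how caller-supplied `patternsToInclude` and `patternsToExclude` strings are parsed, with no option or test pinning the previous behaviour. As far as I know, v3 rewrote `\` to `/` in patterns on Windows, whereas v10 treats `\` as an escape character unless `windowsPathsNoEscape` is set; this is worth confirming, because an exclude glob that silently stops matching would let files into the extracted package that were meant to stay out. If backslash-separated patterns must keep working, consider `new Minimatch(p, { dot: true, windowsPathsNoEscape: true })`, otherwise document that patterns must use forward slashes, and add a regression test with a pattern containing a backslash. How the filters are applied to paths is outside the hunk, and the enclosing arrow function starts and ends outside it as well.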