[PR #257] [MERGED] fix: bump minimatch to resolve CVE-2026-26996 #304

Closed
opened 2026-06-05 17:22:35 -04:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/langchain-ai/deepagentsjs/pull/257
Author: @jkennedyvz
Created: 2/27/2026
Status: Merged
Merged: 2/28/2026
Merged by: @jkennedyvz

Base: mainHead: fix/cve-2026-26996-minimatch


📝 Commits (2)

  • 957209b fix: bump minimatch to resolve CVE-2026-26996
  • bd93f76 fix: minimize lockfile churn, patch all vulnerable minimatch ranges

📊 Changes

2 files changed (+31 additions, -36 deletions)

View changed files

📝 package.json (+8 -2)
📝 pnpm-lock.yaml (+23 -34)

📄 Description

Summary

  • Resolves 3 Dependabot alerts for CVE-2026-26996 (HIGH severity) affecting minimatch
  • Added pnpm.overrides in package.json to force safe minimatch versions (>=9.0.6 for v9, >=10.2.1 for v10)
  • Regenerated pnpm-lock.yaml — resolved versions are now minimatch@3.1.5 and minimatch@10.2.4, both above the fix thresholds

Vulnerable ranges patched

Range Fix version Resolved
<3.1.3 >=3.1.3 3.1.5
>=9.0.0, <9.0.6 >=9.0.6 (eliminated, resolved to 10.x)
>=10.0.0, <10.2.1 >=10.2.1 10.2.4

Test plan

  • Verify Dependabot alerts for CVE-2026-26996 are resolved after merge
  • Confirm pnpm install succeeds cleanly
  • Run pnpm test to ensure no regressions from the dependency bump

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/langchain-ai/deepagentsjs/pull/257 **Author:** [@jkennedyvz](https://github.com/jkennedyvz) **Created:** 2/27/2026 **Status:** ✅ Merged **Merged:** 2/28/2026 **Merged by:** [@jkennedyvz](https://github.com/jkennedyvz) **Base:** `main` ← **Head:** `fix/cve-2026-26996-minimatch` --- ### 📝 Commits (2) - [`957209b`](https://github.com/langchain-ai/deepagentsjs/commit/957209b9553e2f31a314c5d829c2aa57cb0332db) fix: bump minimatch to resolve CVE-2026-26996 - [`bd93f76`](https://github.com/langchain-ai/deepagentsjs/commit/bd93f768c35e819c19e7c6dcfeb398d371bc6615) fix: minimize lockfile churn, patch all vulnerable minimatch ranges ### 📊 Changes **2 files changed** (+31 additions, -36 deletions) <details> <summary>View changed files</summary> 📝 `package.json` (+8 -2) 📝 `pnpm-lock.yaml` (+23 -34) </details> ### 📄 Description ## Summary - Resolves 3 Dependabot alerts for CVE-2026-26996 (HIGH severity) affecting `minimatch` - Added `pnpm.overrides` in `package.json` to force safe minimatch versions (`>=9.0.6` for v9, `>=10.2.1` for v10) - Regenerated `pnpm-lock.yaml` — resolved versions are now `minimatch@3.1.5` and `minimatch@10.2.4`, both above the fix thresholds ## Vulnerable ranges patched | Range | Fix version | Resolved | |---|---|---| | `<3.1.3` | `>=3.1.3` | `3.1.5` | | `>=9.0.0, <9.0.6` | `>=9.0.6` | (eliminated, resolved to 10.x) | | `>=10.0.0, <10.2.1` | `>=10.2.1` | `10.2.4` | ## Test plan - [x] Verify Dependabot alerts for CVE-2026-26996 are resolved after merge - [x] Confirm `pnpm install` succeeds cleanly - [x] Run `pnpm test` to ensure no regressions from the dependency bump 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-06-05 17:22:35 -04:00
yindo closed this issue 2026-06-05 17:22:35 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: langchain-ai/deepagentsjs#304