Closed
Labels
Type: Bug (Something isn't working)
Description
Describe the bug
OpenAPI core depends on a vulnerable version of minimatch: GHSA-3ppc-4f35-3m26
├─ minimatch
│ ├─ ID: 1113461
│ ├─ Issue: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
│ ├─ URL: https://github.com/advisories/GHSA-3ppc-4f35-3m26
│ ├─ Severity: high
│ ├─ Vulnerable Versions: >=5.0.0 <5.1.7
│ │
│ ├─ Tree Versions
│ │ └─ 5.1.6
│ │
│ └─ Dependents
│ └─ @redocly/openapi-core@npm:1.34.8
To Reproduce
Expected behavior
Logs
OpenAPI description
Redocly version(s)
Node.js version(s)
OS, environment
Additional context
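Added example (not part of the original issue and not Redocly's code): a check for the vulnerable range the audit output lists, `>=5.0.0 <5.1.7`, run over the `packages` map of an npm `package-lock.json`. The lockfile format, the constructed `sampleLock` and all function names are assumptions for illustration; the report above comes from Yarn, whose lockfile layout differs.

```javascript
// Range and package name are taken from the audit output in the issue.
const VULN = { name: "minimatch", min: [5, 0, 0], below: [5, 1, 7] };

// Parse "5.1.6" -> [5, 1, 6]. Anything that is not plain x.y.z (for example a
// pre-release tag) returns null and is treated as "not matched" by this check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, VULN.min) >= 0 && cmp(v, VULN.below) < 0;
}

// Lockfile keys look like "node_modules/a/node_modules/minimatch"; the last
// segment is the package name, the one before it is the package it is nested under.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/");
    if (parts[parts.length - 1] !== VULN.name || !isVulnerable(meta.version)) continue;
    const nestedUnder =
      parts.length > 2 ? parts[parts.length - 2].replace(/\/$/, "") : "(hoisted)";
    hits.push({ path, version: meta.version, nestedUnder });
  }
  return hits;
}

// Constructed sample lockfile (not from the issue); 5.1.7 is outside the listed range.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redocly/openapi-core": { version: "1.34.8" },
    "node_modules/@redocly/openapi-core/node_modules/minimatch": { version: "5.1.6" },
    "node_modules/minimatch": { version: "5.1.7" },
  },
};
console.log(findVulnerable(sampleLock));
```

A hoisted copy is reported as `(hoisted)` because the lockfile path alone does not say which package requested it.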