🏥 CI FailureDependency Vulnerability Audit fails: high-severity minimatch ReDoS in main package #1074
Closed as not planned
Summary
The "Audit Main Package" job in the Dependency Vulnerability Audit workflow failed on commit 68148f59eb89d99974b0781777fba0c368be4156 due to a high-severity vulnerability in minimatch.
Note: The "Audit Docs Site Package" job also failed in the same run due to a high-severity rollup vulnerability; that one is already tracked separately.
Failed Step
Step 8: Run npm audit (fail on high/critical)
npm audit --audit-level=high
Vulnerabilities Found
🔴 HIGH — minimatch ReDoS (main package)
- Package: `minimatch` 10.0.0 – 10.2.2
- Advisories:
  - GHSA-7r86-cg39-jmmj — `matchOne()` combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
  - GHSA-23c5-xmqv-rm74 — nested `*()` extglobs generate catastrophically backtracking regular expressions
- Fix: `npm audit fix`
🟡 MODERATE — ajv ReDoS (main package)
- Package: `ajv` <6.14.0 || >=7.0.0-alpha.0 <8.18.0
- Advisory: GHSA-2g4f-4pwh-qvx6 — ReDoS when using the `$data` option
- Affects: `node_modules/ajv`, `node_modules/@commitlint/config-validator/node_modules/ajv`
- Fix: `npm audit fix`
Root Cause
The installed `minimatch` falls inside the 10.0.0–10.2.2 range covered by the two advisories above. AWF does not depend on `minimatch` directly; it most likely arrives as a transitive dependency, so `npm audit fix` should be able to move it to a patched release (10.2.3 or later) without any source change. The `ajv` finding is only moderate and would not by itself fail a job gated at `--audit-level=high`, but it is in the same lockfile and should be fixed in the same pass.
Recommended Actions
- Run `npm audit fix` in the root package to update `minimatch` and `ajv`
- Verify with `npm audit --audit-level=high` that no high/critical issues remain
- Commit the updated `package-lock.json`

Caveat: `npm audit fix` can only bump a transitive package within the semver range its dependents allow. If `minimatch` is still reported in the vulnerable range afterwards, run `npm ls minimatch` to see which package pins it, and either update that package or add an `overrides` entry for `minimatch` in `package.json` to force the patched version.
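To make the gate behind the failed step concrete, the following is an added example (not CI Doctor's code and not part of the gh-aw-firewall repository) that applies the same severity threshold `npm audit --audit-level=high` uses, but to the JSON form of the report (`npm audit --json`). The report embedded below is constructed by hand in the shape npm 7+ emits; the package names, version ranges and advisory IDs are taken from this issue, while titles are abbreviated and the `nodes`/`fixAvailable` values are assumed. It shows why the job fails on `minimatch` alone and would pass at `--audit-level=critical`, and flags packages whose only fix is a breaking one, which is the case where an `overrides` entry is needed.

```javascript
// Added example: re-implements the severity gate of `npm audit --audit-level=<level>`
// over `npm audit --json` output. Not the project's code; the sample report is constructed.

// npm's severity ordering; --audit-level=<level> fails on this level and above.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the shape of `npm audit --json` (npm >= 7).
// Names, ranges and advisory IDs come from the issue; nodes/fixAvailable are assumed.
const SAMPLE_REPORT = {
  vulnerabilities: {
    minimatch: {
      name: 'minimatch',
      severity: 'high',
      isDirect: false,
      via: [
        { title: 'matchOne() combinatorial backtracking via non-adjacent GLOBSTAR segments',
          url: 'https://github.com/advisories/GHSA-7r86-cg39-jmmj', severity: 'high',
          range: '10.0.0 - 10.2.2' },
        { title: 'nested *() extglobs generate catastrophically backtracking regexes',
          url: 'https://github.com/advisories/GHSA-23c5-xmqv-rm74', severity: 'high',
          range: '10.0.0 - 10.2.2' },
      ],
      range: '10.0.0 - 10.2.2',
      nodes: ['node_modules/minimatch'],
      fixAvailable: true,
    },
    ajv: {
      name: 'ajv',
      severity: 'moderate',
      isDirect: false,
      via: [
        { title: 'ReDoS when using $data option',
          url: 'https://github.com/advisories/GHSA-2g4f-4pwh-qvx6', severity: 'moderate',
          range: '<6.14.0 || >=7.0.0-alpha.0 <8.18.0' },
      ],
      range: '<6.14.0 || >=7.0.0-alpha.0 <8.18.0',
      nodes: ['node_modules/ajv', 'node_modules/@commitlint/config-validator/node_modules/ajv'],
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 } },
};

// Returns { passes, failing }: every package whose severity meets or exceeds `level`,
// with its advisory IDs, install paths and whether npm offers a non-breaking fix.
// Entries in `via` that are plain strings point at another vulnerable package
// (a transitive cause) rather than at an advisory, so they are skipped here.
function auditGate(report, level = 'high') {
  const threshold = SEVERITY_RANK[level];
  if (threshold === undefined) throw new Error(`unknown audit level: ${level}`);
  const failing = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? -1) < threshold) continue;
    const advisories = vuln.via
      .filter((v) => typeof v === 'object' && v !== null)
      .map((v) => v.url.split('/').pop());
    failing.push({
      name: vuln.name,
      severity: vuln.severity,
      range: vuln.range,
      advisories,
      paths: vuln.nodes,
      // npm sets fixAvailable to true, false, or an object describing a
      // semver-major (breaking) fix; only `true` means `npm audit fix` is enough.
      fixAvailable: vuln.fixAvailable === true,
    });
  }
  return { passes: failing.length === 0, failing };
}

// Prints the gate result the way a CI step would and returns the exit status
// a wrapper should use (0 = pass, 1 = fail).
function main(level) {
  const result = auditGate(SAMPLE_REPORT, level);
  for (const f of result.failing) {
    console.log(`${f.severity.toUpperCase()} ${f.name} ${f.range} [${f.advisories.join(', ')}]`);
    for (const p of f.paths) console.log(`  at ${p}`);
    if (!f.fixAvailable) console.log('  no non-breaking fix: consider an "overrides" entry in package.json');
  }
  console.log(result.passes ? 'audit gate: PASS' : 'audit gate: FAIL');
  return result.passes ? 0 : 1;
}

if (typeof require !== 'undefined' && require.main === module) {
  main(process.argv[2] || 'high');
}
```

Run it as `node audit-gate.js` (defaults to `high`) or `node audit-gate.js critical`; with the constructed report the first fails on `minimatch` only and the second passes, matching the behaviour of the workflow's `--audit-level=high` step.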
Related
- Docs-site rollup vulnerability tracked separately (see existing open issues)
- Workflow: `dependency-audit.yml`
- Run: https://github.com/github/gh-aw-firewall/actions/runs/22467317369
Generated by CI Doctor