🏥 CI Failure: Dependency Vulnerability Audit fails: high-severity minimatch ReDoS in main package #1100
Description
Summary
The "Audit Main Package" job in the Dependency Vulnerability Audit workflow failed on commit c15f7ec9590641921f34229d4afbe4db534b537a.
This is a recurrence of the same issue previously tracked in #1074 (closed as "not_planned").
Failed Step
Step 8: Run npm audit (fail on high/critical)
npm audit --audit-level=high
Vulnerabilities Found
🔴 High Severity — minimatch (10.0.0 - 10.2.2)
Two ReDoS vulnerabilities:
- GHSA-7r86-cg39-jmmj: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
- GHSA-23c5-xmqv-rm74: Nested *() extglobs generate catastrophically backtracking regular expressions
Fix available via npm audit fix.
🟡 Moderate Severity — ajv (<6.14.0 || >=7.0.0-alpha.0 <8.18.0)
- GHSA-2g4f-4pwh-qvx6: ReDoS when using the $data option
- Found in: node_modules/@commitlint/config-validator/node_modules/ajv, node_modules/ajv
Note: ajv is moderate severity and does not cause the audit to fail (threshold is high/critical), but is worth tracking.
Root Cause
The minimatch package in the main package's dependency tree currently resolves to a version in the range 10.0.0–10.2.2, which carries two high-severity ReDoS vulnerabilities. Because the audit step runs with --audit-level=high, any high or critical finding makes the job exit with code 1.
The recent commit c15f7ec fixed the rollup vulnerability in docs-site, but the main package minimatch issue remains unresolved.
Recommended Actions
- Run npm audit fix in the root package to update minimatch to a patched version
- Verify the fix doesn't introduce breaking changes
- Commit the updated package-lock.json

cd /path/to/gh-aw-firewall
npm audit fix
npm test # verify nothing broken
git add package-lock.json
git commit -m "fix(deps): resolve high-severity minimatch ReDoS vulnerability"

🏥 Automatically investigated by CI Doctor
Generated by CI Doctor