picomatch 4.0.3 CVE-2026-33671

[huakaibird]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

picomatch 4.0.3 has CVE CVE-2026-33671
https://nvd.nist.gov/vuln/detail/CVE-2026-33671

Expected Behavior

No response

Steps To Reproduce

Environment

• npm: 11.12.1

[aliceshi-aaaaaokkk]

When can it be resolved?

[vdahmane]

Hello,
Do you have an ETA for this CVE remediation please?
Thanks in advance
Best regards !

[nitinsj]

We reproduced this in a containerized runtime path and wanted to add details that may help prioritize remediation.

Environment:

• node:22-bookworm-slim
• Node v22.22.2
• npm 10.9.7
• bundled npm dependency path: /usr/local/lib/node_modules/npm/node_modules/picomatch/package.json
• bundled version in that image: 4.0.3

Why this is painful operationally:

• Enterprise image scanners flag CVE-2026-33671 through npm://npm:10.9.7 -> npm://picomatch:4.0.3
• Even if we patch the bundled npm tree in-place during image build to 4.0.4, layer-based scanners can still report the older lower layer tar that originally contained 4.0.3
• That means downstream users can still get blocked in CI even when the live merged filesystem has already been remediated

What we verified:

• Live container filesystem after in-image replacement shows bundled npm picomatch at 4.0.4
• Exported image archive still contains an older lower layer with 4.0.3, and scanners may report that archived layer path instead of the effective merged filesystem
• So the only clean downstream fix is for npm/node base images to stop shipping the vulnerable bundled dependency in the first place

Request:

• Please publish an npm release line that no longer bundles picomatch 4.0.3
• If there is already a fixed npm release or backport strategy for the 10.x line, can you clarify which version consumers should target?

Additional note:

• We also checked newer official Node images. A simple base-image upgrade is not necessarily enough for downstream users unless the bundled npm dependency tree itself is fixed.

[Montellanos]

Any news about solution?

[Stamo-Gochev]

The same problem occurs with brace-expansion package, so it will be nice for both of them to be fixed - logged in #9260

Run npm audit
# npm audit report

brace-expansion  4.0.0 - 5.0.4
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion

picomatch  4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/npm/node_modules/tinyglobby/node_modules/picomatch

2 vulnerabilities (1 moderate, 1 high)

[Berehulia]

Hey team!

Any expectations when this can be fixed?

Thanks!

[hamza761]

Hey Team!
below package is upgraded so now this issue can be fixed quickly.
can anyone create a PR with upgraded package
Thanks!

[owlstronaut]

These will be updated in the next deps release

[hamza761]

@owlstronaut Could you please let us know when you expect the next release?