fix(security): bump minimatch override to >=10.2.3 #528

jason.woltje · 2026-02-27T01:48:32Z

jason.woltje commented

2026-02-27 01:48:32 +00:00

Fixes 2 high-severity ReDoS CVEs (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74) in minimatch via typescript-eslint transitive dep. Bumps existing pnpm override from >=10.2.1 to >=10.2.3. Unblocks CI security-audit gate on all three workflows.

jason.woltje added 2 commits 2026-02-27 01:48:33 +00:00

ci: enable turborepo remote cache for all Node.js pipelines

ci/woodpecker/push/api Pipeline failed

Details

ci/woodpecker/push/orchestrator Pipeline failed

Details

ci/woodpecker/push/web Pipeline failed

Details

5ed0a859da

Connect to self-hosted turbo cache at turbo.mosaicstack.dev.
Convert lint/typecheck/test/build steps to use pnpm turbo with
remote cache env vars, removing manual build-shared steps since
turbo handles the dependency graph automatically.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

fix(security): bump minimatch override to >=10.2.3 (GHSA-7r86, GHSA-23c5)

ci/woodpecker/push/orchestrator Pipeline was successful

Details

ci/woodpecker/push/web Pipeline was successful

Details

ci/woodpecker/push/api Pipeline was successful

Details

55abe359f3

Two high-severity ReDoS vulnerabilities in minimatch >=10.0.0 <10.2.3
via @typescript-eslint transitive dep. Bumps existing pnpm override
from >=10.2.1 to >=10.2.3.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

jason.woltje merged commit cc5b108b2f into main

2026-02-27 01:48:39 +00:00

jason.woltje deleted branch fix/minimatch-redos

2026-02-27 01:48:40 +00:00

jason.woltje referenced this issue from a commit

2026-02-27 01:48:41 +00:00

fix(security): bump minimatch override to >=10.2.3 (#528)

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#528