From: carnil@debian.org   
      
   Source: node-minimatch   
   Version: 9.0.3-6   
   Severity: important   
   Tags: security upstream   
   X-Debbugs-Cc: carnil@debian.org, Debian Security Team    
      
   Hi,   
      
   The following vulnerability was published for node-minimatch.   
      
   CVE-2026-26996[0]:   
   | minimatch is a minimal matching utility for converting glob   
   | expressions into JavaScript RegExp objects. Versions 10.2.0 and   
   | below are vulnerable to Regular Expression Denial of Service (ReDoS)   
   | when a glob pattern contains many consecutive * wildcards followed   
   | by a literal character that doesn't appear in the test string. Each   
   | * compiles to a separate [^/]*? regex group, and when the match   
   | fails, V8's regex engine backtracks exponentially across all   
   | possible splits. The time complexity is O(4^N) where N is the number   
   | of * characters. With N=15, a single minimatch() call takes ~2   
   | seconds. With N=34, it hangs effectively forever. Any application   
   | that passes user-controlled strings to minimatch() as the pattern   
   | argument is vulnerable to DoS. This issue has been fixed in version   
   | 10.2.1.   
      
      
   If you fix the vulnerability please also make sure to include the   
   CVE (Common Vulnerabilities & Exposures) id in your changelog entry.   
      
   For further information see:   
      
   [0] https://security-tracker.debian.org/tracker/CVE-2026-26996   
       https://www.cve.org/CVERecord?id=CVE-2026-26996   
   [1] https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26   
   [2] https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa   
   3110195de2c0f2351904f5   
      
   Please adjust the affected versions in the BTS as needed.   
      
   Regards,   
   Salvatore   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)