
chore: updating minimatch #19434

Open

isaacs wants to merge 1 commit into develop from isaacschlueter/js-1765-vulnerable-dependency-minimatch

Conversation

@isaacs (Member) commented Feb 19, 2026

  • Adding a devDependency on minimatch in the root, so that all outdated versions get pushed into duplicates.
  • Updated minimatch direct dependency packages/node, packages/react-router, and packages/remix
  • Once "chore!: updating minimatch" (sentry-javascript-bundler-plugins#885) lands, we can update the dependency coming in from @sentry/bundler-plugin-core

There are several other dependencies that transitively bring in a minimatch v3, v5, v8, or v9. Fixes for the ReDoS will be backported where those dependencies cannot be easily updated.

Before submitting a pull request, please take a look at our
Contributing guidelines and verify:

  • If you've added code that should be tested, please add tests.
  • Ensure your code lints and the test suite passes (yarn lint) & (yarn test).
  • Link an issue if there is one related to your pull request. If no issue is linked, one will be auto-generated and linked.

Closes #issue_link_here
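The description above reduces to a lockfile question: after the direct bumps, which resolved copies of minimatch remain, which dependents pull each one in, and which of them can only be handled by a resolution or a backport. The script below is an added example, not code from the sentry-javascript repository. It assumes a yarn classic (v1) `yarn.lock` layout, a constructed lockfile excerpt, and placeholder "first fixed" versions in `FIXED_MINIMUM` that stand in for the real advisory data:

```javascript
// Added example; not code from the sentry-javascript repository. Audits a
// yarn classic (v1) lockfile for every resolved copy of one package, lists the
// dependents that pull each copy in, and drafts `resolutions` entries for the
// copies still below a per-major "first fixed" release.
//
// SAMPLE_LOCK is a CONSTRUCTED excerpt and FIXED_MINIMUM holds placeholder
// versions; neither reflects the real minimatch advisory.

const SAMPLE_LOCK = `
"@example/legacy-tool@^1.0.0":
  version "1.0.0"
  dependencies:
    minimatch "^3.0.4"

glob@^7.1.3:
  version "7.2.3"
  dependencies:
    minimatch "^3.1.1"

glob@^13.0.6:
  version "13.0.6"
  dependencies:
    minimatch "^10.2.0"

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.2"

minimatch@^5.0.1:
  version "5.1.6"

minimatch@^10.0.0, minimatch@^10.2.0:
  version "10.2.1"

some-linter@^8.0.0:
  version "8.0.0"
  dependencies:
    minimatch "^5.0.1"
`;

// Placeholder lowest-fixed release per major line (assumed for this demo).
const FIXED_MINIMUM = { 3: '3.1.3', 5: '5.1.7', 10: '10.2.1' };

// Split `name@range` at the last '@' so scoped names keep their leading '@'.
function splitDescriptor(desc) {
  const at = desc.lastIndexOf('@');
  return { name: desc.slice(0, at), range: desc.slice(at + 1) };
}

// Minimal yarn.lock v1 parser: unindented `a@r, b@r:` headers, a 2-space
// `version "x.y.z"` line and 4-space `dep "range"` requirement lines.
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split('\n')) {
    if (/^\S/.test(line) && line.endsWith(':')) {
      const descs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      cur = {
        name: splitDescriptor(descs[0]).name,
        ranges: descs.map(d => splitDescriptor(d).range),
        version: null,
        deps: {},
      };
      entries.push(cur);
      continue;
    }
    let m;
    if (cur && (m = line.match(/^\s{2}version "([^"]+)"$/))) cur.version = m[1];
    else if (cur && (m = line.match(/^\s{4}"?([^"\s]+)"? "([^"]+)"$/))) cur.deps[m[1]] = m[2];
  }
  return entries;
}

// Compare dotted numeric versions (no prerelease tags in this example).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

function auditPackage(lockText, pkg, fixedMinimum) {
  const entries = parseYarnLock(lockText);
  const copies = entries.filter(e => e.name === pkg);
  const minimumFor = v => fixedMinimum[Number(v.split('.')[0])];
  const vulnerable = [];
  const resolutions = {};
  for (const copy of copies) {
    const min = minimumFor(copy.version);
    if (min !== undefined && compareVersions(copy.version, min) >= 0) continue;
    // Every lockfile entry whose requirement on `pkg` resolved to this copy.
    const dependents = entries
      .filter(e => e.name !== pkg && copy.ranges.includes(e.deps[pkg]))
      .map(e => `${e.name}@${e.version}`);
    vulnerable.push({ version: copy.version, dependents });
    // A major line with no fixed release cannot be handled by an override at
    // all: the dependent must be upgraded or the fix backported.
    if (min === undefined) continue;
    for (const dep of dependents) {
      const depName = splitDescriptor(dep).name;
      // yarn classic `resolutions` patterns match by dependent *name*, so
      // `glob/minimatch` would also rewrite the copy an already-fixed glob@13
      // requests. Record that collateral so the reviewer can see it.
      const alsoMatches = entries
        .filter(e => e.name === depName && e.deps[pkg] && !copy.ranges.includes(e.deps[pkg]))
        .map(e => `${e.name}@${e.version}`);
      resolutions[`${depName}/${pkg}`] = { version: min, alsoMatches };
    }
  }
  return { copies: copies.map(c => c.version), vulnerable, resolutions };
}

console.log(JSON.stringify(auditPackage(SAMPLE_LOCK, 'minimatch', FIXED_MINIMUM), null, 2));
```

The `alsoMatches` field is the caveat that matters when drafting overrides: a name-based pattern like `glob/minimatch` would force the old-glob copy up, but it would also pin the minimatch that a fixed glob@13 asks for, so for dependents that exist at several versions, bumping the dependent itself (as this PR does for its direct dependencies) is the cleaner fix, and the override belongs only on the pinned, rarely-updated ones.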

linear bot commented Feb 19, 2026

github-actions bot (Contributor) commented Feb 19, 2026

size-limit report 📦

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 25.62 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.12 kB | - | - |
| @sentry/browser (incl. Tracing) | 42.42 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 47.09 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 81.24 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.86 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.94 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 98.2 kB | - | - |
| @sentry/browser (incl. Feedback) | 42.43 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.29 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 35.34 kB | - | - |
| @sentry/browser (incl. Metrics) | 26.79 kB | - | - |
| @sentry/browser (incl. Logs) | 26.93 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 27.61 kB | - | - |
| @sentry/react | 27.37 kB | - | - |
| @sentry/react (incl. Tracing) | 44.76 kB | - | - |
| @sentry/vue | 30.07 kB | - | - |
| @sentry/vue (incl. Tracing) | 44.27 kB | - | - |
| @sentry/svelte | 25.64 kB | - | - |
| CDN Bundle | 28.16 kB | - | - |
| CDN Bundle (incl. Tracing) | 43.25 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 29 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.09 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.08 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 80.13 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 80.99 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.64 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.53 kB | - | - |
| CDN Bundle - uncompressed | 82.34 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 128.06 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 85.18 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 130.89 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 208.84 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.94 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 247.76 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.85 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 260.66 kB | - | - |
| @sentry/nextjs (client) | 47.17 kB | - | - |
| @sentry/sveltekit (client) | 42.88 kB | - | - |
| @sentry/node-core | 52.18 kB | +0.02% | +9 B 🔺 |
| @sentry/node | 173.46 kB | +0.01% | +9 B 🔺 |
| @sentry/node - without tracing | 97.33 kB | +0.02% | +11 B 🔺 |
| @sentry/aws-serverless | 113.13 kB | +0.01% | +8 B 🔺 |


github-actions bot (Contributor) commented Feb 19, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
|---|---|---|---|---|
| GET Baseline | 11,214 | - | 9,153 | +23% |
| GET With Sentry | 1,869 | 17% | 1,741 | +7% |
| GET With Sentry (error only) | 7,493 | 67% | 6,042 | +24% |
| POST Baseline | 1,164 | - | 1,170 | -1% |
| POST With Sentry | 563 | 48% | 572 | -2% |
| POST With Sentry (error only) | 1,023 | 88% | 1,022 | +0% |
| MYSQL Baseline | 3,870 | - | 3,235 | +20% |
| MYSQL With Sentry | 443 | 11% | 528 | -16% |
| MYSQL With Sentry (error only) | 3,218 | 83% | 2,662 | +21% |


isaacs force-pushed the isaacschlueter/js-1765-vulnerable-dependency-minimatch branch from 0926993 to 101e9f9 on February 23, 2026 at 23:14
isaacs added a commit that referenced this pull request Feb 23, 2026
- Updated `minimatch` direct dependency in our packages (packages/node,
  packages/react-router, and packages/remix)
- Added some yarn resolutions for old pinned versions of minimatch that
  are unlikely to be updated in their respective dependencies.

fixes JS-1765
fixes #19431
isaacs force-pushed the isaacschlueter/js-1765-vulnerable-dependency-minimatch branch from 101e9f9 to 43842b9 on February 23, 2026 at 23:16
isaacs marked this pull request as ready for review on February 23, 2026 at 23:17
isaacs added a commit that referenced this pull request Feb 23, 2026
isaacs force-pushed the isaacschlueter/js-1765-vulnerable-dependency-minimatch branch from 43842b9 to c13f91c on February 23, 2026 at 23:45
@isaacs (Member, Author) commented Feb 23, 2026

Dependency review CI is still catching up. The minimatch versions it's flagging all have the fix for the CVE, just waiting on it to go through the GH advisory workflow. The licenses for glob and rimraf are BlueOak-1.0.0, which was just recently approved in our FOSSA instance.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

isaacs added a commit that referenced this pull request Feb 24, 2026
isaacs force-pushed the isaacschlueter/js-1765-vulnerable-dependency-minimatch branch from c13f91c to 944ed68 on February 24, 2026 at 17:33
isaacs force-pushed the isaacschlueter/js-1765-vulnerable-dependency-minimatch branch from 944ed68 to acbd011 on February 24, 2026 at 18:44
Comment on lines 72 to 78
"@sentry/core": "10.40.0",
"@sentry/node": "10.40.0",
"@sentry/react": "10.40.0",
"glob": "^10.3.4",
"glob": "^13.0.6",
"yargs": "^17.6.0"
},
"devDependencies": {
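Review bot: the glob range in this block moves from `"glob": "^10.3.4"` to `"glob": "^13.0.6"`, three major versions in a PR whose title and description only talk about minimatch, and because the block closes immediately before `"devDependencies": {` it appears to be a runtime dependency of @sentry/remix (packages/remix/package.json), so the bump reaches every consumer's install rather than only this repository's tooling. Please state in the PR description why glob itself needs to move here (presumably so that glob brings in a patched minimatch, but that is not spelled out) and list which of this package's own scripts use the glob v10 API, since the Bugbot finding on `glob.sync()` is about exactly that code and a reviewer cannot tell from this hunk whether it was addressed.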

Bug: The update to glob v13 removes the glob.sync() and glob.glob() APIs, which are still used by multiple build and test scripts, causing them to fail at runtime.
Severity: HIGH

Suggested Fix

Update all usages of the deprecated glob APIs. Replace const mapFiles = glob.sync(...) with import { globSync } from 'glob'; const mapFiles = globSync(...). Similarly, refactor any callback-based glob.glob() calls to use the modern promise-based or synchronous APIs provided by glob v13.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.

Location: packages/remix/package.json#L72-L78

Potential issue: The pull request updates the `glob` dependency to version 13. This major version update removes the `glob.sync()` method and the callback-based `glob.glob()` function, which are used in several build and test scripts across the repository. For example, the `deleteSourcemaps.js` script, which is part of the Remix package's build process, uses `glob.sync()`. When this script is executed with the updated dependency, it will throw a `TypeError: glob.sync is not a function`, causing the build process to fail. Other scripts in `dev-packages` will also fail for the same reason.
