Your message dated Mon, 06 Apr 2026 10:05:59 +0000
with message-id <[email protected]>
and subject line Bug#1128579: fixed in node-minimatch 9.0.7-1
has caused the Debian Bug report #1128579,
regarding node-minimatch: CVE-2026-26996
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128579
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-minimatch
Version: 9.0.3-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-minimatch.
CVE-2026-26996[0]:
| minimatch is a minimal matching utility for converting glob
| expressions into JavaScript RegExp objects. Versions 10.2.0 and
| below are vulnerable to Regular Expression Denial of Service (ReDoS)
| when a glob pattern contains many consecutive * wildcards followed
| by a literal character that doesn't appear in the test string. Each
| * compiles to a separate [^/]*? regex group, and when the match
| fails, V8's regex engine backtracks exponentially across all
| possible splits. The time complexity is O(4^N) where N is the number
| of * characters. With N=15, a single minimatch() call takes ~2
| seconds. With N=34, it hangs effectively forever. Any application
| that passes user-controlled strings to minimatch() as the pattern
| argument is vulnerable to DoS. This issue has been fixed in version
| 10.2.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-26996
https://www.cve.org/CVERecord?id=CVE-2026-26996
[1] https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
[2] https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
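
Added example, not part of the bug report and not minimatch code: a simplified model of the compilation the CVE text describes (each * becoming its own [^/]*? group), plus a pre-filter for user-supplied patterns on systems that still run an unfixed version. The function names and the limits are assumptions chosen for illustration.

```javascript
'use strict';

// Simplified model of the compilation the advisory describes (an assumption,
// not minimatch source): escape literals, then turn every '*' into a lazy group.
function modelCompile(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return '^' + escaped.replace(/\*/g, '[^/]*?') + '$';
}

// Count '*' characters and the longest consecutive run of them.
// Escaped stars (\*) are counted too, which only makes the check stricter.
function starStats(glob) {
  let total = 0, longestRun = 0, run = 0;
  for (const ch of glob) {
    run = ch === '*' ? run + 1 : 0;
    if (ch === '*') total++;
    if (run > longestRun) longestRun = run;
  }
  return { total, longestRun };
}

// Hypothetical limits; tune to the globs the application legitimately accepts.
// maxStarRun is 2 so that the '**' globstar segment still passes.
const DEFAULT_LIMITS = { maxLength: 256, maxStars: 8, maxStarRun: 2 };

// Pre-filter for patterns that arrive from users, run before minimatch().
function checkUntrustedGlob(glob, limits = DEFAULT_LIMITS) {
  if (typeof glob !== 'string') return { ok: false, reason: 'not-a-string' };
  if (glob.length > limits.maxLength) return { ok: false, reason: 'too-long' };
  const { total, longestRun } = starStats(glob);
  if (longestRun > limits.maxStarRun) return { ok: false, reason: 'star-run' };
  if (total > limits.maxStars) return { ok: false, reason: 'too-many-stars' };
  return { ok: true, reason: null };
}

// Constructed samples: two ordinary globs and one of the shape in the CVE text.
const samples = ['src/**/*.js', '*.min.*', '*'.repeat(15) + 'x'];
for (const p of samples) {
  const verdict = checkUntrustedGlob(p);
  console.log(JSON.stringify(p), verdict.ok ? 'accept' : 'reject: ' + verdict.reason);
}
console.log(modelCompile('a***b')); // one lazy group per '*'
```

The filter is a stopgap for input validation; the packaged fix is the upgrade recorded in the closing message below.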
--- Begin Message ---
Source: node-minimatch
Source-Version: 9.0.7-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-minimatch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-minimatch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 06 Apr 2026 11:41:05 +0200
Source: node-minimatch
Architecture: source
Version: 9.0.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1128579 1129095
Changes:
node-minimatch (9.0.7-1) unstable; urgency=medium
.
* Team upload
* New upstream version 9.0.7 (Closes: #1128579, #1129095)
- fixes CVE-2026-26996, CVE-2026-27903, CVE-2026-27904 (ReDoS)
* Declare compliance with policy 4.7.4
* debian/watch version 5, optimize
* Switch build from rollup to tshy
* Add patch to use brace-expansion 2.x default export
* Use index.cjs wrapper for backward-compatible default export
* Drop unused build-deps: rollup plugins, ts-node, node-tap
* Replace upstream ESM tests with minimal require test
(upstream tests need tap >= 21, not available in Debian)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel