diff --git a/apps/api-extractor/package.json b/apps/api-extractor/package.json index 0b1d8f9129..a88f92d2c4 100644 --- a/apps/api-extractor/package.json +++ b/apps/api-extractor/package.json @@ -71,7 +71,7 @@ "@rushstack/ts-command-line": "workspace:*", "diff": "~8.0.2", "lodash": "~4.17.23", - "minimatch": "10.2.1", + "minimatch": "10.2.3", "resolve": "~1.22.1", "semver": "~7.5.4", "source-map": "~0.6.1", diff --git a/common/changes/@microsoft/api-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json b/common/changes/@microsoft/api-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json new file mode 100644 index 0000000000..8a361a4e2a --- /dev/null +++ b/common/changes/@microsoft/api-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@microsoft/api-extractor", + "comment": "Bump minimatch version from 10.2.1 to 10.2.3", + "type": "patch" + } + ], + "packageName": "@microsoft/api-extractor" +} \ No newline at end of file diff --git a/common/changes/@rushstack/package-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json b/common/changes/@rushstack/package-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json new file mode 100644 index 0000000000..c8f48d6816 --- /dev/null +++ b/common/changes/@rushstack/package-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@rushstack/package-extractor", + "comment": "Bump minimatch version from 10.2.1 to 10.2.3", + "type": "patch" + } + ], + "packageName": "@rushstack/package-extractor" +} \ No newline at end of file diff --git a/common/changes/@rushstack/webpack4-localization-plugin/fix-minimatch-vulnerability_2026-02-27-10-51.json b/common/changes/@rushstack/webpack4-localization-plugin/fix-minimatch-vulnerability_2026-02-27-10-51.json new file mode 100644 index 0000000000..efd62b00ba --- /dev/null +++ b/common/changes/@rushstack/webpack4-localization-plugin/fix-minimatch-vulnerability_2026-02-27-10-51.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@rushstack/webpack4-localization-plugin", + "comment": "Bump minimatch version from 10.2.1 to 10.2.3", + "type": "patch" + } + ], + "packageName": "@rushstack/webpack4-localization-plugin" +} \ No newline at end of file diff --git a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml index 1db0185df4..fbce8df884 100644 --- a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml +++ b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml @@ -836,7 +836,7 @@ packages: '@rushstack/heft-api-extractor-plugin@file:../../../heft-plugins/heft-api-extractor-plugin': resolution: {directory: ../../../heft-plugins/heft-api-extractor-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.5 + '@rushstack/heft': 1.2.6 '@rushstack/heft-config-file@file:../../../libraries/heft-config-file': resolution: {directory: ../../../libraries/heft-config-file, type: directory} @@ -845,7 +845,7 @@ packages: '@rushstack/heft-jest-plugin@file:../../../heft-plugins/heft-jest-plugin': resolution: {directory: ../../../heft-plugins/heft-jest-plugin, type: directory} peerDependencies: - '@rushstack/heft': ^1.2.5 + '@rushstack/heft': ^1.2.6 jest-environment-jsdom: ^29.5.0 jest-environment-node: ^29.5.0 peerDependenciesMeta: @@ -857,17 +857,17 @@ packages: '@rushstack/heft-lint-plugin@file:../../../heft-plugins/heft-lint-plugin': resolution: {directory: ../../../heft-plugins/heft-lint-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.5 + '@rushstack/heft': 1.2.6 '@rushstack/heft-node-rig@file:../../../rigs/heft-node-rig': resolution: {directory: ../../../rigs/heft-node-rig, type: directory} peerDependencies: - '@rushstack/heft': ^1.2.5 + '@rushstack/heft': ^1.2.6 '@rushstack/heft-typescript-plugin@file:../../../heft-plugins/heft-typescript-plugin': resolution: {directory: ../../../heft-plugins/heft-typescript-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.5 + '@rushstack/heft': 1.2.6 '@rushstack/heft@file:../../../apps/heft': resolution: {directory: ../../../apps/heft, type: directory} @@ -2682,10 +2682,6 @@ packages: resolution: {integrity: sha512-Ysbi9uYW9hFyfrThdDEQuykN4Ey6BuwPD2kpI5ES/nFTDn/98yxYNLZJcgUAKPT/mcrLLKaGzJR9YVxJrIdASQ==} engines: {node: '>=8'} - minimatch@10.2.1: - resolution: {integrity: sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==} - engines: {node: 20 || >=22} - minimatch@10.2.3: resolution: {integrity: sha512-Rwi3pnapEqirPSbWbrZaa6N3nmqq4Xer/2XooiOKyV3q12ML06f7MOuc5DVH8ONZIFhwIYQ3yzPH4nt7iWHaTg==} engines: {node: 18 || 20 || >=22} @@ -4176,7 +4172,7 @@ snapshots: '@rushstack/ts-command-line': file:../../../libraries/ts-command-line(@types/node@20.17.19) diff: 8.0.3 lodash: 4.17.23 - minimatch: 10.2.1 + minimatch: 10.2.3 resolve: 1.22.11 semver: 7.5.4 source-map: 0.6.1 @@ -4771,7 +4767,7 @@ snapshots: '@rushstack/ts-command-line': file:../../../libraries/ts-command-line(@types/node@20.17.19) ignore: 5.1.9 jszip: 3.8.0 - minimatch: 10.2.1 + minimatch: 10.2.3 npm-packlist: 5.1.3 semver: 7.5.4 transitivePeerDependencies: @@ -7238,10 +7234,6 @@ snapshots: mimic-fn@3.1.0: {} - minimatch@10.2.1: - dependencies: - brace-expansion: 5.0.2 - minimatch@10.2.3: dependencies: brace-expansion: 5.0.2 diff --git a/common/config/subspaces/build-tests-subspace/repo-state.json b/common/config/subspaces/build-tests-subspace/repo-state.json index 2cc2c1d864..ea9324a271 100644 --- a/common/config/subspaces/build-tests-subspace/repo-state.json +++ b/common/config/subspaces/build-tests-subspace/repo-state.json @@ -1,6 +1,6 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "c7fc0d748fad95ed6142faa9eaff041335b3fc17", + "pnpmShrinkwrapHash": "c395a90b30bd67a31beb1d1b08be9aecb02de265", "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9", - "packageJsonInjectedDependenciesHash": "c79f0a961494e6e313bb0ec2c8fe0433cb6baaf5" + "packageJsonInjectedDependenciesHash": "8410b26d03a38d02cb52140340c78128eb2e5fdd" } diff --git a/common/config/subspaces/default/common-versions.json b/common/config/subspaces/default/common-versions.json index a688a847ba..2027ea92b2 100644 --- a/common/config/subspaces/default/common-versions.json +++ b/common/config/subspaces/default/common-versions.json @@ -35,7 +35,7 @@ "eslint": "~9.37.0", // Updated minimatch and its types to latest major version to resolve ReDoS vulnerability - "minimatch": "10.2.1" + "minimatch": "10.2.3" }, /** diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index e7c5e552d8..5f42f27a4b 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -89,8 +89,8 @@ importers: specifier: ~4.17.23 version: 4.17.23 minimatch: - specifier: 10.2.1 - version: 10.2.1 + specifier: 10.2.3 + version: 10.2.3 resolve: specifier: ~1.22.1 version: 1.22.11 @@ -3993,8 +3993,8 @@ importers: specifier: ~3.8.0 version: 3.8.0 minimatch: - specifier: 10.2.1 - version: 10.2.1 + specifier: 10.2.3 + version: 10.2.3 npm-packlist: specifier: ~5.1.3 version: 5.1.3 @@ -5648,8 +5648,8 @@ importers: specifier: 1.4.2 version: 1.4.2 minimatch: - specifier: 10.2.1 - version: 10.2.1 + specifier: 10.2.3 + version: 10.2.3 devDependencies: '@rushstack/heft': specifier: workspace:* @@ -26221,7 +26221,7 @@ snapshots: '@types/minimatch@6.0.0': dependencies: - minimatch: 10.2.1 + minimatch: 10.2.3 '@types/mocha@10.0.6': {} @@ -31183,7 +31183,7 @@ snapshots: dependencies: foreground-child: 3.3.1 jackspeak: 4.1.1 - minimatch: 10.2.1 + minimatch: 10.2.3 minipass: 7.1.2 package-json-from-dist: 1.0.1 path-scurry: 2.0.1 diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index c65102a393..a52850206a 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json @@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "332ad6b0bd71bdfb6f4ae69270e34275b8dc2f1e", - "preferredVersionsHash": "93bf435032db8da4a18734f1eaa359c12ad147c1" + "pnpmShrinkwrapHash": "0778382a980762005a055ec6e76ca8cc37d447f1", + "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c" } diff --git a/libraries/package-extractor/package.json b/libraries/package-extractor/package.json index e48cd118b4..418dd58d1e 100644 --- a/libraries/package-extractor/package.json +++ b/libraries/package-extractor/package.json @@ -46,7 +46,7 @@ "@rushstack/ts-command-line": "workspace:*", "ignore": "~5.1.6", "jszip": "~3.8.0", - "minimatch": "10.2.1", + "minimatch": "10.2.3", "npm-packlist": "~5.1.3", "semver": "~7.5.4" }, diff --git a/webpack/webpack4-localization-plugin/package.json b/webpack/webpack4-localization-plugin/package.json index 11b8baac5b..7114680144 100644 --- a/webpack/webpack4-localization-plugin/package.json +++ b/webpack/webpack4-localization-plugin/package.json @@ -60,7 +60,7 @@ "@rushstack/terminal": "workspace:*", "@types/tapable": "1.0.6", "loader-utils": "1.4.2", - "minimatch": "10.2.1" + "minimatch": "10.2.3" }, "devDependencies": { "@rushstack/heft": "workspace:*",