
Copilot AI commented Jan 26, 2026

The repo relied on vulnerable micromatch versions susceptible to ReDoS. Updated the dependency to the patched 4.0.8 release and refreshed the lockfile to enforce the safe version across workspaces.

How does the feature work? / How did you fix the issue?

  • Dependency update: add micromatch ^4.0.8 at the root to pin the safe release and regenerate the lockfile to propagate it transitively.
  • Security mitigation: ensures downstream consumers resolve to the patched micromatch version, preventing the known ReDoS pattern.

Example:

"dependencies": {
  "@playwright/test": "^1.44.1",
  "micromatch": "^4.0.8",
  "minimatch": "^10.0.3"
}

Check list

  • unit-tests written
  • e2e-tests written
  • documentation updated
  • PR name follows the pattern #1234 – issue name
  • branch name doesn't contain '#'
  • PR is linked with the issue
  • base branch (master or release/xx) is correct
  • task status changed to "Code review"
  • reviewers are notified about the pull request
Original prompt

This section details the original issue you should resolve

<issue_title>Refactor: Regular Expression Denial of Service (ReDoS) in micromatch</issue_title>
<issue_description>The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to micromatch/micromatch#266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Solution

Update micromatch package to latest version without overrides, update root dependencies
</issue_description>

Comments on the Issue (you are @copilot in this section)


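The PR above relies on the regenerated lockfile to push micromatch 4.0.8 or later into every workspace, including nested copies pulled in transitively. The following script, added here as an illustration and not part of the PR or of the repository, audits a parsed `package-lock.json` object for copies of a package that resolve below a given floor. The lockfile it runs on is a constructed sample with a stale nested copy; in practice you would pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fail the CI job when `ok` is false.

```javascript
// Added example, not code from the PR: audit a parsed package-lock.json for
// copies of a package that resolve below a patched release, so the "lockfile
// propagates the safe version transitively" claim can be checked in CI.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts;
// returns null for anything that is not a plain semver string.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Comparator: negative if a < b, 0 if equal, positive if a > b.
// A prerelease sorts below its release (4.0.8-rc.1 < 4.0.8), so a
// prerelease of the fixed version is still reported as unpatched.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every installed copy of `name` from a lockfile object.
// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies" trees).
function installedCopies(lock, name) {
  const copies = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/<name>" or ".../node_modules/<name>".
      if (path.endsWith(`node_modules/${name}`) && entry.version) {
        copies.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name && entry.version) copies.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return copies;
}

// Report copies of `name` older than `minVersion`. `ok` is true only when
// at least one copy exists and none of them is below the floor.
function auditPackage(lock, name, minVersion) {
  const copies = installedCopies(lock, name);
  const vulnerable = copies.filter((c) => compareVersions(c.version, minVersion) < 0);
  return { ok: copies.length > 0 && vulnerable.length === 0, copies, vulnerable };
}

// Constructed sample lockfile (lockfileVersion 3), not from the repository:
// the root copy is patched, but a dependency still carries a stale nested
// copy that survives until the lockfile is regenerated.
const SAMPLE_LOCK = {
  name: "example-repo",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { micromatch: "^4.0.8", "some-tool": "^1.0.0" } },
    "node_modules/micromatch": { version: "4.0.8" },
    "node_modules/some-tool": { version: "1.0.0", dependencies: { micromatch: "^4.0.0" } },
    "node_modules/some-tool/node_modules/micromatch": { version: "4.0.5" },
  },
};

const REPORT = auditPackage(SAMPLE_LOCK, "micromatch", "4.0.8");
for (const c of REPORT.vulnerable) {
  console.log(`UNPATCHED ${c.path}@${c.version} (need >= 4.0.8)`);
}
console.log(REPORT.ok ? "lockfile OK" : "lockfile still resolves an unpatched micromatch");
```

The check deliberately looks at resolved versions rather than the `^4.0.8` range declared at the root: a root range only constrains the hoisted copy, while a dependency with its own nested `node_modules/micromatch` keeps whatever the old lockfile recorded until it is regenerated.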

Copilot AI changed the title from "[WIP] Refactor micromatch to resolve Regular Expression Denial of Service" to "Refactor: update micromatch to patched release" on Jan 26, 2026
Copilot AI requested a review from AlexeyGirin January 26, 2026 23:27
@AlexeyGirin AlexeyGirin marked this pull request as ready for review January 27, 2026 08:00
@AlexeyGirin AlexeyGirin requested review from rrodionov91 and removed request for AlexeyGirin, NataliaLoginova, Zhirnoff and svvald January 27, 2026 09:23
Development

Successfully merging this pull request may close these issues.

Refactor: Regular Expression Denial of Service (ReDoS) in micromatch

2 participants