minimatch
+4
-4
@@ -814,4 +814,4 @@ module.exports = minimatch | ||
| var head = pattern.slice(patternIndex, firstgs) | ||
| var body = pattern.slice(firstgs + 1, lastgs) | ||
| var tail = pattern.slice(lastgs + 1) | ||
| var body = partial ? pattern.slice(firstgs + 1) : pattern.slice(firstgs + 1, lastgs) | ||
| var tail = partial ? [] : pattern.slice(lastgs + 1) | ||
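Review bot: the two new `partial ?` lines for `body` and `tail` encode a single decision (in partial mode everything after the first globstar is body and there is no tail, so `lastgs` is no longer used on that path), but nothing in the hunk says why, and the next reader will assume a bug. Put a one-line comment above them stating the intent, and since both branches start from `pattern.slice(firstgs + 1)`, hoist that into one `rest` variable so the partial and non-partial cases are visibly derived from the same slice instead of two near-identical ternaries.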
@@ -860,3 +860,3 @@ // check the head | ||
| } | ||
| return sawSome | ||
| return partial || sawSome | ||
| } | ||
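Review bot: `return partial || sawSome` short-circuits on `partial` regardless of `sawSome`, so the head/body check now reports success in partial mode even when no body segment was seen, and it returns whatever value `partial` holds rather than a boolean. If that is the intended semantics (a partial path that stops inside the globstar region counts as matched), say so in a comment and normalise the result with `return !!partial || sawSome` so callers that compare against `true` or `false` are not surprised by a non-boolean.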
@@ -941,3 +941,3 @@ | ||
| } | ||
| return null | ||
| return partial || null | ||
| } | ||
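Review bot: `return partial || null` changes this function's failure contract on the partial path: a caller that tests `result === null` keeps working only because `partial` happens to be truthy, and if `partial` is ever passed as a non-boolean that value leaks out as the return. Prefer an explicit `return partial ? true : null` (or whatever the success value is on the non-partial path, which this hunk does not show), and add a test that drives a partial match through this branch, because none of the hunks on this page touch a test file.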
@@ -944,0 +944,0 @@ |
+1
-1
@@ -5,3 +5,3 @@ { | ||
| "description": "a glob matcher in javascript", | ||
| "version": "3.1.4", | ||
| "version": "3.1.5", | ||
| "publishConfig": { | ||
@@ -8,0 +8,0 @@ "tag": "legacy-v3" |
+37
-0
@@ -13,2 +13,39 @@ # minimatch | ||
| ## Important Security Consideration! | ||
| > [!WARNING] | ||
| > This library uses JavaScript regular expressions. Please read | ||
| > the following warning carefully, and be thoughtful about what | ||
| > you provide to this library in production systems. | ||
| _Any_ library in JavaScript that deals with matching string | ||
| patterns using regular expressions will be subject to | ||
| [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) | ||
| if the pattern is generated using untrusted input. | ||
| Efforts have been made to mitigate risk as much as is feasible in | ||
| such a library, providing maximum recursion depths and so forth, | ||
| but these measures can only ultimately protect against accidents, | ||
| not malice. A dedicated attacker can _always_ find patterns that | ||
| cannot be defended against by a bash-compatible glob pattern | ||
| matching system that uses JavaScript regular expressions. | ||
| To be extremely clear: | ||
| > [!WARNING] | ||
| > **If you create a system where you take user input, and use | ||
| > that input as the source of a Regular Expression pattern, in | ||
| > this or any extant glob matcher in JavaScript, you will be | ||
| > pwned.** | ||
| A future version of this library _may_ use a different matching | ||
| algorithm which does not exhibit backtracking problems. If and | ||
| when that happens, it will likely be a sweeping change, and those | ||
| improvements will **not** be backported to legacy versions. | ||
| In the near term, it is not reasonable to continue to play | ||
| whack-a-mole with security advisories, and so any future ReDoS | ||
| reports will be considered "working as intended", and resolved | ||
| entirely by this warning. | ||
| ## Usage | ||
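Review bot: the warning correctly identifies the risk as an attacker-controlled pattern compiled into a regular expression, but it never states the safe configuration, so readers are left unsure whether matching untrusted paths against a trusted pattern is also a problem. Add one sentence saying that the pattern must come from the application, not from user input, and that passing untrusted file names as the first argument against a pattern the application owns is the supported use. Also, "providing maximum recursion depths and so forth" is too vague for a security section: name the concrete limits the library enforces and their values so integrators can size their inputs and tests against them rather than guessing.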
@@ -15,0 +52,0 @@ |
Long strings
Supply chain risk: Contains long string literals, which may be a sign of obfuscated or packed code.
Found 1 instance in 1 package