53 changes: 52 additions & 1 deletion package.json
Expand Up @@ -75,6 +75,56 @@
"eslint@npm:8.57.1/ajv": "^6.14.0",
"eslint@npm:9.39.2/ajv": "^6.14.0",
"express@npm:4.19.2/path-to-regexp": "0.1.12",
"@eslint/config-array@npm:0.21.1/minimatch": "^3.1.3",
"@eslint/eslintrc@npm:2.1.4/minimatch": "^3.1.3",
"@eslint/eslintrc@npm:3.3.3/minimatch": "^3.1.3",
"@expo/fingerprint@npm:0.6.1/minimatch": "^3.1.3",
"@humanwhocodes/config-array@npm:0.11.14/minimatch": "^3.1.3",
"@humanwhocodes/config-array@npm:0.13.0/minimatch": "^3.1.3",
"@lerna/create@npm:8.1.8/minimatch": "^3.1.3",
"eslint-plugin-import@npm:2.31.0/minimatch": "^3.1.3",
"eslint-plugin-import@npm:2.32.0/minimatch": "^3.1.3",
"eslint-plugin-node@npm:11.1.0/minimatch": "^3.1.3",
"eslint-plugin-react@npm:7.35.0/minimatch": "^3.1.3",
"eslint-plugin-react@npm:7.37.5/minimatch": "^3.1.3",
"eslint@npm:8.57.0/minimatch": "^3.1.3",
"eslint@npm:8.57.1/minimatch": "^3.1.3",
"eslint@npm:9.39.2/minimatch": "^3.1.3",
"glob@npm:6.0.4/minimatch": "^3.1.3",
"glob@npm:7.1.6/minimatch": "^3.1.3",
"glob@npm:7.2.3/minimatch": "^3.1.3",
"jake@npm:10.9.2/minimatch": "^3.1.3",
"lerna@npm:8.1.8/minimatch": "^3.1.3",
"multimatch@npm:5.0.0/minimatch": "^3.1.3",
"node-dir@npm:0.1.17/minimatch": "^3.1.3",
"test-exclude@npm:6.0.0/minimatch": "^3.1.3",
"filelist@npm:1.0.4/minimatch": "^5.1.8",
"glob@npm:8.1.0/minimatch": "^5.1.8",
"readdir-glob@npm:1.1.3/minimatch": "^5.1.8",
"glob@npm:9.3.5/minimatch": "^8.0.6",
"@expo/cli@npm:0.24.11/minimatch": "^9.0.7",
"@expo/cli@npm:54.0.22/minimatch": "^9.0.7",
"@expo/fingerprint@npm:0.12.4/minimatch": "^9.0.7",
"@expo/fingerprint@npm:0.15.4/minimatch": "^9.0.7",
"@expo/metro-config@npm:0.20.13/minimatch": "^9.0.7",
"@expo/metro-config@npm:54.0.14/minimatch": "^9.0.7",
"@npmcli/arborist@npm:7.5.4/minimatch": "^9.0.7",
"@npmcli/map-workspaces@npm:3.0.6/minimatch": "^9.0.7",
"@nx/devkit@npm:19.6.4/minimatch": "^9.0.7",
"@sentry/node@npm:10.31.0/minimatch": "^9.0.7",
"@tufjs/models@npm:2.0.1/minimatch": "^9.0.7",
"@typescript-eslint/typescript-estree@npm:6.21.0/minimatch": "^9.0.7",
"@typescript-eslint/typescript-estree@npm:7.18.0/minimatch": "^9.0.7",
"@typescript-eslint/typescript-estree@npm:8.50.0/minimatch": "^9.0.7",
"@typescript-eslint/typescript-estree@npm:8.54.0/minimatch": "^9.0.7",
"editorconfig@npm:1.0.4/minimatch": "^9.0.7",
"glob@npm:10.4.1/minimatch": "^9.0.7",
"glob@npm:10.4.5/minimatch": "^9.0.7",
"ignore-walk@npm:6.0.5/minimatch": "^9.0.7",
"npm-run-all2@npm:6.2.2/minimatch": "^9.0.7",
"nx@npm:19.6.4/minimatch": "^9.0.7",
"webdriverio@npm:8.40.5/minimatch": "^9.0.7",
"glob@npm:13.0.0/minimatch": "^10.2.3",
"axios": "^1.13.5",
"fast-xml-parser": "^5.3.6",
"form-data": "4.0.5",
Expand All @@ -83,7 +133,8 @@
"tar-fs": "^3.1.1",
"on-headers": "^1.1.0",
"diff": "^5.2.2",
"tar": "^7.5.8"
"tar": "^7.5.8",
"tmp": "^0.2.4"
Unscoped tmp resolution silently breaks pinned consumers

Medium Severity

The PR's stated purpose is patching minimatch ReDoS vulnerabilities using scoped resolutions to avoid forcing all consumers to a single version. However, "tmp": "^0.2.4" is added as an unscoped resolution, which forces every package in the tree that depends on tmp — including external-editor@3.1.0 and @expo/devcert, which both explicitly pin tmp@^0.0.33 — to use tmp@0.2.5. The range ^0.0.33 covers only >=0.0.33 <0.0.34, making 0.2.5 a major compatibility jump. tmp@0.0.x depends on the os-tmpdir npm package (which is also removed from the lockfile entirely), while tmp@0.2.x uses the built-in os.tmpdir(), with differences in option handling and the removed tmp.tmpdir property. This change is not documented in the PR description and contradicts the PR's own stated rationale for using scoped resolutions.


},
"version": "0.0.0",
"name": "sentry-react-native",
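Review bot: Every scoped resolution added in this hunk is keyed to an exact dependent version (`"eslint@npm:8.57.0/minimatch"`, `"@expo/cli@npm:54.0.22/minimatch"`, and so on), so the next routine bump of any of those packages silently stops matching its override and can reintroduce the unpatched minimatch range, which defeats the point of a ReDoS fix. If the intent is to keep each dependent on its own minimatch major, version-less keys such as `"eslint/minimatch": "^3.1.3"` survive dependent bumps; if exact keys are deliberate, a CI check that the installed minimatch versions stay at or above the patched floors (3.1.3 / 5.1.8 / 8.0.6 / 9.0.7 / 10.2.3) would catch the regression. The removed and added yarn.lock entries also differ in descriptor format (`brace-expansion: "npm:^1.1.7"` versus `brace-expansion: ^1.1.7`), which suggests the lockfile was regenerated with a different Yarn release than the one that last wrote it; worth confirming so the format does not flip back on the next install. The resolutions object begins above this hunk.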
143 changes: 51 additions & 92 deletions yarn.lock
Expand Up @@ -6921,22 +6921,6 @@ __metadata:
languageName: node
linkType: hard

"@isaacs/balanced-match@npm:^4.0.1":
version: 4.0.1
resolution: "@isaacs/balanced-match@npm:4.0.1"
checksum: 102fbc6d2c0d5edf8f6dbf2b3feb21695a21bc850f11bc47c4f06aa83bd8884fde3fe9d6d797d619901d96865fdcb4569ac2a54c937992c48885c5e3d9967fe8
languageName: node
linkType: hard

"@isaacs/brace-expansion@npm:^5.0.0":
version: 5.0.1
resolution: "@isaacs/brace-expansion@npm:5.0.1"
dependencies:
"@isaacs/balanced-match": ^4.0.1
checksum: 21f8192f022c320f7acf899730feb419b1a5f4ccc741481ef8f4b3111e97a41c06e5783871bb240da2e87de909c7fc5b0d07f73818db521fee06541c086ea351
languageName: node
linkType: hard

"@isaacs/cliui@npm:^8.0.2":
version: 8.0.2
resolution: "@isaacs/cliui@npm:8.0.2"
Expand Down Expand Up @@ -15030,6 +15014,13 @@ __metadata:
languageName: node
linkType: hard

"balanced-match@npm:^4.0.2":
version: 4.0.4
resolution: "balanced-match@npm:4.0.4"
checksum: fb07bb66a0959c2843fc055838047e2a95ccebb837c519614afb067ebfdf2fa967ca8d712c35ced07f2cd26fc6f07964230b094891315ad74f11eba3d53178a0
languageName: node
linkType: hard

"bare-events@npm:^2.2.0":
version: 2.4.2
resolution: "bare-events@npm:2.4.2"
Expand Down Expand Up @@ -15310,6 +15301,24 @@ __metadata:
languageName: node
linkType: hard

"brace-expansion@npm:^2.0.2":
version: 2.0.2
resolution: "brace-expansion@npm:2.0.2"
dependencies:
balanced-match: ^1.0.0
checksum: 01dff195e3646bc4b0d27b63d9bab84d2ebc06121ff5013ad6e5356daa5a9d6b60fa26cf73c74797f2dc3fbec112af13578d51f75228c1112b26c790a87b0488
languageName: node
linkType: hard

"brace-expansion@npm:^5.0.2":
version: 5.0.4
resolution: "brace-expansion@npm:5.0.4"
dependencies:
balanced-match: ^4.0.2
checksum: ded86c0f0b138734110d67437fee52c1f97bc19175644788b1d71afec2d87d405cf05424ce428f88ae3abe8e09e13ee55f2675534b38076ef70e1e583ed75686
languageName: node
linkType: hard

"braces@npm:^3.0.3, braces@npm:~3.0.2":
version: 3.0.3
resolution: "braces@npm:3.0.3"
Expand Down Expand Up @@ -26368,75 +26377,48 @@ __metadata:
languageName: node
linkType: hard

"minimatch@npm:2 || 3, minimatch@npm:^3.0.2, minimatch@npm:^3.0.4, minimatch@npm:^3.0.5, minimatch@npm:^3.1.1, minimatch@npm:^3.1.2":
version: 3.1.2
resolution: "minimatch@npm:3.1.2"
"minimatch@npm:^10.2.3":
version: 10.2.4
resolution: "minimatch@npm:10.2.4"
dependencies:
brace-expansion: "npm:^1.1.7"
checksum: c154e566406683e7bcb746e000b84d74465b3a832c45d59912b9b55cd50dee66e5c4b1e5566dba26154040e51672f9aa450a9aef0c97cfc7336b78b7afb9540a
brace-expansion: ^5.0.2
checksum: 56dce6b04c6b30b500d81d7a29822c108b7d58c46696ec7332d04a2bd104a5cb69e5c7ce93e1783dc66d61400d831e6e226ca101ac23665aff32ca303619dc3d
languageName: node
linkType: hard

"minimatch@npm:3.0.5":
version: 3.0.5
resolution: "minimatch@npm:3.0.5"
"minimatch@npm:^3.1.3":
version: 3.1.5
resolution: "minimatch@npm:3.1.5"
dependencies:
brace-expansion: "npm:^1.1.7"
checksum: a3b84b426eafca947741b864502cee02860c4e7b145de11ad98775cfcf3066fef422583bc0ffce0952ddf4750c1ccf4220b1556430d4ce10139f66247d87d69e
brace-expansion: ^1.1.7
checksum: 47ef6f412c08be045a7291d11b1c40777925accf7252dc6d3caa39b1bfbb3a7ea390ba7aba464d762d783265c644143d2c8a204e6b5763145024d52ee65a1941
languageName: node
linkType: hard

"minimatch@npm:9.0.1":
version: 9.0.1
resolution: "minimatch@npm:9.0.1"
"minimatch@npm:^5.1.8":
version: 5.1.9
resolution: "minimatch@npm:5.1.9"
dependencies:
brace-expansion: "npm:^2.0.1"
checksum: 97f5f5284bb57dc65b9415dec7f17a0f6531a33572193991c60ff18450dcfad5c2dad24ffeaf60b5261dccd63aae58cc3306e2209d57e7f88c51295a532d8ec3
brace-expansion: ^2.0.1
checksum: 418438bd7701ba811f1108f28fcd3a638a6065c7b1245b85e25bcdb674410b4bebd8763c90c91bc8d22d93260c02cc129b354267a463c3399be5732d6e11e120
languageName: node
linkType: hard

"minimatch@npm:9.0.3":
version: 9.0.3
resolution: "minimatch@npm:9.0.3"
"minimatch@npm:^8.0.6":
version: 8.0.7
resolution: "minimatch@npm:8.0.7"
dependencies:
brace-expansion: "npm:^2.0.1"
checksum: 253487976bf485b612f16bf57463520a14f512662e592e95c571afdab1442a6a6864b6c88f248ce6fc4ff0b6de04ac7aa6c8bb51e868e99d1d65eb0658a708b5
brace-expansion: ^2.0.1
checksum: edaefeb16297f4f3969287913adb04c12c5683f2bd8610c6d6bfd5aa5b98bbbfd6013a2d0bb24df62e8add9c265128df1bfdbb61bb043ef4aa86b449fc2a9c76
languageName: node
linkType: hard

"minimatch@npm:^10.1.1":
version: 10.1.1
resolution: "minimatch@npm:10.1.1"
dependencies:
"@isaacs/brace-expansion": ^5.0.0
checksum: 8820c0be92994f57281f0a7a2cc4268dcc4b610f9a1ab666685716b4efe4b5898b43c835a8f22298875b31c7a278a5e3b7e253eee7c886546bb0b61fb94bca6b
languageName: node
linkType: hard

"minimatch@npm:^5.0.1, minimatch@npm:^5.1.0":
version: 5.1.6
resolution: "minimatch@npm:5.1.6"
dependencies:
brace-expansion: "npm:^2.0.1"
checksum: 7564208ef81d7065a370f788d337cd80a689e981042cb9a1d0e6580b6c6a8c9279eba80010516e258835a988363f99f54a6f711a315089b8b42694f5da9d0d77
languageName: node
linkType: hard

"minimatch@npm:^8.0.2":
version: 8.0.4
resolution: "minimatch@npm:8.0.4"
dependencies:
brace-expansion: "npm:^2.0.1"
checksum: 2e46cffb86bacbc524ad45a6426f338920c529dd13f3a732cc2cf7618988ee1aae88df4ca28983285aca9e0f45222019ac2d14ebd17c1edadd2ee12221ab801a
languageName: node
linkType: hard

"minimatch@npm:^9.0.0, minimatch@npm:^9.0.4, minimatch@npm:^9.0.5":
version: 9.0.5
resolution: "minimatch@npm:9.0.5"
"minimatch@npm:^9.0.7":
version: 9.0.9
resolution: "minimatch@npm:9.0.9"
dependencies:
brace-expansion: "npm:^2.0.1"
checksum: 2c035575eda1e50623c731ec6c14f65a85296268f749b9337005210bb2b34e2705f8ef1a358b188f69892286ab99dc42c8fb98a57bde55c8d81b3023c19cea28
brace-expansion: ^2.0.2
checksum: 5292681ba1e14544ca9214ba5e412bb346214fb783354b22752f2d1e5c176e4a2c0bfcafeb1046389b816009ab73ba5410b176ce605632e8aa695db25f87f6b9
languageName: node
linkType: hard

Expand Down Expand Up @@ -27707,13 +27689,6 @@ __metadata:
languageName: node
linkType: hard

"os-tmpdir@npm:~1.0.2":
version: 1.0.2
resolution: "os-tmpdir@npm:1.0.2"
checksum: 5666560f7b9f10182548bf7013883265be33620b1c1b4a4d405c25be2636f970c5488ff3e6c48de75b55d02bde037249fe5dbfbb4c0fb7714953d56aed062e6d
languageName: node
linkType: hard

"outvariant@npm:^1.2.1, outvariant@npm:^1.4.0":
version: 1.4.3
resolution: "outvariant@npm:1.4.3"
Expand Down Expand Up @@ -32931,29 +32906,13 @@ __metadata:
languageName: node
linkType: hard

"tmp@npm:^0.0.33":
version: 0.0.33
resolution: "tmp@npm:0.0.33"
dependencies:
os-tmpdir: "npm:~1.0.2"
checksum: 902d7aceb74453ea02abbf58c203f4a8fc1cead89b60b31e354f74ed5b3fb09ea817f94fb310f884a5d16987dd9fa5a735412a7c2dd088dd3d415aa819ae3a28
languageName: node
linkType: hard

"tmp@npm:^0.2.1":
"tmp@npm:^0.2.4":
version: 0.2.5
resolution: "tmp@npm:0.2.5"
checksum: 9d18e58060114154939930457b9e198b34f9495bcc05a343bc0a0a29aa546d2c1c2b343dae05b87b17c8fde0af93ab7d8fe8574a8f6dc2cd8fd3f2ca1ad0d8e1
languageName: node
linkType: hard

"tmp@npm:^0.2.3, tmp@npm:~0.2.1":
version: 0.2.3
resolution: "tmp@npm:0.2.3"
checksum: 73b5c96b6e52da7e104d9d44afb5d106bb1e16d9fa7d00dbeb9e6522e61b571fbdb165c756c62164be9a3bbe192b9b268c236d370a2a0955c7689cd2ae377b95
languageName: node
linkType: hard

"tmpl@npm:1.0.5":
version: 1.0.5
resolution: "tmpl@npm:1.0.5"