Description
packages/opencode currently pins minimatch@10.0.3, which is in the affected range for these public ReDoS advisories:

- GHSA-3ppc-4f35-3m26
- GHSA-23c5-xmqv-rm74

This is a direct dependency in packages/opencode/package.json. The practical concern is slow glob matching from crafted patterns. I am not claiming active exploitation in opencode.

A small fix is available: bump packages/opencode to minimatch@10.2.5, which also matches the version already used by packages/core.

I opened PR #34140 with that focused dependency update.
Plugins
None
OpenCode version
Current dev branch dependency metadata
Steps to reproduce
1. Check packages/opencode/package.json for minimatch.
2. Compare 10.0.3 against the affected ranges in GHSA-3ppc-4f35-3m26 and GHSA-23c5-xmqv-rm74.
3. Bump to 10.2.5.
Screenshot and/or share link
Not applicable.
Operating System
Not OS-specific.
Terminal
Not terminal-specific.
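The check the issue describes, as an added example that is not part of the issue or of the OpenCode code base: a small script that reads a package.json and reports whether its minimatch pin sits below the fixed version. It assumes 10.2.5 is the first version outside both advisories' affected ranges (the version the issue names as the fix), treats only exact pins as decidable from package.json alone, and uses a constructed package.json mirroring the 10.0.3 pin; the function names (auditMinimatch, parseVersionFloor, compareVersions) are this example's own.

```javascript
// Added example (not OpenCode or minimatch code): audit a package.json for a
// minimatch pin below the fixed version. The package.json sample is constructed.

// Assumption: 10.2.5 is the first version outside both advisories' affected
// ranges, as the issue states; adjust if the advisories say otherwise.
const FIXED_MINIMATCH = [10, 2, 5];

const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// Constructed sample mirroring the pin described in the issue.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "opencode",
  dependencies: { minimatch: "10.0.3" },
});

// Parse the lowest version a spec can resolve to. Handles exact pins and the
// simple ^/~/>= floors; returns null for anything else ("*", "latest",
// "workspace:*", "npm:...") so the caller flags it instead of guessing.
function parseVersionFloor(spec) {
  const m = /^(\^|~|>=|=)?\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?$/.exec(spec.trim());
  if (!m) return null;
  return {
    floor: [Number(m[2]), Number(m[3]), Number(m[4])],
    exact: m[1] === undefined || m[1] === "=",
  };
}

// Lexicographic compare of [major, minor, patch]; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// One finding per dependency section that lists minimatch.
//   "vulnerable"           exact pin below the fix
//   "ok"                   pin or range floor at/above the fix
//   "range-check-lockfile" range whose floor is below the fix; the lockfile
//                          decides what is actually installed
//   "unparsed"             spec too loose to judge from package.json alone
function auditMinimatch(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of DEP_SECTIONS) {
    const spec = pkg[section] && pkg[section].minimatch;
    if (typeof spec !== "string") continue;
    const parsed = parseVersionFloor(spec);
    let status;
    if (parsed === null) {
      status = "unparsed";
    } else if (compareVersions(parsed.floor, FIXED_MINIMATCH) >= 0) {
      status = "ok";
    } else {
      status = parsed.exact ? "vulnerable" : "range-check-lockfile";
    }
    findings.push({ section, spec, status });
  }
  return findings;
}

console.log(JSON.stringify(auditMinimatch(SAMPLE_PACKAGE_JSON), null, 2));
```

For the sample above the single finding is `{"section":"dependencies","spec":"10.0.3","status":"vulnerable"}`. A caret or tilde range is deliberately not reported as vulnerable: `^10.0.3` can resolve to 10.2.5, so for ranges the installed version in the lockfile (bun.lock, package-lock.json, or similar) is what to check, and a version-independent mitigation is still worth having where glob patterns come from untrusted input.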