🔒 Security Audit: Vulnerabilities Detected - 2026-02-23T13:07:28.884Z #60

Closed
opened 2026-02-23 16:07:29 +03:00 by github-actions[bot] · 2 comments
github-actions[bot] commented 2026-02-23 16:07:29 +03:00 (Migrated from github.com)

🔒 Security Audit Report

Date: 2026-02-23T13:07:28.884Z

Audit Output

bun install v1.3.9 (cf6cdbbb)
Resolving dependencies
Resolved, downloaded and extracted [252]
Attempting to install security scanner from npm...
Security scanner installed successfully.
[2026-02-23T13:07:28.264Z] OSV-INFO: Starting OSV scan for 134 packages
[2026-02-23T13:07:28.265Z] OSV-INFO: Scanning 134 unique packages (134 total)
[2026-02-23T13:07:28.710Z] OSV-INFO: Batch query found 2 vulnerabilities across 134 packages
[2026-02-23T13:07:28.710Z] OSV-INFO: Fetching details for 1 vulnerabilities
[2026-02-23T13:07:28.778Z] OSV-INFO: Retrieved 1/1 vulnerability details
[2026-02-23T13:07:28.778Z] OSV-INFO: Processing 1 vulnerabilities against 134 packages
[2026-02-23T13:07:28.779Z] OSV-INFO: Generated 1 security advisories
[2026-02-23T13:07:28.779Z] OSV-INFO: OSV scan completed: 1 advisories found for 134 packages

  FATAL: minimatch
    via @nixthedev/regexybot › eslint › minimatch
    minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
    https://nvd.nist.gov/vuln/detail/CVE-2026-26996

1 advisory (1 fatal)
Installation aborted due to fatal security advisories

  • Review the vulnerabilities above
  • Update affected packages using bun update
  • Run bun pm audit fix if available

This issue will be updated if new vulnerabilities are found. Close it after resolving all security issues.

NiXTheDev commented 2026-02-25 19:22:25 +03:00 (Migrated from github.com)

The vulnerability is in minimatch@^9.0.0, which eslint 9.x uses. We need to update eslint to the latest version to get minimatch@^9.0.1, which fixes CVE-2026-26996.

Current: eslint@9.39.2 with minimatch@^9.0.0
Fixed: minimatch@^9.0.1 (contains patch for CVE-2026-26996)

NiXTheDev commented 2026-02-25 19:28:07 +03:00 (Migrated from github.com)

Fixed in latest dev branch. The vulnerability in minimatch@^9.0.0 has been resolved by updating to minimatch@^10.2.3. Changes: eslint updated to 9.39.3 (includes minimatch@^9.0.1+), minimatch explicitly pinned to ^10.2.3 in package.json. Security audit now passes. Commit: 60cd83f
