Skip to content

Update dependency micromatch to v4 [SECURITY] #9207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency micromatch to v4 [SECURITY] #9207

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 13, 2025

This PR contains the following updates:

Package Change Age Confidence
micromatch ^2.3.11 -> ^4.0.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-4067

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Release Notes

micromatch/micromatch (micromatch)

v4.0.8

Compare Source

v4.0.7

Compare Source

  • this is basically v4.0.5, with some README updates
  • it is vulnerable to CVE-2024-4067
  • Updated braces to v3.0.3 to avoid CVE-2024-4068
  • does NOT break API compatibility

v4.0.6

Compare Source

  • Added hasBraces to check if a pattern contains braces.
  • Fixes CVE-2024-4067
  • BREAKS API COMPATIBILITY
  • Should be labeled as a major release, but it's not.

v4.0.5

Compare Source

v4.0.4

Compare Source

v4.0.3

Compare Source

  • Enforce newer version of picomatch with bugfixes

v4.0.2

Compare Source

v4.0.1

Compare Source

v4.0.0

Compare Source

Added
  • Adds support for options.onMatch. See the readme for details
  • Adds support for options.onIgnore. See the readme for details
  • Adds support for options.onResult. See the readme for details
Breaking changes
  • Require Node.js >= 8.6
  • Removed support for passing an array of brace patterns to micromatch.braces().
  • To strictly enforce closing brackets (for {, [, and (), you must now use strictBrackets=true instead of strictErrors.
  • cache - caching and all related options and methods have been removed
  • options.unixify was renamed to options.windows
  • options.nodupes Was removed. Duplicates are always removed by default. You can override this with custom behavior by using the onMatch, onResult and onIgnore functions.
  • options.snapdragon was removed, as snapdragon is no longer used.
  • options.sourcemap was removed, as snapdragon is no longer used, which provided sourcemap support.

v3.1.10

Compare Source

v3.1.9

Compare Source

v3.1.8

Compare Source

v3.1.7

Compare Source

v3.1.6

Compare Source

v3.1.5

Compare Source

v3.1.4

Compare Source

v3.1.3

Compare Source

v3.1.2

Compare Source

v3.1.1

Compare Source

v3.1.0

Compare Source

v3.0.5

Compare Source

v3.0.4

Compare Source

v3.0.3

Compare Source

v3.0.2

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

Complete overhaul, with 36,000+ new unit tests validated against actual output generated by Bash and minimatch. More specifically, 35,000+ of the tests:

  • micromatch results are directly compared to bash results
  • in rare cases, when micromatch and bash disagree, micromatch's results are compared to minimatch's results
  • micromatch is much more accurate than minimatch, so there were cases where I had to make assumptions. I'll try to document these.

This refactor introduces a parser and compiler that are supersets of more granular parsers and compilers from other sub-modules. Each of these sub-modules has a singular responsibility and focuses on a certain type of matching that aligns with a specific part of the Bash "expansion" API.

These sub-modules work like plugins to seamlessly create the micromatch parser/compiler, so that strings are parsed in one pass, an AST is created, then a new string is generated by the compiler.

Here are those sub-modules with links to related prs on those modules if you want to see how they contribute to this code:

nanomatch (new library) - glob expansion (*, **, ? and [...]))
braces - brace expansion ({1..10}, {a,b,c}, etc)
extglob - extended globs (!(a|b), @(!(foo|bar)), etc)
expand-brackets - POSIX character classes [[:alpha:][:digit:]]

Added

  • source map support (optionally created when using parse or compile - I have no idea what the use case is yet, but they come for free) (note that source maps are not generated for brace expansion at present, since the braces compiler uses a different strategy. I'll update if/when this changes).
  • parser is exposed, so that implementors can customize or override specific micromatch parsers if necessary
  • compiler is exposed, so that implementors can customize or override specific micromatch compilers if necessary

Fixed

  • more accurate matching (passes 100% of Bash 4.3 of the brace expansion and extglob unit tests, as well as all Bash glob tests that are relevant to node.js usage, all minimatch tests, all brace-expansion tests, and also passes a couple of tests that bash fails)
  • even safer - micromatch has always generated optimized patterns so it's not subject to DoS exploits like minimatch (completely different than the regex DoS issue, minimatch and multimatch are still openly exposed to being used for DoS attacks), but more safeguards were built into this refactor

Changed

  • the public API of this library did not change in this version and should be safe to upgrade without changing implentor code. However, we have released this as a major version for the following reasons:
    • out of an abundance of caution due to the large amount of code changed in this release
    • we have improved parser accuracy to such a degree that some implementors using invalid globs have noted change in behavior. If this is the case for you, please check that you are using a valid glob expression before logging a bug with this library

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants