The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| "glob": "^8.0.3", | ||
| "minimatch": "^5.1.0", | ||
| "glob": "^12.0.0", | ||
| "minimatch": "^10.2.1", |
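Review bot: the dependency bump in packages/utils/package.json arrives without a matching lockfile change (the PR body lists only packages/utils/package.json as changed, and the zero-installs note says the cache is not updated), so the lockfile should be regenerated in this PR before merge, otherwise the resolved versions still pin the pre-upgrade glob and minimatch and the advisory is not actually remediated in installs.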
Major version bump breaks minimatch default import
High Severity
Upgrading minimatch from ^5.1.0 to ^10.2.1 is a breaking change. The code in packages/utils/src/config.ts uses import minimatch from "minimatch" (a default import), but minimatch v9+ removed the default export and only provides named exports. At runtime, minimatch will be undefined or a module object rather than a callable function, causing the exclude function to crash when it calls minimatch(relativePath, pattern). The import needs to change to import { minimatch } from "minimatch".
| "commander": "^9.3.0", | ||
| "glob": "^8.0.3", | ||
| "minimatch": "^5.1.0", | ||
| "glob": "^12.0.0", |
Major version bump breaks glob.sync API call
High Severity
Upgrading glob from ^8.0.3 to ^12.0.0 is a breaking change. The code in packages/utils/src/config.ts calls glob.sync(pattern, { cwd: baseDir }), but in glob v10+ the .sync property on the glob function was removed. This will throw TypeError: glob.sync is not a function at runtime. The code needs to switch to importing and calling globSync directly from glob.
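As an added example that is not part of the PR or the project's code: the two findings above both come down to a changed export shape. The block below models those shapes with constructed stand-ins (fakeMatch, fakeSync and the *Shape objects are assumptions, not the published packages) and shows a load-time check plus the exclude and entry-discovery logic written against the named exports the review recommends.

```javascript
// Added example, not code from the PR or the project. Constructed module
// shapes model the export change behind the two findings above: minimatch
// v9+ dropped its default export, and glob v10+ dropped glob.sync.

// Stand-in matcher (constructed): "*" matches anything, "dir/**" matches a
// prefix, anything else must match exactly. Not the real minimatch algorithm.
function fakeMatch(relativePath, pattern) {
  if (pattern === "*") return true;
  if (pattern.endsWith("/**")) return relativePath.startsWith(pattern.slice(0, -2));
  return relativePath === pattern;
}
// Stand-in sync glob (constructed): ignores its arguments, returns fixed paths.
const fakeSync = () => ["src/index.ts", "src/config.ts"];

// Shapes as seen through a namespace import: pre-upgrade (default export
// present) versus post-upgrade (named exports only, no `default`).
const minimatchV5Shape = { default: fakeMatch };
const minimatchV10Shape = { minimatch: fakeMatch };
const globV8Shape = { default: Object.assign(async () => [], { sync: fakeSync }) };
const globV12Shape = { globSync: fakeSync, glob: async () => fakeSync() };

// Prefer the named export and fall back to the legacy default export, so a
// missing function fails loudly at load time with the migration hint instead
// of as "minimatch is not a function" deep inside exclude().
function resolveMatchers(minimatchMod, globMod) {
  const match = minimatchMod.minimatch ?? minimatchMod.default;
  const globSync = globMod.globSync ?? globMod.default?.sync;
  if (typeof match !== "function") {
    throw new TypeError('minimatch has no callable export; use import { minimatch } from "minimatch"');
  }
  if (typeof globSync !== "function") {
    throw new TypeError('glob.sync is gone in glob v10+; use import { globSync } from "glob"');
  }
  return { match, globSync };
}

// The exclude check the review describes, written against the named export.
function exclude(relativePath, patterns, match) {
  return patterns.some((pattern) => match(relativePath, pattern));
}

// Entry-point discovery that drops excluded files, using globSync directly.
function discoverEntries(globPattern, baseDir, excludePatterns, { match, globSync }) {
  return globSync(globPattern, { cwd: baseDir }).filter((p) => !exclude(p, excludePatterns, match));
}
```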


Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/utils/package.json
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project. You will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-installs you can ignore this, as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-MINIMATCH-15309438
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
Note
Medium Risk
Dependency-only change, but major-version bumps to glob/minimatch could introduce breaking behavior in config file globbing/exclusion matching used by packages/utils/src/config.ts.
Overview
Upgrades packages/utils dependencies to glob@^12 and minimatch@^10 (from glob@^8 / minimatch@^5) to remediate the Snyk-reported ReDoS vulnerability. No code changes accompany the bumps, but these are major-version upgrades that may affect how entry-point discovery and exclude patterns are resolved at runtime.
Written by Cursor Bugbot for commit 4d18ccf. This will update automatically on new commits.