Update minimatch@3.0.4 to minimatch@3.0.5

[akerpelm]

High severity vulnerability in minimatch@3.0.4, update to 3.0.5 per #83

Vulnerability description:
minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It's possible to cause a denial of service when calling function braceExpand (The regex /\{.*\}/ is vulnerable and can be exploited).

FWIW: Added minimatch@3.0.5 as resolution to package.json file, recursive-readdir continues to work with this update.

[akerpelm]

@jergason sorry to reach out directly, but this vulnerability has been sitting unresolved for some time. Would you mind taking a look? Thanks

[ivantrave]

Thanks for the fix @akerpelm !
It would be nice to have this PR merged soon to solve the high severity vulnerability.
It also would be nice if you please can take a look @jergason . Many thanks!

[bengm]

to avoid future issues, would it make sense to use "^3.0.5" instead?

[bengm]

Thank you for opening this... I was chasing down the same issue.

[bhaginath-tvpt]

@jergason , could you please apply this patch, it's lingering for a long time.

In our react project, react-dev-utils has a transitive dependency on recursive-readdir which uses minimatch 3.0.4 vulnerable version. Maintainer, could you please upgrade minimatch to the latest version?
It's a critical vulnerability in our application.

[sbley]

@jergason Is there anything we can assist you to get this security fix integrated?

[jspraul]

👋 Hello from another automated dependency scan re: CVE-2022-3517!

While we wait, maybe npm overrides can help:

  "overrides": {
    "recursive-readdir@2.2.2": {
      "minimatch@3.0.4": "3.0.5"
    }
  },

If you don't mind minor updates to other dependencies, delete the package-lock.json and npm install to apply the override.

An alternative is to run npm install with a copy of package.json in an otherwise empty folder, then merge just the override back into the original package-lock.json and run npm install on it:

     "node_modules/recursive-readdir/node_modules/minimatch": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+      "version": "3.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.5.tgz",
+      "integrity": "sha512-tUpxzX0VAzJHjLu0xUfFv1gwVp9ba3IOuRAVH2EGuRW8a5emA2FlACLqiT/lDVtS1W+TGNwqz3sWaNyLgDJWuw==",
       "dependencies": {
         "brace-expansion": "^1.1.7"
       },

Good luck!

[karlhorky]

cc @bnb - saw that you are a collaborator on npm.

[imki123]

@akerpelm @jergason Please merge... minimatch@^3.0.5

[AhmedHulo]

If no owner responds we should consider forking this repository and updating the dependency.

[akerpelm]

@imki123 trust me I would have merged this months ago if I had write access...

[rpoconn]

+1 this needs to be merged.

[bnb]

just tested this locally, tests pass - I can merge this and publish.

[karlhorky]

Thanks @bnb for the merge and publish of recursive-readdir@2.2.3 🙌

[imki123]

Thank you !! 👍