Update minimatch in deps #42075

Closed
gjasny opened this issue Feb 22, 2022 · 7 comments
Labels
wrong repo Issues that should be opened in another repository.

Comments

@gjasny

gjasny commented Feb 22, 2022

Version

HEAD

Platform

any

Subsystem

No response

What steps will reproduce the bug?

Right now the minimatch dependency that is vendored into the deps directory is at version 3.0.4:

grep '"version"' deps/npm/node_modules/minimatch/package.json
  "version": "3.0.4",

Unfortunately that version is reported as vulnerable to a ReDoS attack:

     Description : minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It's possible to cause a
       denial of service when calling function braceExpand (The regex /\{.*\}/ is vulnerable and can be exploited).

The last npm update PR in #42039 did not (automatically) raise the minimatch dependency.

Could you please update minimatch in v17 and v16 and release new versions?

How often does it reproduce? Is there a required condition?

always

What is the expected behavior?

Minimatch is updated to at least version 3.0.5.

What do you see instead?

Minimatch is at 3.0.4.

Additional information

No response
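The advisory quoted in the comment above names the regex /\{.*\}/ from braceExpand. The following is an added illustration, not minimatch's code and not the fix that shipped in 3.0.5: it shows why that regex is quadratic on a constructed worst-case input (a long run of `{` with no closing `}`, where for every `{` start the engine's `.*` runs to the end of the string and then backtracks one character at a time looking for `}`), and a linear-time scan that answers the same question. The function names and the timing helper are this example's own.

```javascript
// Added illustration of the ReDoS pattern named in the advisory above.
// This is NOT minimatch's code and NOT its 3.0.5 fix; it only shows why
// /\{.*\}/ is quadratic and what a linear-time equivalent check looks like.

// The check as quoted on the page: does the pattern contain "{ ... }"?
const VULNERABLE_BRACE_RE = /\{.*\}/;

function hasBracePairRegex(pattern) {
  return VULNERABLE_BRACE_RE.test(pattern);
}

// Linear-time equivalent. In JavaScript `.` does not match line terminators,
// so a `{` only "counts" until the next \n, \r, \u2028 or \u2029.
function hasBracePairLinear(pattern) {
  let openSeen = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\n' || c === '\r' || c === '\u2028' || c === '\u2029') {
      openSeen = false;
    } else if (c === '{') {
      openSeen = true;
    } else if (c === '}' && openSeen) {
      return true;
    }
  }
  return false;
}

// Worst-case input (constructed): n opening braces and never a closing one.
// For each of the n `{` starts the regex's `.*` runs to the end of the string
// and then backtracks one character at a time looking for `}`, so the engine
// does on the order of n*n steps before reporting "no match".
function worstCaseInput(n) {
  return '{'.repeat(n);
}

// Time one check on one input; returns elapsed milliseconds.
function timeCheck(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n roughly quadruples the regex time; the linear scan stays flat.
  for (const n of [2000, 4000, 8000]) {
    const input = worstCaseInput(n);
    console.log(
      `n=${n}: regex ${timeCheck(hasBracePairRegex, input).toFixed(1)} ms, ` +
      `linear ${timeCheck(hasBracePairLinear, input).toFixed(1)} ms`
    );
  }
}
```

Run it with `node` and raise the sizes to see the quadratic growth; a pattern of a few hundred thousand braces is enough to stall the regex for seconds while the scan returns immediately. The two functions agree on every input, including ones with line terminators between the braces.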

@mscdex
Contributor

mscdex commented Feb 22, 2022

This should be posted to the npm issue tracker instead.

@mscdex mscdex closed this as completed Feb 22, 2022
@mscdex mscdex added the wrong repo Issues that should be opened in another repository. label Feb 22, 2022
@gjasny
Author

gjasny commented Feb 22, 2022

@mscdex npm itself has a relaxed dependency on minimatch:

root@ab36c616b81d:/nodejs/lib# grep -r minimatch .|grep package.json
./node_modules/npm/node_modules/glob/package.json:    "minimatch": "^3.0.4",
./node_modules/npm/node_modules/libnpmdiff/package.json:    "minimatch": "^3.0.4",
./node_modules/npm/node_modules/ignore-walk/package.json:    "minimatch": "^3.0.4"
./node_modules/npm/node_modules/@npmcli/map-workspaces/package.json:    "minimatch": "^3.0.4",

Therefore I thought the problem is with the vendoring of the npm dependency into the nodejs repo. Somehow it did not update minimatch to the latest allowed version.

Do you happen to know where the script that populates deps is stored? Is the process documented somewhere?

@gjasny gjasny changed the title Update minimatch in dist Update minimatch in deps Feb 22, 2022
@Trott
Member

Trott commented Feb 22, 2022

Do you happen to know where the script that populates deps is stored? Is the process documented somewhere?

The process is described in https://github.com/nodejs/node/blob/45b5ca810a16074e639157825c1aa2e90d60e9f6/doc/contributing/maintaining-npm.md but I'm not sure how up to date it is because we don't do it manually anymore. There is a bot that does it and it is all handled by the @nodejs/npm team.

@mscdex
Contributor

mscdex commented Feb 22, 2022

@gjasny npm itself checks in a lot of its own dependencies, including minimatch, which is currently at version 3.0.4 in the npm repo.

@wraithgar

wraithgar commented Feb 22, 2022

we can't update minimatch till we patch a fix for the thing that was a breaking change, namely the handling of backslashes for globs. You can see an example in one of the cli deps that have already been updated here.

@mateBe95

@wraithgar is this fixed version of minimatch available in Node.js 16.14.1?

@wraithgar

This is fixed in npm@8.5.3. It landed in this repo 8 days ago.
