build(deps): Bump @sentry/node and force minimatch to fix GHSA-3ppc-4f35-3m26#207
…f35-3m26

Two instances of vulnerable minimatch (9.0.0–9.0.5) were present:

1. @sentry/[email protected] pulled in minimatch@^9.0.0 (resolved to 9.0.5) as a production dependency. @sentry/[email protected] drops minimatch entirely, so bumping to that version removes the production-side exposure. @sentry/profiling-node is bumped in lockstep to match.

2. @typescript-eslint/[email protected] (via eslint-config-sentry-app) hard-pins [email protected] (exact, not a range). Yarn v1 selective resolutions cannot override exact-version pins in transitive deps, so a broad resolution "minimatch": "9.0.6" is used instead — the same approach taken for json5.

minimatch 9.x exposes the same CJS API as 3.x, so all consumers (eslint, jest, glob, @fastify/otel) remain compatible. All tests pass.

Co-Authored-By: Claude <[email protected]>
9.0.6 itself has two additional ReDoS vulnerabilities (GHSA-23c5-xmqv-rm74, GHSA-7r86-cg39-jmmj) caught by the dependency-review CI check. 9.0.9 is the latest 9.x release and has no known advisories.

Co-Authored-By: Claude <[email protected]>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| integrity sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg== | ||
| dependencies: | ||
| brace-expansion "^2.0.1" | ||
| brace-expansion "^2.0.2" |
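Review bot: only the brace-expansion sub-dependency bump (^2.0.1 to ^2.0.2) and the integrity hash are in view here; the resolved `version` line of the lockfile entry this hunk belongs to is outside the excerpt, so confirm it reads 9.0.9 as the follow-up commit states, and update the PR description, which still says a "minimatch": "9.0.6" resolution is used, so the two agree.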
Broad resolution forces minimatch major version downgrade for @fastify/otel
Medium Severity
The broad "minimatch": "9.0.9" resolution in package.json forces @fastify/[email protected]'s minimatch@^10.0.3 dependency to resolve to 9.0.9, a major version downgrade outside the requested semver range. @fastify/otel is a new production dependency introduced by @sentry/[email protected]. While the core matching API is the same across versions, minimatch 10.x has module format differences (ESM-related brace-expansion changes), and future @fastify/otel updates could rely on 10.x-specific behavior. A scoped resolution (e.g., targeting only the known-vulnerable paths) would be safer than the broad override.
The issue is real in theory but not exploitable here. Here's the evidence:
- @fastify/otel uses require('minimatch').minimatch (named export) — this works correctly in 9.0.9: mm.minimatch: function ✓
- URL patterns work identically between 9.0.9 and 10.x — /api/*, /{a,b}, /api/** all match correctly with 9.0.9.
- @fastify/otel is never instantiated in chartcuterie — the app uses Express, not Fastify. src/instrument.ts only initialises @sentry/node + profiling. @fastify/otel is dead code in this dep tree; its ignorePaths glob path is never reached at runtime.
- The only real difference between 9.x and 10.x is brace-expansion (^2.0.2 → ^4.0.0) and Node.js engine floor. Neither affects URL glob semantics for the patterns @fastify/otel uses.


Fix minimatch vulnerability (GHSA-3ppc-4f35-3m26, affects 9.0.0–9.0.5, fixed in 9.0.6) using the same "bump dependants" approach taken for the qs prototype pollution fix.
Two instances of vulnerable minimatch were present:
Production dep — bump the dependant:

@sentry/[email protected] required minimatch@^9.0.0, which resolved to the vulnerable 9.0.5. @sentry/[email protected] drops minimatch entirely, removing the production-side exposure. @sentry/profiling-node is bumped in lockstep.

Dev dep — forced resolution:

@typescript-eslint/[email protected] (via eslint-config-sentry-app) hard-pins [email protected] (exact, not a range). The "bump dependants" path here would require upgrading eslint-config-sentry-app from 1.x to 2.x (a major version change involving @typescript-eslint 8.x). Instead, a broad "minimatch": "9.0.6" resolution is used — the same pattern as the existing json5 fix. Yarn v1 selective resolutions ("pkg/minimatch": "9.0.6") cannot override exact-version pins in transitive deps, so the broad approach is necessary.

minimatch 9.x exposes the same CJS API as 3.x, so all consumers (eslint, jest, glob, @fastify/otel) remain compatible. All tests pass.
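As an added example, not code from this PR or from the chartcuterie project: a small Node script that parses a yarn v1 lockfile and reports the two conditions discussed in the description and in Bugbot's comment, a minimatch entry resolved into the GHSA-3ppc-4f35-3m26 range, and a broad resolution forcing a version outside what a dependant requested (the @fastify/otel minimatch@^10.0.3 case, and the exact pin the resolution overrides). The sample lockfile, the function names and the `satisfies` helper (exact pins and caret ranges only) are assumptions.

```javascript
// Added example (not from the PR): audit the minimatch entries of a yarn v1 lockfile for
// (a) versions in the GHSA-3ppc-4f35-3m26 range 9.0.0-9.0.5 and (b) out-of-range overrides.
const parseVersion = (v) => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Minimal semver check for the two specifier shapes seen in this PR: exact pins and caret ranges.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) return cmp(v, parseVersion(range)) === 0;
  const lo = parseVersion(range.slice(1));
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : [0, lo[1] + 1, 0];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Parse lockfile text into [{ requests: ['minimatch@^9.0.0', ...], version: '9.0.5' }, ...].
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split('\n')) {
    if (/^[^\s#].*:$/.test(line)) { // entry header: comma-separated "name@range" keys, maybe quoted
      cur = { requests: line.slice(0, -1).split(', ').map((s) => s.replace(/^"|"$/g, '')), version: null };
      entries.push(cur);
    } else if (cur && /^\s+version "/.test(line)) {
      cur.version = line.trim().slice(9, -1); // strip the leading 'version "' and trailing quote
    }
  }
  return entries;
}

function auditMinimatch(lockText) {
  const findings = [];
  for (const e of parseYarnLock(lockText)) {
    for (const req of e.requests) {
      const at = req.lastIndexOf('@'); // scoped names start with '@', so split on the last one
      const name = req.slice(0, at), range = req.slice(at + 1);
      if (name !== 'minimatch') continue;
      const v = parseVersion(e.version);
      if (cmp(v, [9, 0, 0]) >= 0 && cmp(v, [9, 0, 5]) <= 0)
        findings.push(`${req} -> ${e.version}: vulnerable (GHSA-3ppc-4f35-3m26)`);
      if (!satisfies(e.version, range))
        findings.push(`${req} -> ${e.version}: outside requested range ${range}`);
    }
  }
  return findings;
}

// Constructed sample lockfile (not the repository's real yarn.lock): one vulnerable entry, and one
// post-resolution entry where ^10.0.3 and an exact 9.0.3 pin were both forced to 9.0.9.
const SAMPLE_LOCK = ['minimatch@^9.0.0:', '  version "9.0.5"', '',
  'minimatch@^10.0.3, minimatch@9.0.3:', '  version "9.0.9"', ''].join('\n');
console.log(auditMinimatch(SAMPLE_LOCK).join('\n'));
```

Run against a real yarn.lock with `auditMinimatch(require('fs').readFileSync('yarn.lock', 'utf8'))`; an "outside requested range" line is the signal that a `resolutions` override has crossed a semver boundary and deserves the scoped-resolution review Bugbot asked for.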