Hi team,
I am opening this issue to report that the current version of minimatch used in this project is vulnerable to a Regular Expression Denial of Service (ReDoS) attack.
Context:
Our organization uses this extension in a production Web IDE environment. Our security policies require us to patch or file exceptions for all High/Critical CVEs. While I understand the extension is well-maintained, we are currently blocked by this specific dependency.
Reference to Previous PR:
I previously opened a PR #477 to address this via npm update, but it was closed. I would be happy to re-open a more targeted PR or help test a fix if you have a specific contribution guideline I should follow!
Also, apologies from my end; I should have opened the issue or discussed this first before raising the PR.
Question:
Is there a planned release on the roadmap that will address these security dependencies? If not, would you be open to a PR that specifically targets the minimatch upgrade?