Summary
The "Audit Main Package" job in the Dependency Vulnerability Audit workflow failed on commit c15f7ec9590641921f34229d4afbe4db534b537a.
This is a recurrence of the same issue previously tracked in #1074 (closed as "not_planned").
Failed Step
Step 8: Run npm audit (fail on high/critical)
npm audit --audit-level=high
Vulnerabilities Found
🔴 High Severity — minimatch (10.0.0 - 10.2.2)
Two ReDoS vulnerabilities:
- GHSA-7r86-cg39-jmmj: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
- GHSA-23c5-xmqv-rm74: Nested *() extglobs generate catastrophically backtracking regular expressions
Fix available via npm audit fix.
🟡 Moderate Severity — ajv (<6.14.0 || >=7.0.0-alpha.0 <8.18.0)
- GHSA-2g4f-4pwh-qvx6: ReDoS when using the $data option
- Found in: node_modules/@commitlint/config-validator/node_modules/ajv, node_modules/ajv
Note: ajv is moderate severity and does not cause the audit to fail (threshold is high/critical), but is worth tracking.
Root Cause
The minimatch version resolved in the main package's dependency tree falls within 10.0.0–10.2.2, a range carrying two high-severity ReDoS advisories. Because the audit runs with --audit-level=high, npm audit exits with code 1 and the job fails.
The recent commit c15f7ec fixed the rollup vulnerability in docs-site, but the main package minimatch issue remains unresolved.
Recommended Actions
- Run npm audit fix in the root package to update minimatch to a patched version
- Verify the fix doesn't introduce breaking changes (npm audit fix only applies semver-compatible updates; if the patched minimatch is outside the range its dependents allow, it leaves the finding in place and only npm audit fix --force would apply a breaking bump, which needs review)
- Commit the updated package-lock.json
cd /path/to/gh-aw-firewall
npm audit fix
npm ls minimatch                  # confirm the resolved version is outside 10.0.0 - 10.2.2
npm audit --audit-level=high      # re-run the same gate as the CI step; must exit 0
npm test                          # verify nothing broken
git add package-lock.json
git commit -m "fix(deps): resolve high-severity minimatch ReDoS vulnerability"
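To reason about the gate offline, the following is an added example (not code from the CI Doctor report or from gh-aw-firewall) that re-implements the severity threshold `npm audit --audit-level=<level>` applies over the JSON report that `npm audit --json` emits. The report shape follows npm's auditReportVersion 2 output; the embedded sample is constructed from the findings above (names, severities, ranges, GHSA ids and the ajv paths), and the minimatch install path is assumed. It shows why the moderate ajv advisory does not fail the step while the high minimatch one does.

```javascript
// Added example: re-implements the pass/fail gate that `npm audit --audit-level=<level>`
// applies, over the JSON report `npm audit --json` produces (auditReportVersion 2).
// Not code from the CI Doctor report or from gh-aw-firewall.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// The advisory id (e.g. GHSA-xxxx-xxxx-xxxx) is the last path segment of the advisory URL.
function advisoryId(url) {
  return String(url).split("/").filter(Boolean).pop();
}

// Return the vulnerabilities whose severity is at or above `level`: exactly the set that
// makes `npm audit --audit-level=<level>` exit non-zero. Lower-severity findings (such as
// the moderate ajv advisory in this report) are deliberately excluded.
function findBlockingVulnerabilities(report, level) {
  const threshold = SEVERITY_RANK[level];
  if (threshold === undefined) throw new Error(`unknown audit level: ${level}`);
  const blocking = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[vuln.severity];
    if (rank === undefined || rank < threshold) continue;
    // `via` mixes advisory objects with plain strings naming the dependency through
    // which the vulnerability is inherited; only the objects carry advisory details.
    const advisories = (vuln.via || []).filter((v) => typeof v === "object" && v !== null);
    blocking.push({
      name,
      severity: vuln.severity,
      range: vuln.range,
      // fixAvailable is true, false, or an object describing a semver-major fix that
      // only `npm audit fix --force` would apply.
      fixAvailable: vuln.fixAvailable,
      advisories: advisories.map((a) => ({ id: advisoryId(a.url), title: a.title })),
      nodes: vuln.nodes || [],
    });
  }
  return blocking;
}

// Exit status the audit step would report: 1 when anything blocks, otherwise 0.
function auditExitCode(report, level) {
  return findBlockingVulnerabilities(report, level).length > 0 ? 1 : 0;
}

// Constructed sample in the shape of `npm audit --json`, built from the findings in this
// report (names, severities, ranges, GHSA ids, ajv paths). The minimatch install path is
// assumed; nothing here is captured output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimatch: {
      name: "minimatch",
      severity: "high",
      isDirect: false,
      via: [
        { name: "minimatch", severity: "high", range: "10.0.0 - 10.2.2",
          title: "matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments",
          url: "https://github.com/advisories/GHSA-7r86-cg39-jmmj" },
        { name: "minimatch", severity: "high", range: "10.0.0 - 10.2.2",
          title: "Nested *() extglobs generate catastrophically backtracking regular expressions",
          url: "https://github.com/advisories/GHSA-23c5-xmqv-rm74" },
      ],
      effects: [],
      range: "10.0.0 - 10.2.2",
      nodes: ["node_modules/minimatch"], // assumed path, not taken from the report
      fixAvailable: true,
    },
    ajv: {
      name: "ajv",
      severity: "moderate",
      isDirect: false,
      via: [
        { name: "ajv", severity: "moderate", range: "<6.14.0 || >=7.0.0-alpha.0 <8.18.0",
          title: "ReDoS when using $data option",
          url: "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6" },
      ],
      effects: [],
      range: "<6.14.0 || >=7.0.0-alpha.0 <8.18.0",
      nodes: ["node_modules/@commitlint/config-validator/node_modules/ajv", "node_modules/ajv"],
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 } },
};

// Usage: `npm audit --json > audit.json && node audit-gate.js audit.json`;
// with no argument the constructed sample is analysed.
if (typeof require !== "undefined" && require.main === module) {
  const level = "high";
  const report = process.argv[2]
    ? JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_REPORT;
  for (const v of findBlockingVulnerabilities(report, level)) {
    console.log(`${v.severity.toUpperCase()} ${v.name} (${v.range}) in ${v.nodes.join(", ")}`);
    for (const a of v.advisories) console.log(`  ${a.id}: ${a.title}`);
  }
  console.log(`npm audit --audit-level=${level} would exit ${auditExitCode(report, level)}`);
}
```

Pointing the script at a real `npm audit --json` dump from the root package gives the same blocking set the CI step acts on, which makes it easy to confirm locally that minimatch has left the affected range before pushing the lockfile.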
🏥 Automatically investigated by CI Doctor
Generated by CI Doctor