minimatch Patches 3 High-Severity ReDoS Vulnerabilities
Blog post from Socket
In February, GitHub issued three High severity security advisories for the npm package minimatch, covering vulnerabilities that can lead to Regular Expression Denial of Service (ReDoS) and event loop starvation in Node.js environments. The vulnerabilities, tracked as CVE-2026-27904, CVE-2026-27903, and CVE-2026-26996, affect several kinds of glob pattern evaluation and potentially impact a wide array of JavaScript projects that rely on minimatch as a foundational dependency. They can be triggered through nested extglobs, GLOBSTAR patterns, and repeated wildcards, each of which causes significant execution delays. In response, Socket has collaborated with minimatch maintainer Isaac Schlueter to release free certified patches, so users can mitigate these vulnerabilities without a full dependency upgrade. The patches target the specific vulnerabilities while preserving the package's overall functionality, which matters for projects that may be unknowingly exposed through transitive dependencies.
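Patching is the real fix; a complementary defensive control is to refuse untrusted glob patterns whose shape matches the three classes named above before they reach minimatch at all. The following is an added example, not code from Socket or the minimatch project; the limits in `DEFAULT_LIMITS` are assumptions to be tuned per application, and the checker is deliberately conservative (it may reject some legitimate patterns).

```javascript
// Added example (not from the Socket post or minimatch): a conservative
// pre-filter for glob patterns taken from untrusted input. It measures the
// three shapes the advisories name (nested extglobs, globstar segments,
// repeated wildcards) and rejects patterns that exceed assumed limits.
const DEFAULT_LIMITS = {
  maxLength: 256,      // overall pattern length (assumed limit)
  maxExtglobDepth: 1,  // @(...) nested inside another extglob -> depth 2
  maxGlobstars: 2,     // number of path segments that are exactly "**"
  maxStarRun: 2,       // "**" is allowed, "***" and longer are not
  maxWildcards: 8,     // total "*" and "?" characters outside extglob openers
};

// Walk the pattern once and collect structural measurements.
function analyzeGlobPattern(pattern) {
  let depth = 0, maxExtglobDepth = 0, starRun = 0, maxStarRun = 0, wildcards = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    // Extglob opener: one of ? * + @ ! immediately followed by "(".
    if ('?*+@!'.includes(ch) && pattern[i + 1] === '(') {
      depth++;
      maxExtglobDepth = Math.max(maxExtglobDepth, depth);
      starRun = 0;
      i++; // skip the "("
      continue;
    }
    if (ch === ')' && depth > 0) { depth--; starRun = 0; continue; }
    if (ch === '*') {
      starRun++;
      maxStarRun = Math.max(maxStarRun, starRun);
      wildcards++;
    } else {
      starRun = 0;
      if (ch === '?') wildcards++;
    }
  }
  const globstars = pattern.split('/').filter((seg) => seg === '**').length;
  return { length: pattern.length, maxExtglobDepth, globstars, maxStarRun,
           wildcards, unbalanced: depth !== 0 };
}

// True only if every measurement is within the configured limits.
function isSafeGlobPattern(pattern, limits = DEFAULT_LIMITS) {
  const s = analyzeGlobPattern(pattern);
  return !s.unbalanced &&
    s.length <= limits.maxLength &&
    s.maxExtglobDepth <= limits.maxExtglobDepth &&
    s.globstars <= limits.maxGlobstars &&
    s.maxStarRun <= limits.maxStarRun &&
    s.wildcards <= limits.maxWildcards;
}
```

Apply the check at the trust boundary (for example, where a user-supplied file filter enters the application) and log rejections, since a burst of rejected patterns is itself a useful detection signal.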