
[V3-1-test] Fix minimatch ReDoS vulnerabilities via pnpm overrides#62805

Merged: vincbeck merged 2 commits into apache:v3-1-test from astronomer:backport-62796 on Mar 3, 2026

Conversation

@pierrejeambrun (Member)

Update pnpm overrides to patch minimatch ReDoS vulnerabilities (CVE for matchOne() combinatorial backtracking and nested extglobs) across three UI manifests:

  • airflow-core/src/airflow/ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
  • simple-auth-manager-ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
  • react-plugin-template: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)


Update pnpm overrides to patch minimatch ReDoS vulnerabilities
(CVE for matchOne() combinatorial backtracking and nested extglobs)
across three UI manifests:
- airflow-core/src/airflow/ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
- simple-auth-manager-ui: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
- react-plugin-template: add overrides for <3.1.4, >=9.0.0 <9.0.7, >=10.0.0 <10.2.3
@boring-cyborg boring-cyborg bot added area:API Airflow's REST/HTTP API area:dev-tools area:UI Related to UI/UX. For Frontend Developers. backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch labels Mar 3, 2026
@pierrejeambrun pierrejeambrun changed the title Fix minimatch ReDoS vulnerabilities via pnpm overrides [V3-1-test] Fix minimatch ReDoS vulnerabilities via pnpm overrides Mar 3, 2026
The minimatch overrides used open-ended ranges (e.g. >=3.1.4) which
allowed pnpm to resolve 3.x consumers to 10.x, breaking the API
(minimatch 10.x uses named exports, 3.x uses a default function).
Constrain to >=3.1.4 <4.0.0 and >=9.0.7 <10.0.0 respectively.
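The commit message above states the mechanism only in one sentence: an override target such as `>=3.1.4` admits every later major, so pnpm resolves a 3.x consumer to 10.x and the default-function import stops working. The block below is an added example, not code from the Airflow PR or from pnpm, that models that resolution and adds two checks a reviewer could run over an overrides map. Assumptions, mine rather than the page's: `PUBLISHED` is a constructed list of minimatch versions; `resolveOverride()` is a simplified model of pnpm in which an override selector (`minimatch@<3.1.4`) fires when the version that would otherwise be resolved satisfies it, and the target is then resolved to the highest published version it admits; only plain comparator ranges are supported; and the 10.x target `>=10.2.3` is not quoted on the page and is assumed here.

```javascript
// Added example (not the Airflow PR's or pnpm's code). Models why an
// open-ended override target such as ">=3.1.4" lets a 3.x minimatch consumer
// be resolved to 10.x, and why the second commit constrains the targets to
// ">=3.1.4 <4.0.0" and ">=9.0.7 <10.0.0".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies every space-separated comparator in `range`.
// Only >=, >, <=, <, = are handled; that is all the PR's overrides use.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((comp) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comp);
    if (!m) throw new Error(`unsupported comparator: ${comp}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return c >= 0;
      case '>': return c > 0;
      case '<=': return c <= 0;
      case '<': return c < 0;
      default: return c === 0;
    }
  });
}

// Highest version in `versions` that satisfies `range`, or null.
function maxSatisfying(versions, range) {
  const ok = versions.filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed list of "published" minimatch versions (assumption for the example).
const PUBLISHED = ['3.0.4', '3.1.2', '3.1.4', '9.0.3', '9.0.7', '10.0.1', '10.2.3'];

function selectorOf(overrideKey) {
  return overrideKey.slice(overrideKey.indexOf('@') + 1);
}

// Simplified model of pnpm (assumption): resolve the declared range, and if an
// override selector matches that version, resolve the override target instead.
function resolveOverride(declaredRange, overrides, versions = PUBLISHED) {
  const plain = maxSatisfying(versions, declaredRange);
  if (plain === null) return null;
  for (const [key, target] of Object.entries(overrides)) {
    if (satisfies(plain, selectorOf(key))) return maxSatisfying(versions, target);
  }
  return plain;
}

// Check 1: override keys whose target resolves to a different major than the
// versions the selector matches, i.e. the API-breaking jump the commit describes.
function overrideMajorDrift(overrides, versions = PUBLISHED) {
  return Object.entries(overrides)
    .filter(([key, target]) => {
      const matched = maxSatisfying(versions, selectorOf(key));
      const resolved = maxSatisfying(versions, target);
      return matched !== null && resolved !== null
        && parseVersion(matched)[0] !== parseVersion(resolved)[0];
    })
    .map(([key]) => key);
}

// Check 2: override keys whose target still resolves inside the vulnerable
// selector range, i.e. an override that patches nothing.
function overrideStillVulnerable(overrides, versions = PUBLISHED) {
  return Object.entries(overrides)
    .filter(([key, target]) => {
      const resolved = maxSatisfying(versions, target);
      return resolved !== null && satisfies(resolved, selectorOf(key));
    })
    .map(([key]) => key);
}

// The open-ended form the second commit removes (10.x target assumed).
const OPEN_ENDED = {
  'minimatch@<3.1.4': '>=3.1.4',
  'minimatch@>=9.0.0 <9.0.7': '>=9.0.7',
  'minimatch@>=10.0.0 <10.2.3': '>=10.2.3',
};

// The constrained form the second commit introduces (10.x target assumed).
const CONSTRAINED = {
  'minimatch@<3.1.4': '>=3.1.4 <4.0.0',
  'minimatch@>=9.0.0 <9.0.7': '>=9.0.7 <10.0.0',
  'minimatch@>=10.0.0 <10.2.3': '>=10.2.3',
};

// A consumer pinned to the 3.0.x line: the open-ended map jumps it to 10.2.3,
// the constrained map lands it on 3.1.4.
console.log(resolveOverride('>=3.0.0 <3.1.0', OPEN_ENDED)); // 10.2.3
console.log(resolveOverride('>=3.0.0 <3.1.0', CONSTRAINED)); // 3.1.4
console.log(overrideMajorDrift(OPEN_ENDED)); // the <3.1.4 and 9.x keys
console.log(overrideMajorDrift(CONSTRAINED)); // []
```

The two checks are the ones worth keeping when a dependency bump is done through overrides: `overrideMajorDrift` catches the breakage this commit had to fix, and `overrideStillVulnerable` catches the opposite mistake, a target that resolves back into the range the override was meant to exclude.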
@vatsrahul1001 vatsrahul1001 added this to the Airflow 3.1.8 milestone Mar 3, 2026
@vatsrahul1001 vatsrahul1001 added the type:misc/internal Changelog: Misc changes that should appear in change log label Mar 3, 2026
@vincbeck vincbeck merged commit b77ab9a into apache:v3-1-test Mar 3, 2026
88 checks passed
