Fix CVE-2026-27903: upgrade minimatch 5.1.6 → 5.1.9 across all affected tasks #22134
Draft
Copilot wants to merge 3 commits into
Conversation
Azure Pipelines: 3 pipeline(s) require an authorized user to comment /azp run to run.
Agent-Logs-Url: https://github.com/microsoft/azure-pipelines-tasks/sessions/d4528277-550b-4d8e-a46e-5237be89270a Co-authored-by: sanjuyadav24 <185911972+sanjuyadav24@users.noreply.github.com>
…cted tasks Agent-Logs-Url: https://github.com/microsoft/azure-pipelines-tasks/sessions/d4528277-550b-4d8e-a46e-5237be89270a Co-authored-by: sanjuyadav24 <185911972+sanjuyadav24@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Fix CVE-2026-27903 in minimatch 5.1.6" to "Fix CVE-2026-27903: upgrade minimatch 5.1.6 → 5.1.9 across all affected tasks" on May 5, 2026.
Context
Fixes CVE-2026-27903 (High severity ReDoS vulnerability) in minimatch 5.1.6. The vulnerable version was pulled in as a transitive dependency via mocha (^5.1.6) and glob (^5.0.1) across 22+ tasks.

Task Name
ANTV1, BicepDeployV0, CargoAuthenticateV0, DotNetCoreCLIV2, DownloadPackageV0, DownloadPackageV1, GradleV2, GradleV3, GradleV4, MavenV2, MavenV3, MavenV4, NpmAuthenticateV0, NpmV0, NpmV1, NuGetCommandV2, NuGetToolInstallerV0, NuGetToolInstallerV1, PipAuthenticateV0, TwineAuthenticateV0, UniversalPackagesV1, UseDotNetV2
Description
- Added `"overrides": { "minimatch": "5.1.9" }` to each affected task's `package.json` to force resolution of the vulnerable transitive dep
- Regenerated `package-lock.json` files via `npm install --package-lock-only --ignore-scripts` — resolves to 5.1.9 everywhere (mocha/glob nested installs deduped)
- Updated `_buildConfigs/Wif` lock files for CargoAuthenticateV0, NpmAuthenticateV0, UniversalPackagesV1
- Updated `_generated/` package and lock files for all affected variants

Example of the override pattern applied:
Risk Assessment (Low / Medium / High)
Low — No production logic changed. Only npm dependency resolution is affected: `minimatch` is used by `mocha` (test runner) and `glob` (file matching); pinning to 5.1.9 stays within the same major version with identical API.

Change Behind Feature Flag (Yes / No)
No — dependency version pin, no runtime feature flag applicable.
Tech Design / Approach
- Uses npm `overrides` (npm 8+) to force all transitive consumers of `minimatch` to resolve 5.1.9
- Pins the exact version `"5.1.9"` (latest 5.x patch) rather than a range to prevent future lock drift back to a vulnerable version
- `mocha` requires `^5.1.6` and `glob` requires `^5.0.1`; both are satisfied by 5.1.9

Documentation Changes Required (Yes/No)
No
Unit Tests Added or Updated (Yes / No)
No — dependency-only change; existing tests cover task behavior.
Additional Testing Performed
Verified via automated scan of all `package-lock.json` files that no resolved `minimatch` version is 5.1.6 after changes.

Logging Added/Updated (Yes/No)
No
Telemetry Added/Updated (Yes/No)
No
Rollback Scenario and Process (Yes/No)
Yes — revert PR to restore prior lock files. No runtime state affected.
Dependency Impact Assessed and Regression Tested (Yes/No)
Yes — `minimatch` 5.1.9 is a patch release over 5.1.6 with no API changes. All consumers (`mocha`, `glob`, `azure-pipelines-task-lib`) are unaffected.

Checklist
Warning: Firewall rules blocked me from connecting to one or more addresses.
I tried to connect to the following addresses, but was blocked by firewall rules:
Original prompt
[Component Governance Alert] - CVE-2026-27903 in minimatch 5.1.6. Severity: High
Work Item Details
Note: Please focus on the descriptions and information that provide context about the task requirements, functionality, and implementation details. Dates, priorities, and administrative metadata are less relevant for coding tasks.
Description
See more details about this alert in Component Governance.
No field updates will be made to this work item after its initial creation. This includes:
• State changes: If an alert is fixed in CG, the state will not be updated on the work item. You must close the work item manually.
• Severity changes: If an alert changes in severity, the work item will only reflect the severity at the time of the work item’s creation.
• Service mapping changes: If the repository that generated this work item is moved to another service, tags that indicate ServiceID will not be updated.
• Any other change to the alert in CG
If you're having trouble with an S360 item associated with this work item, read the S360 troubleshooting guide.
For additional information and to understand why this work item was assigned to you, see our work item documentation.
This work item was created for an alert in the following repository: microsoft/azure-pipelines-tasks
Tags
auto-cgtriaged; Azure DevOps; CG; CG Burndown; Component Governance; microsoft/azure-pipelines-tasks
Comments
GitHub Copilot Coding Agent (Tue, 05 May 2026 15:42:27 GMT): Thank you @Raju Ellendula (LTIMindtree Limited) for asking me to work on this! I started on the work item, linked !#22133 and I'll update it as I form a plan and make progress.
GitHub Copilot Coding Agent (Tue, 05 May 2026 08:31:53 GMT): @Raju Ellendula (LTIMindtree Limited) GitHub pull request !#22124 is ready for you to review.
GitHub Copilot Coding Agent (Tue, 05 May 2026 08:27:27 GMT): @Raju Ellendula (LTIMindtree Limited) GitHub pull request !#22123 is ready for you to review.
GitHub Copilot Coding Agent (Tue, 05 May 2026 08:26:13 GMT): Thank you @Raju Ellendula (LTIMindtree Limited) for asking me to work on this! I started on the work item, linked !#22124 and I'll update it as I form a plan and make progress.
GitHub Copilot Coding Agent (Tue, 05 May 2026 08:11:30 GMT): Thank you @Raju Ellendula (LTIMindtree Limited) for asking me to work on this! I started on the work item, linked !#22123 and I'll update it as I form a plan and make progress.
GitHub Copilot Coding Agent (Tue, 05 May 2026 08:05:50 GMT): @Raju Ellendula (LTIMindtree Limited) GitHub pull request !#22122 is ready for you to review.
GitHub Copilot Coding Agent (Tue, 05 May 2026 08:00:17 GMT): Thank you @Raju Ellendula (LTIMindtree Limited) for asking me to work on this! I started on the work item, linked !#22122 and I'll update it as I form a plan and make progress.
GitHub Copilot Coding Agent (Tue, 05 May 2026 07:53:15 GMT): @Raju Ellendula (LTIMindtree Limited) GitHub pull request !#22...
Work item: AB#2362016
Created via Azure DevOps
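The "Additional Testing Performed" section of the PR describes an automated scan of every package-lock.json confirming that no resolved minimatch copy is still 5.1.6. The script below is an added example of such a scan, not the PR author's or the repository's own code; it goes slightly beyond the PR by handling both the lockfile v2/v3 "packages" map and the older v1 nested "dependencies" tree, and the SAMPLE_LOCK object is a constructed lockfile, not one from the repository.

```javascript
// Added example (not part of the PR): find every resolved copy of a package in a
// package-lock.json and flag any still at a vulnerable version.

// Return every resolved copy of `name` in a parsed lockfile as {path, version}.
function resolvedVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/glob/node_modules/minimatch"
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        found.push({ path: p, version: entry.version });
      }
    }
    return found;
  }
  // v1: recurse through nested "dependencies" objects
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path: p, version: entry.version });
      walk(entry.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Copies of `name` whose version is in the vulnerable set (e.g. ["5.1.6"]).
function findVulnerable(lock, name, vulnerableVersions) {
  return resolvedVersions(lock, name).filter((e) => vulnerableVersions.includes(e.version));
}

// Read one lockfile from disk and return its vulnerable copies.
function scanLockFile(filePath, name, vulnerableVersions) {
  const lock = JSON.parse(require("fs").readFileSync(filePath, "utf8"));
  return findVulnerable(lock, name, vulnerableVersions);
}

// Constructed v3 lockfile: the top-level copy is fixed but a nested copy under
// glob is still 5.1.6, exactly the case an `overrides` entry is meant to eliminate.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-task" },
    "node_modules/minimatch": { version: "5.1.9" },
    "node_modules/glob": { version: "8.1.0" },
    "node_modules/glob/node_modules/minimatch": { version: "5.1.6" },
  },
};
```

Run scanLockFile over each Tasks/*/package-lock.json (and the _generated and _buildConfigs copies) and fail the check when any call returns a non-empty array.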