aws-cdk-lib: depends on vulnerable minimatch (<10.2.3)

[jaidyn-adapptor]

Describe the bug

aws-cdk-lib currently depends on a vulnerable version of minimatch (<10.2.3), which is affected by 2 high severity ReDoS vulnerabilities:

GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

These vulnerabilities are flagged by npm audit in projects using aws-cdk-lib.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

aws-cdk-lib should upgrade to a non-vulnerable version of minimatch (>= 10.2.1), or update the dependency chain so that vulnerable versions are no longer pulled in.

Current Behavior

minimatch  10.0.0 - 10.2.2
Severity: high
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/aws-cdk-lib/node_modules/minimatch
  aws-cdk-lib  >=2.240.0
  Depends on vulnerable versions of minimatch
  node_modules/aws-cdk-lib

Reproduction Steps

Run npm audit

Possible Solution

Update minimatch version to 10.2.3.

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.240.0

AWS CDK CLI version

2.1107.0 (build e51b1ae)

Node.js Version

25.3.0

OS

macOS 26.3

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Hi @jaidyn-adapptor,

Issue at a Glance

┌─────────────────────────┐     ┌─────────────────────────┐
│ aws-cdk-lib@2.240.0     │ ──> │ minimatch@^10.2.2       │
│ package.json             │     │ resolves to 10.2.2      │
└─────────────────────────┘     └─────────────────────────┘
                                          │
                                          v
                                ┌─────────────────────────┐
                                │ Vulnerable range:        │
                                │ >= 10.0.0, < 10.2.3     │
                                │ 2 high ReDoS advisories  │
                                └─────────────────────────┘
                                          │
                                          v
                                ┌─────────────────────────┐
                                │ Fix: bump to ^10.2.3     │
                                │ PR #37101 (open)         │
                                └─────────────────────────┘

Thanks for reporting this. It appears this is a valid issue — aws-cdk-lib currently pins minimatch@^10.2.2, which falls within the vulnerable range for both GHSA-7r86-cg39-jmmj and GHSA-23c5-xmqv-rm74.

This was reproduced locally by running npm audit on a fresh project with aws-cdk-lib@2.240.0.

The previous issue #37027 addressed an earlier advisory (GHSA-3ppc-4f35-3m26) by bumping to ^10.2.1, but these two new advisories require >= 10.2.3.

Good news — Dependabot has already opened PR #37101 which bumps minimatch from 10.2.2 to 10.2.3. Once that PR is merged and a new release is cut, this should be resolved.

In the meantime, you can work around this by adding an overrides field in your project's package.json:

"overrides": {
  "minimatch": "^10.2.3"
}

Bringing this up to the team for visibility.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.