chore: bump minimatch to 10.2.3 to fix vulnerability (#5675)

nnnnoel · web-flow · commit e35bece4e15a · 2026-03-08T19:31:50.000-04:00
* fix(security): bump minimatch to 10.2.3

* update

* rush change

* fix comment

* fix comment

---------

Co-authored-by: Noel Kim &lt;nnnnoel@users.noreply.github.com&gt;
diff --git a/apps/api-extractor/package.json b/apps/api-extractor/package.json
@@ -71,7 +71,7 @@
     "@rushstack/ts-command-line": "workspace:*",
     "diff": "~8.0.2",
     "lodash": "~4.17.23",
-    "minimatch": "10.2.1",
+    "minimatch": "10.2.3",
     "resolve": "~1.22.1",
     "semver": "~7.5.4",
     "source-map": "~0.6.1",
diff --git a/common/changes/@microsoft/api-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json b/common/changes/@microsoft/api-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json
@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@microsoft/api-extractor",
+      "comment": "Bump `minimatch` version from `10.2.1` to `10.2.3` to address CVE-2026-27903.",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@microsoft/api-extractor"
+}
diff --git a/common/changes/@rushstack/package-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json b/common/changes/@rushstack/package-extractor/fix-minimatch-vulnerability_2026-02-27-10-51.json
@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/package-extractor",
+      "comment": "Bump `minimatch` version from `10.2.1` to `10.2.3` to address CVE-2026-27903.",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@rushstack/package-extractor"
+}
diff --git a/common/changes/@rushstack/webpack4-localization-plugin/fix-minimatch-vulnerability_2026-02-27-10-51.json b/common/changes/@rushstack/webpack4-localization-plugin/fix-minimatch-vulnerability_2026-02-27-10-51.json
@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/webpack4-localization-plugin",
+      "comment": "Bump `minimatch` version from `10.2.1` to `10.2.3` to address CVE-2026-27903.",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@rushstack/webpack4-localization-plugin"
+}
diff --git a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml
diff --git a/common/config/subspaces/build-tests-subspace/repo-state.json b/common/config/subspaces/build-tests-subspace/repo-state.json
@@ -1,6 +1,6 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "c7fc0d748fad95ed6142faa9eaff041335b3fc17",
+  "pnpmShrinkwrapHash": "c395a90b30bd67a31beb1d1b08be9aecb02de265",
   "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9",
-  "packageJsonInjectedDependenciesHash": "c79f0a961494e6e313bb0ec2c8fe0433cb6baaf5"
+  "packageJsonInjectedDependenciesHash": "8410b26d03a38d02cb52140340c78128eb2e5fdd"
 }
diff --git a/common/config/subspaces/default/common-versions.json b/common/config/subspaces/default/common-versions.json
@@ -35,7 +35,7 @@
     "eslint": "~9.37.0",
 
     // Updated minimatch and its types to latest major version to resolve ReDoS vulnerability
-    "minimatch": "10.2.1"
+    "minimatch": "10.2.3"
   },
 
   /**
diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml
diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json
@@ -1,5 +1,5 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "332ad6b0bd71bdfb6f4ae69270e34275b8dc2f1e",
-  "preferredVersionsHash": "93bf435032db8da4a18734f1eaa359c12ad147c1"
+  "pnpmShrinkwrapHash": "0778382a980762005a055ec6e76ca8cc37d447f1",
+  "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c"
 }
diff --git a/libraries/package-extractor/package.json b/libraries/package-extractor/package.json
@@ -46,7 +46,7 @@
     "@rushstack/ts-command-line": "workspace:*",
     "ignore": "~5.1.6",
     "jszip": "~3.8.0",
-    "minimatch": "10.2.1",
+    "minimatch": "10.2.3",
     "npm-packlist": "~5.1.3",
     "semver": "~7.5.4"
   },
diff --git a/webpack/webpack4-localization-plugin/package.json b/webpack/webpack4-localization-plugin/package.json
@@ -60,7 +60,7 @@
     "@rushstack/terminal": "workspace:*",
     "@types/tapable": "1.0.6",
     "loader-utils": "1.4.2",
-    "minimatch": "10.2.1"
+    "minimatch": "10.2.3"
   },
   "devDependencies": {
     "@rushstack/heft": "workspace:*",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`// DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.`
`2`	`2`	`{`
`3`		`- "pnpmShrinkwrapHash": "c7fc0d748fad95ed6142faa9eaff041335b3fc17",`
	`3`	`+ "pnpmShrinkwrapHash": "c395a90b30bd67a31beb1d1b08be9aecb02de265",`
`4`	`4`	`"preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9",`
`5`		`- "packageJsonInjectedDependenciesHash": "c79f0a961494e6e313bb0ec2c8fe0433cb6baaf5"`
	`5`	`+ "packageJsonInjectedDependenciesHash": "8410b26d03a38d02cb52140340c78128eb2e5fdd"`
`6`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`// DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.`
`2`	`2`	`{`
`3`		`- "pnpmShrinkwrapHash": "332ad6b0bd71bdfb6f4ae69270e34275b8dc2f1e",`
`4`		`- "preferredVersionsHash": "93bf435032db8da4a18734f1eaa359c12ad147c1"`
	`3`	`+ "pnpmShrinkwrapHash": "0778382a980762005a055ec6e76ca8cc37d447f1",`
	`4`	`+ "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c"`
`5`	`5`	`}`