Add wildcard pattern support for core modules #3200
Add support for wildcard patterns in import/core-modules setting, allowing * to match multiple modules like @my-monorepo/* or @My-*/*.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Prevent '*' pattern from matching all modules, which would disable dependency analysis and create security vulnerabilities.

- Add safety check for bare wildcard patterns
- Add comprehensive test coverage for security edge cases
- Ensure valid wildcard patterns still work correctly

Enhance security validation to catch a broader range of dangerous wildcard patterns that could disable dependency analysis:

- Block double wildcards (**)
- Block overly broad patterns (*/*)
- Block regex-style wildcards (.*)
- Block patterns that are too short and broad (a*, *a)
- Block multiple wildcards except for valid @namespace/* patterns
- Add comprehensive test coverage for all dangerous patterns
- Maintain support for legitimate use cases

This prevents accidental or malicious disabling of ESLint's dependency analysis while preserving intended functionality.
codecov bot commented Jul 18, 2025 • edited
Codecov Report

All modified and coverable lines are covered by tests ✅

Additional details and impacted files

| Coverage Diff | main | #3200 | +/- |
|---|---|---|---|
| Coverage | 82.25% | 95.63% | +13.38% |
| Files | 94 | 83 | -11 |
| Lines | 4283 | 3689 | -594 |
| Branches | 1478 | 1332 | -146 |
| Hits | 3523 | 3528 | +5 |
| Misses | 760 | 161 | -599 |
|
if(pattern.startsWith('.*')){returntrue;}// Regex wildcards | ||
if(pattern.endsWith('.*')){returntrue;}// Regex wildcards |
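Review bot: The two `.*` checks only inspect the start and the end of the pattern, so a pattern carrying `.*` in the middle, or any other regex construct, gets past this deny-list, and a deny-list of dangerous shapes is hard to make complete. Suggest treating the setting strictly as a glob: accept only literal characters plus `*`, and match with the glob library already in the dependency tree rather than scanning for regex syntax.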
what about [\s\S]*? we shouldn't be adding a dynamic regex pattern anywhere - it's a CVE magnet. To add this support, we should be using globs, and micromatch/minimatch/etc (whichever one we're already using)
Good call! Looking into it. 🙏🏼
- Replace dangerous [\s\S]*? regex patterns with minimatch glob matching
- Eliminate all dynamic regex construction in wildcard pattern matching
- Use safe string operations instead of regex for wildcard counting
- Maintain same functionality while preventing ReDoS vulnerabilities

Addresses PR feedback about CVE security risks from dynamic regex patterns.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Summary

Addresses: #1281

import/core-modules setting * to match multiple modules like @my-monorepo/* or @my-*/*

Changes

src/core/importType.js to support wildcard pattern matching

Test plan
@my-monorepo/*
)@my-*/*
)
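
The approach the thread converges on (reject over-broad patterns, count wildcards with string operations, never build a regex from a setting value) can be sketched as follows. This is an added example, not the plugin's code: the PR moved to minimatch, while this sketch uses a hand-written matcher so it runs without dependencies. The function names, the literal-length threshold and the rule that `*` stays inside one path segment are assumptions.

```javascript
// Added example with hypothetical helper names; not the plugin's code.
// Reject the pattern shapes the commit messages list as dangerous.
function isDangerousPattern(pattern) {
  const stars = pattern.split('*').length - 1; // count wildcards without a regex
  if (stars === 0) return false;               // plain module names are fine
  if (pattern.includes('**') || pattern.includes('.*')) return true;
  if (pattern === '*/*') return true;
  // Assumption: fewer than 2 literal characters counts as "too short and broad".
  if (pattern.split('*').join('').length < 2) return true;
  if (stars === 1) return false;
  // Several wildcards: allow only "@scope/name" with at most one '*' per segment
  // and a scope that has at least one literal character after '@' (assumption).
  const segments = pattern.split('/');
  return !(pattern.startsWith('@') && segments.length === 2
    && segments[0].length > 2
    && segments.every((s) => s.split('*').length <= 2));
}

// Match one path segment; '*' matches any run of characters in that segment.
// Linear scan with indexOf, so there is no backtracking to abuse.
function segmentMatches(pat, seg) {
  const parts = pat.split('*');
  if (parts.length === 1) return pat === seg;
  const first = parts[0];
  const last = parts[parts.length - 1];
  if (seg.length < first.length + last.length) return false;
  if (!seg.startsWith(first) || !seg.endsWith(last)) return false;
  let pos = first.length;
  const end = seg.length - last.length;
  for (const mid of parts.slice(1, -1)) { // literals between wildcards, in order
    const at = seg.indexOf(mid, pos);
    if (at === -1 || at + mid.length > end) return false;
    pos = at + mid.length;
  }
  return true;
}

// Assumption: '*' never crosses '/', so both sides need the same segment count.
function matchesCorePattern(pattern, name) {
  if (isDangerousPattern(pattern)) return false; // dangerous patterns match nothing
  const p = pattern.split('/');
  const n = name.split('/');
  return p.length === n.length && p.every((seg, i) => segmentMatches(seg, n[i]));
}
```
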