Upgrading minimatch version to fix MSRC vulnerability issue#21035


Merged: rishabhmalikMS merged 13 commits into master from users/rishabhmalik/pkgVersionUpgrade on May 29, 2025

Conversation

@rishabhmalikMS (Contributor) commented May 20, 2025 (edited)

Context

Upgrading minimatch version to fix MSRC vulnerability issue.
AB#2281543


Task Name

ExtractFilesV1, GulpV0, GulpV1, XamarinTestCloudV1


Description

A ReDoS vulnerability exists in the braceExpand function of the minimatch package, which can be exploited using crafted input patterns.
Fix: Upgrade minimatch to version 3.0.5 or later.
ICM link for reference: https://portal.microsofticm.com/imp/v5/incidents/details/31000000365389/summary

Key minimatch v4 changes:

  • ** (globstar) now matches zero or more path segments (previously one or more). We already have pipeline tests using ** patterns, and these are passing, confirming our patterns work as expected with the new globstar behavior.
  • New option: allowWindowsEscape (not used in our code).
  • Fix bug with escaped '@' in patterns (Not related to our implementation)
  • nocase: true is always treated as "magic" (we only use nocase on Windows in our code, which is expected).
  • Internal marker exposure and improved pattern parsing (not relevant to our usage).

Canary runs
ExtractFiles: https://dev.azure.com/canarytest/PipelineTasks/_build/results?buildId=162239&view=results
GulpV0: https://dev.azure.com/canarytest/PipelineTasks/_build/results?buildId=162240&view=results
GulpV1: https://dev.azure.com/canarytest/PipelineTasks/_build/results?buildId=162241&view=results


Risk Assessment (Low / Medium / High)

Medium. Major version upgrade of minimatch package. Tested by running canary tests pipeline and unit tests for updated tests.


Unit Tests Added or Updated (Yes / No)

No new tests added


Additional Testing Performed

Tested by running canary tests pipeline and unit tests for updated tests


Documentation Changes Required (Yes / No)

No


Checklist

  • Related issue linked (if applicable)
  • Task version was bumped — see versioning guide
  • Verified the task behaves as expected
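
The globstar change called out in the description is the one behavioral risk of this upgrade. The following is an added example (not code from the PR or from minimatch) that emulates the two globstar rules as the description states them and lists the paths whose match result would flip; it assumes a simplified glob syntax and constructed sample paths.

```javascript
// Added example (not part of the PR or of minimatch): a minimal glob-to-regex
// emulation of the two globstar rules named above, so a reviewer can list the
// paths whose match result would flip after the upgrade. Only '*', '**', '?'
// and literal segments are supported; brace expansion, character classes and
// the dotfile rules of the real minimatch are deliberately left out.

function escapeLiteral(ch) {
  return ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
}

// Build an anchored RegExp for `pattern`; `globstarZeroOrMore` selects the
// v4 rule (zero or more segments) or the pre-v4 rule (one or more segments).
function globToRegExp(pattern, { globstarZeroOrMore }) {
  const segs = pattern.split('/');
  let re = '^';
  segs.forEach((seg, i) => {
    const last = i === segs.length - 1;
    if (seg === '**') {
      if (last) {
        re += globstarZeroOrMore ? '(?:[^/]+(?:/[^/]+)*)?' : '[^/]+(?:/[^/]+)*';
      } else {
        re += globstarZeroOrMore ? '(?:[^/]+/)*' : '(?:[^/]+/)+';
      }
      return;
    }
    let part = '';
    for (const ch of seg) {
      if (ch === '*') part += '[^/]*';
      else if (ch === '?') part += '[^/]';
      else part += escapeLiteral(ch);
    }
    re += part + (last ? '' : '/');
  });
  return new RegExp(re + '$');
}

// Return the paths whose result differs between the old and new globstar rule.
function globstarDiff(pattern, paths) {
  const before = globToRegExp(pattern, { globstarZeroOrMore: false });
  const after = globToRegExp(pattern, { globstarZeroOrMore: true });
  return paths
    .map(p => ({ path: p, before: before.test(p), after: after.test(p) }))
    .filter(r => r.before !== r.after);
}

// Constructed sample paths (not from the repository) at several depths.
const SAMPLE_PATHS = ['src/a.ts', 'src/lib/a.ts', 'src/lib/x/a.ts', 'test/a.ts', 'src/a.js'];
console.log(globstarDiff('src/**/*.ts', SAMPLE_PATHS));
```

Running a task's real patterns through globstarDiff against the files its canary run produced shows exactly which matches the upgrade adds; an empty result for every pattern is the evidence the risk assessment above relies on.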

@rishabhmalikMS (Contributor, Author) commented:

/azp run

rishabhmalikMS changed the title from "Users/rishabhmalik/pkg version upgrade" to "Upgrading minimatch version to fix MSRC vulnerability issue" on May 22, 2025
rishabhmalikMS enabled auto-merge (squash) on May 23, 2025 05:51
@MantavyaDh (Contributor) commented:

Is there any specific reason we are updating to version 3.0.5? The latest version is 10.0.1.
Can we have a look at this once: change log

@tarunramsinghani (Collaborator) commented:

Please do share the canary pipeline links for the tasks changed.

@rishabhmalikMS (Contributor, Author) commented:

/azp run

@rishabhmalikMS (Contributor, Author) commented:

> Is there any specific reason we are updating to version 3.0.5? The latest version is 10.0.1. Can we have a look at this once: change log

Latest versions are causing issues in pattern matching. Hence, we have used v4.

@rishabhmalikMS (Contributor, Author) commented:

/azp run

@tarunramsinghani (Collaborator) commented:

Since we have updated the major version, the risk should not be Low; it should at least be Medium. BTW, did you check what other changes are there in v4 and validate against the task code that the changes do not impact the functionality?

@rishabhmalikMS (Contributor, Author) commented:

> Since we have updated the major version, the risk should not be Low; it should at least be Medium. BTW, did you check what other changes are there in v4 and validate against the task code that the changes do not impact the functionality?

Key minimatch v4 changes:

  • ** (globstar) now matches zero or more path segments (previously one or more). We already have pipeline tests using ** patterns, and these are passing, confirming our patterns work as expected with the new globstar behavior.
  • New option: allowWindowsEscape (not used in our code).
  • Fix bug with escaped '@' in patterns (not related to our implementation).
  • nocase: true is always treated as "magic" (we only use nocase on Windows in our code, which is expected).
  • Internal marker exposure and improved pattern parsing (not relevant to our usage).

@sanjuyadav24 (Contributor) commented:

Hi @rishabhmalikMS,
A few of the images were skipped in the test pipeline; could you please check and re-run the pipeline with all images?

@MantavyaDh (Contributor) commented May 28, 2025 (edited)

> Hi @rishabhmalikMS, a few of the images were skipped in the test pipeline; could you please check and re-run the pipeline with all images?

I investigated this; it is due to the variables missing those pools which are set in the pipelines (canary pipelines).
These have been skipped in the past as well for these tasks. We need to update the variables in the master branch for the tasks that are skipping.

@sanjuyadav24 (Contributor) commented:

> Hi @rishabhmalikMS, a few of the images were skipped in the test pipeline; could you please check and re-run the pipeline with all images?

> I investigated this; it is due to the variables missing those pools which are set in the pipelines (canary pipelines). These have been skipped in the past as well for these tasks. We need to update the variables in the master branch for the tasks that are skipping.

Okay, let's create a task to update these variables.

rishabhmalikMS merged commit 5c77ece into master on May 29, 2025
5 checks passed

Reviewers

MantavyaDh left review comments.
sanjuyadav24 approved these changes.
tarunramsinghani (code owner): review requested, awaiting.
