Bump minimatch from 3.0.4 to 3.1.5

[dependabot]

Bumps minimatch from 3.0.4 to 3.1.5.

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dg-appsec-cxone]

Checkmarx One – Scan Summary & Details – e0b74987-1f0e-47cc-bd1d-49f6b15780fd

---

New Issues (22)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2025-66418	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2025-66471	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2026-0775	Npm-npm-6.14.9	details Recommended version: 11.9.0 Description: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges ... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
4		CVE-2026-21441	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-23745	Npm-tar-4.4.13	details Recommended version: 7.5.8 Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
6		CVE-2026-24842	Npm-tar-4.4.13	details Recommended version: 7.5.8 Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-26960	Npm-tar-4.4.13	details Recommended version: 7.5.8 Description: "tar.extract()" in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outsid... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
8		CVE-2026-26996	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		CVE-2026-27903	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10		CVE-2026-27904	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11		CVE-2026-27959	Npm-koa-2.13.0	details Recommended version: 2.16.4 Description: Koa is middleware for Node.js using ES2017 async functions. Prior to versions 2.16.4 and 3.0.x prior to 3.1.2, Koa's `ctx.hostname` API performs na... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12		Cxf5fb15b0-6576	Npm-serialize-javascript-3.1.0	details Description: serialize-javascript through 7.0.2 contains a code injection vulnerability due to improper escaping of "RegExp.flags" during serialization. Althoug... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
13		CVE-2025-13465	Npm-lodash-4.17.19	details Recommended version: 4.17.23 Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
14		CVE-2025-14505	Npm-elliptic-6.5.4	details Description: The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
15		CVE-2025-15284	Npm-qs-6.5.2	details Recommended version: 6.5.4 Description: Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
16		CVE-2025-64718	Npm-js-yaml-3.14.0	details Recommended version: 3.14.2 Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17		CVE-2026-23950	Npm-tar-4.4.13	details Recommended version: 7.5.8 Description: node-tar,a Tar for Node.js, has a race condition vulnerability in versions through 7.5.3. This is due to an incomplete handling of Unicode path col... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
18		CVE-2026-2739	Npm-bn.js-4.12.0	details Recommended version: 4.12.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state,... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19		CVE-2026-2739	Npm-bn.js-5.1.2	details Recommended version: 5.2.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state,... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20		CVE-2026-2739	Npm-bn.js-4.11.9	details Recommended version: 4.12.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state,... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21		CVE-2025-69873	Npm-ajv-6.12.2	details Recommended version: 6.14.0 Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
22		CVE-2025-69873	Npm-ajv-6.12.6	details Recommended version: 6.14.0 Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR