Security: Vulnerable dependency minimatch@3.1.2 [SNYK-JS-MINIMATCH-15309438, CVE-2026-26996]

[mariuslazarcentrica]

Summary

ember-cli-htmlbars@7.0.0 depends on multiple vulnerable versions of minimatch (3.1.2, 9.0.5), which are vulnerable to Regular Expression Denial of Service (ReDoS) (High severity).

• Snyk Advisory: https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
• Fix Commit: isaacs/minimatch@2e111f3
• Severity: High

Vulnerability Details

Affected versions of minimatch are vulnerable to ReDoS in the AST class, caused by catastrophic backtracking when an input string contains many * characters in a row followed by an unmatched character.

Example Affected Dependency Paths

minimatch is pulled in through multiple paths in ember-cli-htmlbars@7.0.0:

#	Dependency Path
1	ember-cli-htmlbars → walk-sync@4.0.1 → matcher-collection@2.0.1 → minimatch@3.1.2
2	ember-cli-htmlbars → broccoli-plugin@4.0.7 → rimraf@3.0.2 → glob@7.2.3 → minimatch@3.1.2
3	ember-cli-htmlbars → broccoli-persistent-filter@3.1.3 → rimraf@3.0.2 → glob@7.2.3 → minimatch@3.1.2
4	ember-cli-htmlbars → broccoli-plugin@4.0.7 → quick-temp@0.1.9 → rimraf@5.0.10 → glob@10.5.0 → minimatch@9.0.5
	few more...

Potential Remediation

1. Fix has been given in minimatch to version 10.2.1 or higher. Upgrade transitive dependencies that pull in vulnerable minimatch versions — particularly broccoli-plugin, broccoli-persistent-filter, broccoli-debug, walk-sync, rimraf, and glob — to versions that depend on minimatch@>=10.2.1

References

• https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
• isaacs/minimatch@2e111f3