minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
minimatch versions ≤10.2.0 are vulnerable to ReDoS via patterns with many consecutive * wildcards, causing exponential backtracking and denial of service.
Vulnerability Overview
minimatch is a JavaScript glob matching utility used internally by npm. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that does not appear in the test string [1][2]. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits [4]. The time complexity is O(4^N) where N is the number of * characters; with N=15 a single minimatch() call takes ~2 seconds, and with N=34 it hangs effectively forever [2][4].
Exploitation and Attack Surface
An attacker can trigger the vulnerability by supplying a crafted glob pattern containing many consecutive * wildcards followed by a literal character that does not appear in the target string [4]. No authentication is required if the application exposes glob matching to untrusted input. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS, including file search/filter UIs, .gitignore-style filtering, build tools accepting glob configuration, and APIs that expose glob matching to untrusted input [4].
Impact
Successful exploitation results in a denial of service condition. A single minimatch() call with a malicious pattern can consume excessive CPU time, causing the application to become unresponsive or crash [2][4]. The impact is limited to availability; no data confidentiality or integrity is affected.
Mitigation
The issue has been fixed in minimatch version 10.2.1 [2]. The fix coalesces consecutive non-globstar * characters into a single regex group, eliminating the exponential backtracking [3]. Users should upgrade to version 10.2.1 or later. If upgrading is not immediately possible, applications should avoid passing untrusted input as the pattern argument to minimatch() [1][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
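The mitigation described above (keep untrusted input away from the pattern argument, and coalesce consecutive stars as the fix does) can also be enforced at the application boundary. The following is an added example, not minimatch's code and not part of the advisory: `checkUntrustedGlob`, `coalesceStars`, `countStars` and the `LIMITS` values are assumptions chosen for illustration, and brace expansion and extglobs are not modelled.

```javascript
// Added example (not minimatch code): validate a glob that arrives from an
// untrusted source before it is handed to a matcher.
// LIMITS is an assumed budget; tune it for the application.
const LIMITS = { maxLength: 256, maxWildcards: 8 };

// Collapse runs of unescaped '*' inside one path segment. A segment that is
// exactly '**' is a globstar and is left alone. A backslash escapes the next
// character, so '\*' stays a literal star and ends the current run.
function coalesceSegment(seg) {
  if (seg === '**') return seg;
  let out = '';
  let inStar = false;
  for (let i = 0; i < seg.length; i++) {
    const c = seg[i];
    if (c === '\\' && i + 1 < seg.length) {
      out += c + seg[++i];
      inStar = false;
      continue;
    }
    if (c === '*') {
      if (inStar) continue; // drop the repeated star
      inStar = true;
    } else {
      inStar = false;
    }
    out += c;
  }
  return out;
}

function coalesceStars(pattern) {
  return pattern.split('/').map(coalesceSegment).join('/');
}

// Number of unescaped '*' left in the pattern.
function countStars(pattern) {
  let n = 0;
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === '\\') { i++; continue; }
    if (pattern[i] === '*') n++;
  }
  return n;
}

// Returns { ok: true, pattern } with the normalized glob, or
// { ok: false, reason } when the pattern exceeds the budget.
function checkUntrustedGlob(pattern, limits = LIMITS) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > limits.maxLength) return { ok: false, reason: 'pattern too long' };
  const normalized = coalesceStars(pattern);
  if (countStars(normalized) > limits.maxWildcards) {
    return { ok: false, reason: 'too many wildcards' };
  }
  return { ok: true, pattern: normalized };
}

// Constructed sample inputs.
for (const p of ['src/**/*.js', '*'.repeat(34) + 'x', 'a/***/b', '\\***.txt']) {
  console.log(JSON.stringify(p), '->', JSON.stringify(checkUntrustedGlob(p)));
}
```

The returned `pattern` is the value to pass on to the matcher; inputs that come back with `ok: false` should be refused rather than matched.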
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| minimatch (npm) | >= 10.0.0, < 10.2.1 | 10.2.1 |
| minimatch (npm) | >= 9.0.0, < 9.0.6 | 9.0.6 |
| minimatch (npm) | >= 8.0.0, < 8.0.5 | 8.0.5 |
| minimatch (npm) | >= 7.0.0, < 7.4.7 | 7.4.7 |
| minimatch (npm) | >= 6.0.0, < 6.2.1 | 6.2.1 |
| minimatch (npm) | >= 5.0.0, < 5.1.7 | 5.1.7 |
| minimatch (npm) | >= 4.0.0, < 4.2.4 | 4.2.4 |
| minimatch (npm) | < 3.1.3 | 3.1.3 |
Affected products
- isaacs/minimatch v5 Range: < 10.2.1
Patches
2e111f3a79ab: coalesce consecutive non-globstar * characters
7 files changed · +105 −94
src/ast.ts+11 −5 modified@@ -633,13 +633,24 @@ export class AST { let escaping = false let re = '' let uflag = false + // multiple stars that aren't globstars coalesce into one * + let inStar = false for (let i = 0; i < glob.length; i++) { const c = glob.charAt(i) if (escaping) { escaping = false re += (reSpecials.has(c) ? '\\' : '') + c continue } + if (c === '*') { + if (inStar) continue + inStar = true + re += noEmpty && /^[*]+$/.test(glob) ? starNoEmpty : star + hasMagic = true + continue + } else { + inStar = false + } if (c === '\\') { if (i === glob.length - 1) { re += '\\\\' @@ -658,11 +669,6 @@ export class AST { continue } } - if (c === '*') { - re += noEmpty && glob === '*' ? starNoEmpty : star - hasMagic = true - continue - } if (c === '?') { re += qmark hasMagic = true
src/index.ts+1 −1 modified@@ -520,7 +520,7 @@ export class Minimatch { // to the right as possible, even if it increases the number // of patterns that we have to process. preprocess(globParts: string[][]) { - // if we're not in globstar mode, then turn all ** into * + // if we're not in globstar mode, then turn ** into * if (this.options.noglobstar) { for (let i = 0; i < globParts.length; i++) { for (let j = 0; j < globParts[i].length; j++) {
tap-snapshots/test/basic.js.test.cjs+22 −22 modified@@ -3440,11 +3440,11 @@ exports[`test/basic.js > TAP > basic tests > makeRe ??? 2`] = ` ` exports[`test/basic.js > TAP > basic tests > makeRe ??**********?****? 1`] = ` -/^(?!\\.)[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/][^/][^/]*?[^/][^/]*?[^/]$/ ` exports[`test/basic.js > TAP > basic tests > makeRe ??**********?****c 1`] = ` -/^(?!\\.)[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/][^/][^/]*?[^/][^/]*?c$/ ` exports[`test/basic.js > TAP > basic tests > makeRe ?.js 1`] = ` @@ -3472,27 +3472,27 @@ exports[`test/basic.js > TAP > basic tests > makeRe ?(x-!(y)|z)b 1`] = ` ` exports[`test/basic.js > TAP > basic tests > makeRe ?***?**** 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?$/ ` exports[`test/basic.js > TAP > basic tests > makeRe ?***?****? 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?[^/]$/ ` exports[`test/basic.js > TAP > basic tests > makeRe ?***?****c 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?c$/ ` exports[`test/basic.js > TAP > basic tests > makeRe ?*****?? 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]$/ +/^(?!\\.)[^/][^/]*?[^/][^/]$/ ` exports[`test/basic.js > TAP > basic tests > makeRe ?*****?c 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]c$/ +/^(?!\\.)[^/][^/]*?[^/]c$/ ` exports[`test/basic.js > TAP > basic tests > makeRe ?************c****?**** 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?$/ +/^(?!\\.)[^/][^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/basic.js > TAP > basic tests > makeRe ?js 1`] = ` 
@@ -3864,15 +3864,15 @@ exports[`test/basic.js > TAP > basic tests > makeRe ** 3`] = ` ` exports[`test/basic.js > TAP > basic tests > makeRe *****?? 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]$/ +/^(?!\\.)[^/]*?[^/][^/]$/ ` exports[`test/basic.js > TAP > basic tests > makeRe *******? 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/]*?[^/]$/ ` exports[`test/basic.js > TAP > basic tests > makeRe *******c 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/]*?c$/ ` exports[`test/basic.js > TAP > basic tests > makeRe **/.x/** 1`] = ` @@ -3900,7 +3900,7 @@ exports[`test/basic.js > TAP > basic tests > makeRe *\\\\!* 1`] = ` ` exports[`test/basic.js > TAP > basic tests > makeRe *c*?** 1`] = ` -/^(?!\\.)[^/]*?c[^/]*?[^/][^/]*?[^/]*?$/ +/^(?!\\.)[^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/basic.js > TAP > basic tests > makeRe *js 1`] = ` 
@@ -4044,43 +4044,43 @@ exports[`test/basic.js > TAP > basic tests > makeRe a*[^c] 1`] = ` ` exports[`test/basic.js > TAP > basic tests > makeRe a**?**cd**?**??***k 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?k$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/][^/]*?k$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a**?**cd**?**??***k** 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?k[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/][^/]*?k[^/]*?$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a**?**cd**?**??k 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a**?**cd**?**??k*** 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k[^/]*?$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a*****?c 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]c$/ +/^a[^/]*?[^/]c$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a********???******* 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/][^/][^/]*?$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a*****c*?** 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/][^/]*?[^/]*?$/ +/^a[^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a****c**?**??***** 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?c[^/]*?[^/][^/]*?[^/][^/][^/]*?$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a***c 1`] = ` -/^a[^/]*?[^/]*?[^/]*?c$/ +/^a[^/]*?c$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a*cd**?**??k 1`] = ` -/^a[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k$/ 
+/^a[^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k$/ ` exports[`test/basic.js > TAP > basic tests > makeRe a/.*/b 1`] = `
tap-snapshots/test/escape-has-magic.js.test.cjs+22 −22 modified@@ -163,7 +163,7 @@ exports[`test/escape-has-magic.js > TAP > ??**********?****? 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]$/, + /^(?!\\.)[^/][^/][^/]*?[^/][^/]*?[^/]$/, ], ], true, @@ -174,7 +174,7 @@ exports[`test/escape-has-magic.js > TAP > ??**********?****c 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?c$/, + /^(?!\\.)[^/][^/][^/]*?[^/][^/]*?c$/, ], ], true, @@ -251,7 +251,7 @@ exports[`test/escape-has-magic.js > TAP > ?***?**** 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?$/, + /^(?!\\.)[^/][^/]*?[^/][^/]*?$/, ], ], true, @@ -262,7 +262,7 @@ exports[`test/escape-has-magic.js > TAP > ?***?****? 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]$/, + /^(?!\\.)[^/][^/]*?[^/][^/]*?[^/]$/, ], ], true, @@ -273,7 +273,7 @@ exports[`test/escape-has-magic.js > TAP > ?***?****c 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?c$/, + /^(?!\\.)[^/][^/]*?[^/][^/]*?c$/, ], ], true, @@ -284,7 +284,7 @@ exports[`test/escape-has-magic.js > TAP > ?*****?? 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]$/, + /^(?!\\.)[^/][^/]*?[^/][^/]$/, ], ], true, @@ -295,7 +295,7 @@ exports[`test/escape-has-magic.js > TAP > ?*****?c 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]c$/, + /^(?!\\.)[^/][^/]*?[^/]c$/, ], ], true, 
@@ -306,7 +306,7 @@ exports[`test/escape-has-magic.js > TAP > ?************c****?**** 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?$/, + /^(?!\\.)[^/][^/]*?c[^/]*?[^/][^/]*?$/, ], ], true, @@ -1388,7 +1388,7 @@ exports[`test/escape-has-magic.js > TAP > *****?? 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]$/, + /^(?!\\.)[^/]*?[^/][^/]$/, ], ], true, @@ -1399,7 +1399,7 @@ exports[`test/escape-has-magic.js > TAP > *******? 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]$/, + /^(?!\\.)[^/]*?[^/]$/, ], ], true, @@ -1410,7 +1410,7 @@ exports[`test/escape-has-magic.js > TAP > *******c 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c$/, + /^(?!\\.)[^/]*?c$/, ], ], true, @@ -1493,7 +1493,7 @@ exports[`test/escape-has-magic.js > TAP > *c*?** 1`] = ` Array [ Array [ Array [ - /^(?!\\.)[^/]*?c[^/]*?[^/][^/]*?[^/]*?$/, + /^(?!\\.)[^/]*?c[^/]*?[^/][^/]*?$/, ], ], true, @@ -1897,7 +1897,7 @@ exports[`test/escape-has-magic.js > TAP > a**?**cd**?**??***k 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?k$/, + /^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/][^/]*?k$/, ], ], true, @@ -1908,7 +1908,7 @@ exports[`test/escape-has-magic.js > TAP > a**?**cd**?**??***k** 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?k[^/]*?[^/]*?$/, + /^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/][^/]*?k[^/]*?$/, ], ], true, @@ -1919,7 +1919,7 @@ exports[`test/escape-has-magic.js > TAP > a**?**cd**?**??k 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k$/, + /^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k$/, ], ], true, 
@@ -1930,7 +1930,7 @@ exports[`test/escape-has-magic.js > TAP > a**?**cd**?**??k*** 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k[^/]*?[^/]*?[^/]*?$/, + /^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k[^/]*?$/, ], ], true, @@ -1941,7 +1941,7 @@ exports[`test/escape-has-magic.js > TAP > a*****?c 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]c$/, + /^a[^/]*?[^/]c$/, ], ], true, @@ -1952,7 +1952,7 @@ exports[`test/escape-has-magic.js > TAP > a********???******* 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?$/, + /^a[^/]*?[^/][^/][^/][^/]*?$/, ], ], true, @@ -1963,7 +1963,7 @@ exports[`test/escape-has-magic.js > TAP > a*****c*?** 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/][^/]*?[^/]*?$/, + /^a[^/]*?c[^/]*?[^/][^/]*?$/, ], ], true, @@ -1974,7 +1974,7 @@ exports[`test/escape-has-magic.js > TAP > a****c**?**??***** 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?$/, + /^a[^/]*?c[^/]*?[^/][^/]*?[^/][^/][^/]*?$/, ], ], true, @@ -1985,7 +1985,7 @@ exports[`test/escape-has-magic.js > TAP > a***c 1`] = ` Array [ Array [ Array [ - /^a[^/]*?[^/]*?[^/]*?c$/, + /^a[^/]*?c$/, ], ], true, @@ -1996,7 +1996,7 @@ exports[`test/escape-has-magic.js > TAP > a*cd**?**??k 1`] = ` Array [ Array [ Array [ - /^a[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k$/, + /^a[^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k$/, ], ], true,
tap-snapshots/test/optimization-level-0.ts.test.cjs+22 −22 modified@@ -3440,11 +3440,11 @@ exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ??? 2`] = ` ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ??**********?****? 1`] = ` -/^(?!\\.)[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/][^/][^/]*?[^/][^/]*?[^/]$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ??**********?****c 1`] = ` -/^(?!\\.)[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/][^/][^/]*?[^/][^/]*?c$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?.js 1`] = ` 
@@ -3472,27 +3472,27 @@ exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?(x-!(y)|z)b ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?***?**** 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?***?****? 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?[^/]$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?***?****c 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?c$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?*****?? 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]$/ +/^(?!\\.)[^/][^/]*?[^/][^/]$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?*****?c 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]c$/ +/^(?!\\.)[^/][^/]*?[^/]c$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?************c****?**** 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?$/ +/^(?!\\.)[^/][^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ?js 1`] = ` 
@@ -3864,15 +3864,15 @@ exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe ** 3`] = ` ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe *****?? 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]$/ +/^(?!\\.)[^/]*?[^/][^/]$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe *******? 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/]*?[^/]$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe *******c 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/]*?c$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe **/.x/** 1`] = ` @@ -3900,7 +3900,7 @@ exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe *\\\\!* 1`] = ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe *c*?** 1`] = ` -/^(?!\\.)[^/]*?c[^/]*?[^/][^/]*?[^/]*?$/ +/^(?!\\.)[^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe *js 1`] = ` 
@@ -4044,43 +4044,43 @@ exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a*[^c] 1`] = ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a**?**cd**?**??***k 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?k$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/][^/]*?k$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a**?**cd**?**??***k** 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?k[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/][^/]*?k[^/]*?$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a**?**cd**?**??k 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a**?**cd**?**??k*** 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k[^/]*?$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a*****?c 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]c$/ +/^a[^/]*?[^/]c$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a********???******* 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/][^/][^/]*?$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a*****c*?** 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/][^/]*?[^/]*?$/ +/^a[^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a****c**?**??***** 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?c[^/]*?[^/][^/]*?[^/][^/][^/]*?$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a***c 1`] = ` -/^a[^/]*?[^/]*?[^/]*?c$/ +/^a[^/]*?c$/ 
` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a*cd**?**??k 1`] = ` -/^a[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k$/ +/^a[^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k$/ ` exports[`test/optimization-level-0.ts > TAP > basic tests > makeRe a/.*/b 1`] = `
tap-snapshots/test/optimization-level-2.ts.test.cjs+22 −22 modified@@ -3440,11 +3440,11 @@ exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ??? 2`] = ` ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ??**********?****? 1`] = ` -/^(?!\\.)[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/][^/][^/]*?[^/][^/]*?[^/]$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ??**********?****c 1`] = ` -/^(?!\\.)[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/][^/][^/]*?[^/][^/]*?c$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?.js 1`] = ` 
@@ -3472,27 +3472,27 @@ exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?(x-!(y)|z)b ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?***?**** 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?***?****? 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?[^/]$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?***?****c 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/][^/]*?[^/][^/]*?c$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?*****?? 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]$/ +/^(?!\\.)[^/][^/]*?[^/][^/]$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?*****?c 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]c$/ +/^(?!\\.)[^/][^/]*?[^/]c$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?************c****?**** 1`] = ` -/^(?!\\.)[^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/]*?[^/]*?$/ +/^(?!\\.)[^/][^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ?js 1`] = ` 
@@ -3864,15 +3864,15 @@ exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe ** 3`] = ` ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe *****?? 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/]$/ +/^(?!\\.)[^/]*?[^/][^/]$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe *******? 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]$/ +/^(?!\\.)[^/]*?[^/]$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe *******c 1`] = ` -/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c$/ +/^(?!\\.)[^/]*?c$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe **/.x/** 1`] = ` @@ -3900,7 +3900,7 @@ exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe *\\\\!* 1`] = ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe *c*?** 1`] = ` -/^(?!\\.)[^/]*?c[^/]*?[^/][^/]*?[^/]*?$/ +/^(?!\\.)[^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe *js 1`] = ` 
@@ -4044,43 +4044,43 @@ exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a*[^c] 1`] = ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a**?**cd**?**??***k 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?k$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/][^/]*?k$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a**?**cd**?**??***k** 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?k[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/][^/]*?k[^/]*?$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a**?**cd**?**??k 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a**?**cd**?**??k*** 1`] = ` -/^a[^/]*?[^/]*?[^/][^/]*?[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k[^/]*?$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a*****?c 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]c$/ +/^a[^/]*?[^/]c$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a********???******* 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/][^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?[^/][^/][^/][^/]*?$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a*****c*?** 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/][^/]*?[^/]*?$/ +/^a[^/]*?c[^/]*?[^/][^/]*?$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a****c**?**??***** 1`] = ` -/^a[^/]*?[^/]*?[^/]*?[^/]*?c[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/][^/]*?[^/]*?[^/]*?[^/]*?[^/]*?$/ +/^a[^/]*?c[^/]*?[^/][^/]*?[^/][^/][^/]*?$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a***c 1`] = ` -/^a[^/]*?[^/]*?[^/]*?c$/ +/^a[^/]*?c$/ 
` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a*cd**?**??k 1`] = ` -/^a[^/]*?cd[^/]*?[^/]*?[^/][^/]*?[^/]*?[^/][^/]k$/ +/^a[^/]*?cd[^/]*?[^/][^/]*?[^/][^/]k$/ ` exports[`test/optimization-level-2.ts > TAP > basic tests > makeRe a/.*/b 1`] = `
test/the-sky-is-full-of-stars-at-least-100.ts+5 −0 added@@ -0,0 +1,5 @@ +import t from 'tap' +import { Minimatch } from '../src/index.js' +const me = 'a/*/b' +const sky = 'a/' + '*'.repeat(100) + '/b' +t.strictSame(new Minimatch(sky).set, new Minimatch(me).set)
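Review bot: in the src/ast.ts hunk, `noEmpty && /^[*]+$/.test(glob)` is evaluated inside the character loop every time a star run starts, although neither `noEmpty` nor `glob` changes while the loop runs. Computing it once before the `for`, as a `const` next to `inStar`, keeps the per-character branch cheap and makes the intent (a glob made up only of stars gets `starNoEmpty`) easier to read. The new `*` branch also sits ahead of the `c === '\\'` branch and is only correct because the `escaping` check above it has already consumed an escaped star; a one-line comment saying so would guard against a later reorder.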
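Review bot: the added test in test/the-sky-is-full-of-stars-at-least-100.ts only compares the parsed `set` of `'a/' + '*'.repeat(100) + '/b'` with that of `a/*/b`, so it covers a segment made up entirely of stars and never runs a match. The case the advisory describes, a star run followed by a literal in the same segment, appears only in the regenerated makeRe snapshots such as `*******c`. An assertion in this file that the `makeRe()` source for such a pattern contains a single `[^/]*?`, or that `match()` returns false for a string lacking the literal, would make the regression explicit instead of leaving it to snapshot review.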
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3ppc-4f35-3m26 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26996 (ghsa, ADVISORY)
- github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 (ghsa, x_refsource_MISC, WEB)
- github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 (ghsa, x_refsource_CONFIRM, WEB)