VYPR

npm package

picomatch

pkg:npm/picomatch

Vulnerabilities (2)

  • CVE-2026-33672 | Medium | Mar 26, 2026
    affected >= 4.0.0, < 4.0.4 | fixed 4.0.4

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions

  • CVE-2026-33671 | High | Mar 26, 2026
    affected >= 4.0.0, < 4.0.4 | fixed 4.0.4

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c