Issue 184609
Summary [MLIR] Old minimatch dependency causing security alerts
Labels mlir
Assignees
Reporter StephanTLavavej
MLIR has a `"minimatch": "^3.0.5"` dependency:

https://github.com/llvm/llvm-project/blob/0af2d43e06415ce1e8a5d49e864c3881048dd08b/mlir/utils/vscode/package.json#L43
https://github.com/llvm/llvm-project/blob/0af2d43e06415ce1e8a5d49e864c3881048dd08b/mlir/utils/vscode/package-lock.json#L13

Automated security scanning tools are reporting that this version of minimatch was vulnerable to [CVE-2026-27903][] and [CVE-2026-27904][]. (In my case, MSVC uses llvm-project as a submodule for ASan and libcxx's test suite, which is why Microsoft's scans are looking into LLVM sources.)

Can you update your minimatch dependency? There's a 3.x patch release if you want to remain on that version, or you could potentially move to the latest 10.x release (I don't know if you'd have compatibility issues with other packages, though).

[CVE-2026-27903]: https://nvd.nist.gov/vuln/detail/CVE-2026-27903
[CVE-2026-27904]: https://nvd.nist.gov/vuln/detail/CVE-2026-27904
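Before and after bumping the range, it helps to know which minimatch versions the lockfile actually pins, since a nested duplicate under another package can stay old even when the top-level copy moves. The script below is an added example, not code from the bug report or the LLVM repo; the sample lockfile and the `FIXED_IN` value are constructed placeholders, not the real advisory data.

```python
"""List every copy of a package recorded in an npm package-lock.json and
flag the ones older than the first fixed release on their major line.
Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages")."""
import json
import re

# Placeholder: the page does not state which 3.x patch release fixes the CVEs.
FIXED_IN = {3: "3.1.0"}


def parse_semver(version):
    """Return (major, minor, patch); build/pre-release suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def installed_versions(lock, name):
    """Yield (path, version) for each installed copy of `name`, nested ones included."""
    # lockfileVersion 2/3: keys like "node_modules/glob/node_modules/minimatch"
    for path, info in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == name and "version" in info:
            yield path, info["version"]

    def walk(deps, prefix):  # lockfileVersion 1: recursive "dependencies" tree
        for dep, info in deps.items():
            here = f"{prefix}node_modules/{dep}"
            if dep == name and "version" in info:
                yield here, info["version"]
            yield from walk(info.get("dependencies", {}), here + "/")

    if "packages" not in lock:  # v2 files carry both maps; avoid double counting
        yield from walk(lock.get("dependencies", {}), "")


def audit(lock, name, fixed_in):
    """Return [(path, version, status)]; status is vulnerable/fixed/unknown."""
    report = []
    for path, version in installed_versions(lock, name):
        v = parse_semver(version)
        fixed = fixed_in.get(v[0])
        if fixed is None:
            status = "unknown"  # no fix data recorded for this major line
        else:
            status = "vulnerable" if v < parse_semver(fixed) else "fixed"
        report.append((path, version, status))
    return report


# Constructed sample lockfile (v3 layout) with a top-level and a nested copy.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"dependencies": {"minimatch": "^3.0.5"}},
  "node_modules/minimatch": {"version": "3.0.5"},
  "node_modules/glob/node_modules/minimatch": {"version": "3.1.2"},
  "node_modules/glob": {"version": "7.2.3"}}}""")

if __name__ == "__main__":
    for row in audit(SAMPLE_LOCK, "minimatch", FIXED_IN):
        print(*row)
```

Against a real checkout, load `mlir/utils/vscode/package-lock.json` and replace `FIXED_IN` with the advisory's fixed versions per major line.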

_______________________________________________
llvm-bugs mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs