check deps/minimatch

[richardlau]

We should check for minimatch vulnerabilities since we have deps/minimatch.

FWIW Context for this was a discussion at Red Hat re. CVE-2026-26996 (which should be addressed by nodejs/node#61830).

[marco-ippolito]

Do minimatch vulns:
https://nvd.nist.gov/vuln/detail/CVE-2026-26996
https://nvd.nist.gov/vuln/detail/CVE-2026-27903
https://nvd.nist.gov/vuln/detail/CVE-2026-27904
affect npm on v20 and v22? @wraithgar

[wraithgar]

v22 should be cleared in any case by nodejs/node#62110.

npm uses minimatch for a lot of things, and many of those things are given items from a package.json directly. Here is most of them:

• parsing workspaces
• parsing :path in npm query
• as part of the untar process in npm diff to filter which files to diff (the positional args are passed to minimatch)

It is also the an underlying tool in glob itself, which is used for:

• finding man files for npm help (no user input here)
• parsing workspaces
• walking the cache (no user input here)
• finding man and bin entries from when normalizing package.json (these paths are user input)