Security: Vulnerable dependency minimatch@3.1.2 [SNYK-JS-MINIMATCH-15309438, CVE-2026-26996]

[mariuslazarcentrica]

Summary

ember-cli-babel@8.3.1 depends on multiple vulnerable versions of minimatch (3.1.2, 8.0.4, 9.0.5), which are vulnerable to Regular Expression Denial of Service (ReDoS) (High severity).

• Snyk Advisory: https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
• Fix Commit: isaacs/minimatch@2e111f3
• Severity: High

Vulnerability Details

Affected versions of minimatch are vulnerable to ReDoS in the AST class, caused by catastrophic backtracking when an input string contains many * characters in a row followed by an unmatched character.

Example Affected Dependency Paths

minimatch is pulled in through 21 paths in ember-cli-babel@8.3.1. Key paths grouped by vulnerable version:

#	Dependency Path
1	ember-cli-babel → babel-plugin-module-resolver@5.0.2 → glob@9.3.5 → minimatch@8.0.4
2	ember-cli-babel → broccoli-funnel@3.0.8 → minimatch@3.1.2
3	ember-cli-babel → broccoli-funnel@3.0.8 → walk-sync@2.2.0 → minimatch@3.1.2
	few more...

Potential Remediation

1. Fix has been given in minimatch to version 10.2.1 or higher. Upgrade transitive dependencies that pull in vulnerable minimatch versions — broccoli-funnel, broccoli-plugin, broccoli-persistent-filter, broccoli-debug, walk-sync, rimraf, glob, and babel-plugin-module-resolver — to versions that depend on minimatch@>=10.2.1

References

• https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
• isaacs/minimatch@2e111f3