Description
@electron/packager@19.0.5 pulls in vulnerable versions of minimatch through its transitive dependencies.
CVE: CVE-2026-26996 / GHSA-3ppc-4f35-3m26
Severity: High (8.7/10 CVSS v4)
Published: February 17, 2026
Fixed in: minimatch@10.2.1
Dependency chains
@electron/packager@19.0.5
→ @electron/universal@3.0.2
→ dir-compare@4.2.0
→ minimatch@3.1.2 (vulnerable)
→ minimatch@9.0.5 (vulnerable)
Vulnerability details
minimatch is vulnerable to ReDoS when a glob pattern contains many consecutive * wildcards followed by a non-matching literal character. Each * compiles to a [^/]*? regex group, causing exponential backtracking. With N=15 wildcards, a single call takes ~2 seconds. With N=34, it hangs forever. Time complexity: O(4^N).
npm audit output
minimatch <10.2.1
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
https://github.com/advisories/GHSA-3ppc-4f35-3m26
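An added example, not part of the original report or the project's code: a Node.js check that lists every minimatch copy below the fixed version 10.2.1 in a package-lock.json `packages` map (lockfileVersion 2 or 3). The `sampleLock` object is constructed for illustration, and where each minimatch copy sits in it is an assumption; `isBelow` and `findVulnerable` are hypothetical helper names.

```javascript
const FIXED = "10.2.1"; // "Fixed in" version stated in the report above

// Compare plain x.y.z versions numerically (prerelease tags are not handled).
function isBelow(version, fixed) {
  const a = version.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Return [{ path, version, parent }] for each install location below `fixed`.
function findVulnerable(lock, name = "minimatch", fixed = FIXED) {
  const suffix = "node_modules/" + name;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match only the exact package name, hoisted or nested.
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (!meta.version || !isBelow(meta.version, fixed)) continue;
    // The package owning the nested node_modules folder, if any.
    const owner = path.slice(0, -suffix.length).replace(/\/$/, "");
    const parent = owner ? owner.split("node_modules/").pop() : "(hoisted to root)";
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// Constructed sample lockfile: versions come from the report, layout is assumed.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/@electron/packager": { version: "19.0.5" },
    "node_modules/@electron/universal": { version: "3.0.2" },
    "node_modules/@electron/universal/node_modules/minimatch": { version: "9.0.5" },
    "node_modules/dir-compare": { version: "4.2.0" },
    "node_modules/dir-compare/node_modules/minimatch": { version: "3.1.2" },
    "node_modules/minimatch": { version: "10.2.1" }, // already at the fixed version
  },
};

for (const hit of findVulnerable(sampleLock)) {
  console.log(`${hit.parent} -> minimatch@${hit.version} (${hit.path})`);
}
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's package-lock.json.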