chore: bump version of minimatch due to security issue PRISMA-2022-0039

[opravil-jan]

Prerequisites checklist

• I have read the contributing guidelines.

What is the purpose of this pull request? (put an "X" next to an item)

[ ] Documentation update
[ ] Bug fix (template)
[ ] New rule (template)
[ ] Changes an existing rule (template)
[ ] Add autofix to a rule
[ ] Add a CLI option
[ ] Add something to the core
[x ] Other, please explain: fixing security issue by bump package version

What changes did you make? (Give an overview)

Is there anything you'd like reviewers to focus on?

[nzakas]

Can you please link the security bulletin so we can review?

[opravil-jan]

Hi,
here is print screen from out vulnerability management Prisma with link to code

Link to the repo where it is describe and fix: isaacs/minimatch@a8763f4
Link to bounty where the vulnerability was discussed: https://huntr.dev/bounties/e4e1393c-d590-4492-9f43-8be3f3321629/

[nzakas]

Can you link to the CVE directly? The code doesn’t tell us anything.

[opravil-jan]

Vulnerability management: https://www.paloaltonetworks.com/prisma/cloud

Link to the repo where it is describe and fix: isaacs/minimatch@a8763f4
Link to bounty where the vulnerability was discussed: https://huntr.dev/bounties/e4e1393c-d590-4492-9f43-8be3f3321629/

[nzakas]

Thanks. We need to coordinate this with changes in the main repo.

Note that the vulnerability does not affect ESLint users because it’s not a server application accepting unknown inputs.

[snitin315]

I tried this PR against the latest main branch of eslint, all tests seem to pass - snitin315/eslint#1

[nzakas]

Thanks! Can you try creating a draft pull request to the main repo with your work so the CI will trigger? We had failures in the main repo on the PR that makes this same upgrade directly in the eslint repo.

[mdjermanovic]

While the following usage apparently isn't covered by the test cases, and perhaps isn't something we intended to support, I've just tried it with the current ESLint v8.14.0 and it works on Windows (I'm getting no-undef errors in foo\bar.js file):

module.exports = {
    overrides: [{
        files: ["foo\\bar.js"],
        rules: {
            "no-undef": "error"
        }
    }]
};

However, when I replace minimatch v3 with minimatch v5, it doesn't work anymore.

This seems like a risky change, so maybe we could leave it for the next major version, and in the meantime just update the dependency requirement to "minimatch": "^3.1.2" if that will fix the security issue?

[nzakas]

This seems like a risky change, so maybe we could leave it for the next major version, and in the meantime just update the dependency requirement to "minimatch": "^3.1.2" if that will fix the security issue?

Agree, though I’d add let’s wait for the new config system before risking a major upgrade.

[mdjermanovic]

It seems we agree to postpone using minimatch v5.

@opravil-jan can you update this PR and eslint/eslint#15774 to minimatch v3.1.2?

[opravil-jan]

Hi, for me it is okay. Thank you guys