Update minimatch to fix vulnerability CVE-2016-10540 [1.x]

[nutjob4life]

I unfortunately have to ship Plone to government sites which use the Twistlock scanner to check Docker images for vulnerabilities.

Plone 5.2.2's plone.staticresources-1.3.2 includes one such vulnerability: CVE-2016-10540. The issue is that minimatch is at version 0.3.0, but should be ≥ 3.0.2.

The data from Twistlock is:

• CVE ID: CVE-2016-10540
• Type: Javascript
• Severity: high
• Packages: minimatch
• Package version: 0.3.0
• Fix status fixed in ≥ 3.0.2
• Risk factors: Attack complexity: low, Attack vector: network, DoS, Has fix, High severity
• Description: Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

[mauritsvanrees]

I have updated the issue title. When you say "images" I think of photos, not of Docker images. :-)

(I am not the right person to fix this issue though.)

[thet]

There should be an updated plone.staticresources at the end of the Plone 6 UI sprint end this week/early next week.

[nutjob4life]

Thank you both @mauritsvanrees @thet

(Yeah, context matters. I've been "swimming in the Docker pool" for the past several weeks and so "image" and "container" have taken on entirely new meanings for me 😅)

[petschki]

For Plone 6 this can be closed ... should there be a security patch for Plone 5.2 ?