{"id":11332,"library":"minimatch","title":"Glob Pattern Matcher","description":"Minimatch is a JavaScript utility library that provides robust glob matching functionality, converting glob expressions into JavaScript `RegExp` objects for efficient pattern matching. It is famously used internally by npm for its file system operations. The current stable version is 10.2.5, with releases typically occurring as needed to address bugs, enhance features, or align with npm's requirements. Key features include support for brace expansion, extended glob matching, globstar (`**`), and Posix character classes (e.g., `[[:alpha:]]`), which are Unicode-aware. A critical aspect of minimatch is its explicit warning regarding Regular Expression Denial of Service (ReDoS) vulnerabilities, advising users to never use untrusted input as glob patterns due to the inherent risks of RegExp-based matching. It also provides specific guidance for Windows users, emphasizing the exclusive use of forward slashes in glob expressions to avoid misinterpretation of backslashes as escape characters.","status":"active","version":"10.2.5","language":"javascript","source_language":"en","source_url":"ssh://git@github.com/isaacs/minimatch","tags":["javascript","typescript"],"install":[{"cmd":"npm install minimatch","lang":"bash","label":"npm"},{"cmd":"yarn add minimatch","lang":"bash","label":"yarn"},{"cmd":"pnpm add minimatch","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"Minimatch is a named export, not a default export.","wrong":"import minimatch from 'minimatch'","symbol":"minimatch","correct":"import { minimatch } from 'minimatch'"},{"note":"When using CommonJS require, the `minimatch` function is a named property of the module object, requiring destructuring.","wrong":"const minimatch = require('minimatch')","symbol":"minimatch (CJS)","correct":"const { minimatch } = require('minimatch')"},{"note":"For advanced usage or pre-compiling patterns, the `Minimatch` class can be imported. The class name is capitalized.","wrong":"import { minimatch } from 'minimatch'; new minimatch(...)","symbol":"Minimatch class","correct":"import { Minimatch } from 'minimatch'"}],"quickstart":{"code":"import { minimatch, Minimatch } from 'minimatch';\n\n// Basic usage\nconsole.log(minimatch('foo/bar/baz.js', 'foo/**/baz.js')); // true\nconsole.log(minimatch('foo/bar/file.txt', '*.txt'));       // false (needs path)\nconsole.log(minimatch('file.txt', '*.txt'));               // true\n\n// With options: debug and nobrace\nconst pattern = 'a/{b,c}/d';\nconst options = { debug: false, nobrace: false };\nconsole.log(minimatch('a/b/d', pattern, options)); // true\nconsole.log(minimatch('a/c/d', pattern, options)); // true\n\n// Using the Minimatch class for pre-compiled patterns\nconst mm = new Minimatch('src/**/*.ts', { matchBase: true });\nconsole.log(mm.match('src/components/button.ts')); // true\nconsole.log(mm.match('dist/index.js'));             // false\n\n// Example with Posix character classes (Unicode aware)\nconsole.log(minimatch('é', '[[:alpha:]]')); // true\nconsole.log(minimatch('123', '[[:digit:]]')); // false\n","lang":"typescript","description":"Demonstrates basic glob matching, usage with options, and pre-compiling patterns with the `Minimatch` class, including Unicode-aware Posix character classes."},"warnings":[{"fix":"Never use user-provided input directly as a glob pattern without rigorous sanitization or whitelisting. Consider alternative matching strategies for untrusted inputs that do not rely on RegExp.","message":"Glob patterns derived from untrusted user input can lead to Regular Expression Denial of Service (ReDoS) attacks due to the library's reliance on JavaScript regular expressions. This is an inherent risk for any RegExp-based matcher.","severity":"gotcha","affected_versions":"all"},{"fix":"Always normalize paths to use forward slashes (`/`) before passing them to minimatch as patterns. For example, use `path.posix.normalize(myPath)` or `myPath.replace(/\\\\/g, '/')` for pattern construction.","message":"On Windows, glob expressions must exclusively use forward slashes ('/') as path separators. Backslashes ('\\') will always be interpreted as escape characters within patterns, leading to incorrect matching.","severity":"gotcha","affected_versions":"all"},{"fix":"Upgrade your Node.js runtime to a compatible version (18, 20, or >=22) to use minimatch version 10 and above.","message":"This package requires Node.js version 18, 20, or greater than or equal to 22. Older Node.js versions are not supported.","severity":"breaking","affected_versions":"<18.0.0"},{"fix":"For the latest ReDoS mitigations (when available), upgrade to the newest major version of minimatch. Be aware that older versions will not receive such security updates.","message":"Future versions of minimatch may introduce a different matching algorithm to mitigate ReDoS. These improvements will NOT be backported to legacy versions. Any future ReDoS reports against older versions will be considered 'working as intended' due to inherent RegExp limitations.","severity":"deprecated","affected_versions":"<10.0.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Review glob pattern sources. If patterns originate from user input, implement strict sanitization or whitelisting. Avoid using complex patterns with untrusted input.","cause":"A complex or maliciously crafted glob pattern caused excessive backtracking in the underlying regular expression engine, leading to a ReDoS condition.","error":"RangeError: Maximum call stack size exceeded"},{"fix":"Ensure all glob patterns consistently use forward slashes (`/`) as path separators, even when running on Windows. Convert any `\\` to `/` in the pattern string.","cause":"On Windows, backslashes (`\\`) in glob patterns are interpreted as escape characters, not path separators, causing patterns like `foo\\bar` to match `foo\\bar` exactly, not `foo/bar`.","error":"Glob pattern with backslashes on Windows does not match expected files."},{"fix":"Use a named import for ESM: `import { minimatch } from 'minimatch'`. For CommonJS, use destructuring: `const { minimatch } = require('minimatch')`.","cause":"Attempting to use `minimatch` as a default import (e.g., `import minimatch from 'minimatch'`) or without destructuring in CommonJS (e.g., `const minimatch = require('minimatch')`).","error":"TypeError: minimatch is not a function OR TypeError: minimatch is not iterable"}],"ecosystem":"npm"}