minimatch is a minimal JavaScript glob matching utility. It converts glob expressions into JavaScript RegExp objects and is useful for testing paths against glob patterns, including features like brace expansion, extended globs, and `**` globstar matching. The project notes a security warning about ReDoS risk if patterns are derived from untrusted user input.
Project status
- Actively maintained? Yes, there are recent updates (last upstream push 2026-03-30, newest update v10.2.5 on 2026-03-30). This indicates ongoing maintenance rather than a dormant state.
- Apparent update cadence: In early 2026 there were multiple updates clustered around 2026-02-25 to 2026-03-30 (roughly 2+ months ago from today), suggesting a burst of activity rather than a steady monthly cadence.
AI summary generated 2026-06-11
Recent updates
v10.2.5
2026-03-30Release v10.2.5 has no published release notes. The code diff shows a Windows-specific glob matching behavior fix related to how '..' segments are optimized/collapsed, plus several non-behavioral typing/linting/CI and dependency updates.
v9.0.9
2026-02-26No release notes were provided for v9.0.9. The code diff shows substantial internal changes to globstar and extglob parsing and matching behavior, plus new configuration knobs intended to mitigate worst-case performance.
BreakingSecurityFeaturesv7.4.9
2026-02-25Release v7.4.9 primarily changes the runtime matching behavior for Minimatch when the `partial` option is enabled, particularly around how `**` (globstar) segments are sliced and how match success is determined. It also updates README.md with a prominent ReDoS warning and refreshes package-lock.json with a large dependency churn.
Securityv8.0.7
2026-02-25v8.0.7 makes targeted changes to Minimatch's handling of globstar patterns when the { partial: true } option is enabled. The release notes field is empty (no publisher notes were provided), but the diff shows both a behavior change in matching logic and a new security warning added to the README.
Securityv9.0.8
2026-02-25Release v9.0.8 (published 2026-02-25) has no publisher release notes provided. The code diff shows a targeted change to Minimatch glob matching behavior when the { partial: true } option is enabled, along with expanded test coverage and a README documentation update.
v10.2.4
2026-02-25v10.2.4 appears to focus on improving glob matching behavior when the `partial` option is enabled, plus adding an explicit ReDoS security warning to the README. The release notes section is empty, so the functional changes seen in the code and tests are not documented.
Securityv7.4.8
2026-02-25Release v7.4.8 was published on 2026-02-25, but no release notes were provided. As a result, there is no documented information about new features, bug fixes, security updates, or breaking changes in this release.
v8.0.6
2026-02-25v8.0.6 is a major internal refactor of minimatch’s extglob handling, introducing a new AST-based recursive descent parser that changes how extglobs are compiled to regex. The publisher release notes are missing in the provided data, so the notable behavioral and platform changes below are effectively undocumented.
SecurityFeaturesv9.0.7
2026-02-25Release v9.0.7 makes substantial internal changes to glob parsing and matching (especially around globstar and extglob handling), and it also updates the package build and distribution setup. The release notes section provided here is empty, so the actual published behavior changes are not documented in the supplied notes.
SecurityFeaturesv10.2.3
2026-02-25Release v10.2.3 was published on 2026-02-25, but no release notes were provided by the publisher. As a result, no specific changes, fixes, or migration actions can be confirmed from the release notes.
v10.2.2
2026-02-19Release v10.2.2 has no release notes provided. The diff shown indicates this release is primarily a tooling and dependency/CI update (GitHub Actions workflows, package metadata, and npm lockfile), with no application or library source code changes included in the provided diff.
v10.2.1
2026-02-17v10.2.1 has no publisher release notes. The diff indicates a behavioral change in how minimatch translates glob patterns containing multiple consecutive '*' into regex, along with accompanying test snapshot updates and a new regression test for extremely long star sequences.
v10.2.0
2026-02-12Version v10.2.0 introduces a new `braceExpandMax` option to control how many `{...}` brace-expansion results can be produced. The provided release notes are empty, but the code and tests indicate brace expansion behavior is now capped, which can affect output for very large brace patterns. Most other changes shown in the diff are formatting and test refactoring.
Featuresv10.1.3
2026-02-12v10.1.3 makes a small but meaningful change to how minimatch pulls in brace expansion functionality. The release notes are empty, but the code and dependency graph indicate an underlying dependency swap and version bumps that could affect runtime behavior.
v10.1.2
2026-02-03Release v10.1.2 contains no documented release notes (publisher provided none). The diff shows primarily build and documentation workflow updates plus a dependency bump for brace expansion, along with substantial lockfile churn.
v10.1.1
2025-10-28Release v10.1.1 contains a small set of code changes focused on glob regex generation and TypeScript type exports. No release notes were provided, so the behavioral changes introduced by the implementation are not explicitly documented.
v10.1.0
2025-10-28Release v10.1.0 was published on 2025-10-28, but the publisher did not provide any release notes. As a result, there is no documented information about new features, bug fixes, breaking changes, or security updates in this release.