Picomatch is a JavaScript glob matcher that is described as fast and accurate, with no dependencies. It supports standard and extended Bash glob features like braces, extglobs, POSIX brackets, globstars, and regular expressions, and it can be used to create matcher functions for repeated matching of strings.
Project status
- Actively maintained: The repo shows a recent upstream push (2026-04-20), and multiple version lines received fixes in close succession (2026-03-23), indicating ongoing maintenance rather than a frozen/inactive state.
- Update cadence: Several security-focused updates landed on the same day across different versions (2.3.2, 3.0.2, 4.0.4), suggesting a burst of urgent work, with later activity at least through 2026-04-20.
AI summary generated Today
Recent updates
4.0.4
2 months agoRelease 4.0.4 is described as a security release that fixes CVE-2026-33671 and CVE-2026-33672. However, the diff shows additional functional and compatibility changes beyond those CVEs, including environment detection changes, new/extant glob safety behavior, and Node support policy updates.
BreakingSecurityFeatures3.0.2
2 months agoRelease 3.0.2 is described as a security-only patch that fixes multiple security relevant issues (including CVE-2026-33671 and CVE-2026-33672) and a reported exception involving glob patterns with a constructor. However, the actual code diff shows several behavioral and API changes beyond what is documented in the release notes.
BreakingSecurityFeatures2.3.2
2 months agoRelease 2.3.2 is presented as a security release addressing multiple glob-related issues, including CVE-2026-33671 and CVE-2026-33672. The code diff shows additional hardening in the glob parsing layer, including new logic that changes how certain risky extglobs are compiled by default.
SecurityFeatures