Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Snyk is reporting the following high security vulnerabilities with dependencies installed with the latest npm:
Issues with no direct upgrade or patch:
✗ Infinite loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759] in brace-expansion@5.0.4
introduced by npm@11.12.1 > minimatch@10.2.4 > brace-expansion@5.0.4 and 222 other path(s)
This issue was fixed in versions: 1.1.13, 2.0.3, 3.0.2, 5.0.5
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-PICOMATCH-15765511] in picomatch@4.0.3
introduced by npm@11.12.1 > node-gyp@12.2.0 > tinyglobby@0.2.15 > picomatch@4.0.3 and 24 other path(s)
This issue was fixed in versions: 2.3.2, 3.0.2, 4.0.4
Expected Behavior
npm should upgrade dependencies to avoid security issues.
Steps To Reproduce
Reproducing this error requires access to Snyk, but the URLs reporting the security issues in the above report are public.
Environment
This is from a Docker container based on node:25-trixie-slim and upgraded to the latest npm with npm install -g npm@latest.
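To verify the report without Snyk access, the following added example (not part of the original issue, and not npm or Snyk code) walks a tree shaped like `npm ls --all --json` output and classifies each installed copy of the two packages against the fixed versions listed above. The sample tree is constructed from the two paths quoted in the report, `example-parent` is a made-up entry, and reading each fixed version as the patched release of its own major line is an assumption.

```javascript
// Fixed versions copied from the Snyk report above. Treating each entry as the
// patched release of its own major line is an assumption of this example.
const FIXED = new Map([
  ["brace-expansion", ["1.1.13", "2.0.3", "3.0.2", "5.0.5"]],
  ["picomatch", ["2.3.2", "3.0.2", "4.0.4"]],
]);

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || "");
  return m ? m.slice(1).map(Number) : null;
}

// Returns "patched", "vulnerable", or "unknown" (unparseable version, or no
// fixed release listed for that major line).
function classify(name, version) {
  const v = parse(version);
  const fix = (FIXED.get(name) || []).map(parse).find((f) => v && f[0] === v[0]);
  if (!v || !fix) return "unknown";
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fix[i]) return v[i] > fix[i] ? "patched" : "vulnerable";
  }
  return "patched"; // exactly the fixed release
}

// Walk the dependency tree and report every installed copy of a tracked
// package together with the path that pulled it in.
function findAffected(node, name = node.name, trail = []) {
  const here = [...trail, `${name}@${node.version}`];
  const hits = [];
  if (FIXED.has(name)) {
    hits.push({ path: here.join(" > "), status: classify(name, node.version) });
  }
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findAffected(child, dep, here));
  }
  return hits;
}

// Constructed sample: the two paths quoted in the report plus one made-up entry.
const SAMPLE_TREE = { name: "npm", version: "11.12.1", dependencies: {
  minimatch: { version: "10.2.4", dependencies: { "brace-expansion": { version: "5.0.4" } } },
  "node-gyp": { version: "12.2.0", dependencies: { tinyglobby: { version: "0.2.15",
    dependencies: { picomatch: { version: "4.0.3" } } } } },
  "example-parent": { version: "1.0.0", dependencies: { picomatch: { version: "2.3.2" } } },
} };

for (const hit of findAffected(SAMPLE_TREE)) console.log(hit.status, hit.path);
```

To check a real install, pass the parsed JSON from `npm ls --all --json` (run inside the directory of the npm package being audited) to `findAffected` in place of `SAMPLE_TREE`.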