Skip to content

Add wildcard pattern support for core modules #3200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Add wildcard pattern support for core modules #3200

wants to merge 10 commits into from
+90 −2

Conversation

andymai
Copy link

@andymai andymai commented Jul 18, 2025
edited
Loading

Summary

Addresses: #1281

  • Add support for wildcard patterns in import/core-modules setting
  • Allow * to match multiple modules like @my-monorepo/* or @my-*/*
  • Update documentation with examples of wildcard usage

Changes

  • Modified src/core/importType.js to support wildcard pattern matching
  • Added comprehensive test cases for wildcard patterns
  • Updated README.md with wildcard pattern examples

Test plan

  • All existing tests pass
  • Added tests for basic wildcard patterns (@my-monorepo/*)
  • Added tests for multiple wildcard patterns (@my-*/*)
  • Added tests for mixed exact matches and wildcards
  • Added tests for resources inside wildcard core modules
  • Updated no-extraneous-dependencies rule tests

@andymai @claude
[Feature] Add wildcard pattern support for core modules
0b83981 
Add support for wildcard patterns in import/core-modules setting, allowing
* to match multiple modules like @my-monorepo/* or @My-*/*.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@andymai andymai marked this pull request as draft July 18, 2025 19:45
andymai added 4 commits July 18, 2025 12:46
@andymai
Fix linting errors
0832edd
@andymai
Fix dangerous bare wildcard security issue
4f8e4d2 
Prevent '*' pattern from matching all modules, which would disable
dependency analysis and create security vulnerabilities.

- Add safety check for bare wildcard patterns
- Add comprehensive test coverage for security edge cases
- Ensure valid wildcard patterns still work correctly
@andymai
Implement robust dangerous pattern detection
4c93ab4 
Enhance security validation to catch a broader range of dangerous
wildcard patterns that could disable dependency analysis:

- Block double wildcards (**)
- Block overly broad patterns (*/*)
- Block regex-style wildcards (.*)
- Block patterns that are too short and broad (a*, *a)
- Block multiple wildcards except for valid @namespace/* patterns
- Add comprehensive test coverage for all dangerous patterns
- Maintain support for legitimate use cases

This prevents accidental or malicious disabling of ESLint's
dependency analysis while preserving intended functionality.
@andymai
Fix wildcard pattern validation for multiple wildcards
425f040 
Allow legitimate multi-wildcard patterns like @My-*/* while still
blocking dangerous patterns:

- Allow @namespace/* patterns (including @My-*/* style patterns)
- Block dangerous patterns like *foo*, foo*bar*, */*/*
- Fix regex escaping issue
- Update comprehensive test coverage
- All 2996 tests now pass
@codecov Codecov
Copy link

codecov bot commented Jul 18, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.49%. Comparing base (01c9eb0) to head (4d8bde5).

Additional details and impacted files 
@@             Coverage Diff             @@
##             main    #3200       +/-   ##
===========================================
+ Coverage   82.25%   95.49%   +13.24%     
===========================================
  Files          94       83       -11     
  Lines        4283     3688      -595     
  Branches     1478     1331      -147     
===========================================
- Hits         3523     3522        -1     
+ Misses        760      166      -594

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@andymai andymai marked this pull request as ready for review July 18, 2025 21:24
@andymai andymai mentioned this pull request Jul 18, 2025
Open
ljharb
ljharb requested changes Jul 18, 2025
View reviewed changes
andymai and others added 3 commits July 18, 2025 15:49
@andymai @claude
Replace dynamic regex with minimatch for CVE security
d9115f8 
- Replace dangerous [\s\S]*? regex patterns with minimatch glob matching
- Eliminate all dynamic regex construction in wildcard pattern matching
- Use safe string operations instead of regex for wildcard counting
- Maintain same functionality while preventing ReDoS vulnerabilities

Addresses PR feedback about CVE security risks from dynamic regex patterns.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@andymai @claude
Add security tests to prevent dynamic regex CVE vulnerabilities
ee448c1 
- Add tests to verify no dynamic regex patterns like [\s\S]*? are used
- Test that dangerous patterns (*, .*, **, */*) are blocked by security validation
- Verify safe minimatch glob matching is used instead of regex construction
- Ensure ReDoS (Regular Expression Denial of Service) prevention
- Tests follow existing codebase patterns and integrate with importType tests

Addresses PR feedback about CVE security risks from dynamic regex patterns.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@andymai @claude
Fix ESLint formatting issues in security tests
54bcadc 
- Fix indentation to match codebase style
- Remove trailing spaces
- Add parentheses around arrow function parameters
- Ensure consistent spacing

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
ljharb
ljharb reviewed Jul 21, 2025
View reviewed changes
src/core/importType.js Outdated
Comment on lines 26 to 27

function isDangerousPattern(pattern) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need this function at all now that it's just using minimatch?

@andymai andymai requested a review from ljharb July 22, 2025 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ljharb ljharb Awaiting requested review from ljharb

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@andymai @ljharb