
Fix CG alert: update minimatch 5.x to ^5.1.8 across 17 tasks (CVE-2026-27903)#22065

Open · sanjuyadav24 wants to merge 2 commits into master from CopilotSkill/CGFix/2362016

Conversation

@sanjuyadav24
Contributor

@sanjuyadav24 sanjuyadav24 commented Apr 24, 2026

Context

This PR fixes a Component Governance security alert identified in AB#2362016.

Vulnerability Details:

  • CVE ID: CVE-2026-27903
  • Severity: High
  • Type: ReDoS (Regular Expression Denial of Service) in minimatch matchOne() with multiple GLOBSTAR segments
  • Affected Package: minimatch 5.1.6
  • Fix Version: minimatch ^5.1.8

Task Name

17 tasks affected (transitive via owned common packages -> mocha -> minimatch):
CargoAuthenticateV0, DotNetCoreCLIV2, DownloadPackageV0 (deprecated), DownloadPackageV1, GradleV2 (deprecated), GradleV3, GradleV4, MavenV2 (deprecated), MavenV3 (deprecated), MavenV4, NpmAuthenticateV0, NpmV1, NuGetCommandV2, NuGetToolInstallerV0, NuGetToolInstallerV1, PublishSymbolsV2, UseDotNetV2


Description

Added version-scoped override "minimatch@>=5.0.0 <6.0.0": "^5.1.8" in all 17 CG-flagged tasks to fix CVE-2026-27903.

minimatch 5.1.6 was pulled in transitively via owned common packages (azure-pipelines-tasks-packaging-common, azure-pipelines-tasks-codeanalysis-common, azure-pipelines-tasks-codecoverage-tools) through their mocha dependency (mocha -> minimatch and mocha -> glob -> minimatch).

The version-scoped override targets only minimatch 5.x instances without affecting the 3.x instances used by azure-pipelines-task-lib and other packages.


Risk Assessment (Low)

This is a patch-level dependency update within minimatch 5.x (5.1.6 -> 5.1.8).

Upgrade risk analysis (via upgrade-risk-analyzer) from 5.1.6 to 5.1.8: all 26 flagged risks (ESM/CJS changes, Node version drops, API changes) apply only to major version jumps (5.x -> 9.x/10.x) and are not relevant to this patch-level update. No breaking API changes exist between 5.1.6 and 5.1.8.

The fix addresses a ReDoS vulnerability in matchOne() with no functional changes expected.


Change Behind Feature Flag (No)

Dependency updates don't use feature flags.


Tech Design / Approach

  • Added version-scoped override "minimatch@>=5.0.0 <6.0.0": "^5.1.8" in package.json for each task
  • This targets only minimatch 5.x instances (from mocha) without affecting 3.x instances (from task-lib)
  • Regenerated package-lock.json via npm install
  • Task versions bumped per sprint-based rules (sprint 274 week 1 -> Minor 274)

Documentation Changes Required (No)

No documentation changes needed for internal dependency updates.


Unit Tests Added or Updated (No)

No new tests needed -- existing tests validate task functionality.


Additional Testing Performed

  • Built 15 of 17 tasks successfully with node make.js build --task <TaskName> --BypassNpmAudit
  • DotNetCoreCLIV2 and MavenV3 have pre-existing TS build errors (same failure on master, unrelated to this change)
  • Verified minimatch 5.x resolved to 5.1.9 (>=5.1.8) via npm ls minimatch in representative tasks
  • Confirmed 3.x minimatch instances remain unaffected

Logging Added/Updated (No)

No logging changes needed.


Telemetry Added/Updated (No)

No telemetry changes needed.


Rollback Scenario and Process (Yes)

Revert this PR if any issues are found.


Dependency Impact Assessed and Regression Tested (Yes)

  • CG identified all affected tasks via component locations API
  • Upgrade risk analysis performed via upgrade-risk-analyzer; all 26 flagged risks apply to major version jumps only and are not relevant to this 5.1.6 -> 5.1.8 patch update
  • 15/17 tasks build successfully; 2 failures are pre-existing and unrelated
  • Verified minimatch 5.x upgraded to 5.1.9 while 3.x instances remain untouched

Checklist

  • Related issue linked (AB#2362016)
  • Task version was bumped
  • Verified the task behaves as expected

@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).

@sanjuyadav24
Contributor Author

@copilot resolve the merge conflicts in this pull request

Contributor

Copilot AI commented Apr 28, 2026

@copilot resolve the merge conflicts in this pull request

Resolved the merge conflicts in commit 36b5d2d. There were conflicts in Tasks/MavenV4/task.json and Tasks/MavenV4/task.loc.json — master had bumped the patch to 4.273.1 while our branch had the sprint bump to 4.274.0. Kept 4.274.0 as it's the correct sprint-targeted version.

Warning: Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • whatsprintis.it
    • Triggering command: /usr/bin/curl curl -s REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).

@sanjuyadav24 sanjuyadav24 force-pushed the CopilotSkill/CGFix/2362016 branch from 36b5d2d to 26b5697 on April 28, 2026 08:43
@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).


@sanjuyadav24 sanjuyadav24 force-pushed the CopilotSkill/CGFix/2362016 branch from ac7d9f2 to a6346f8 on April 28, 2026 09:24
@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).


@sanjuyadav24 sanjuyadav24 force-pushed the CopilotSkill/CGFix/2362016 branch from 3a1e908 to 509b05c on April 28, 2026 10:24
@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).

@sanjuyadav24 sanjuyadav24 force-pushed the CopilotSkill/CGFix/2362016 branch from 509b05c to 30d5e42 on April 28, 2026 10:28
@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).


…6-27903)

- Added override minimatch@>=5.0.0 <6.0.0: ^5.1.8 to fix transitive CVE
- Affected via owned common packages -> mocha -> minimatch 5.1.6
- ADO Work Item: #2362016

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sanjuyadav24 sanjuyadav24 force-pushed the CopilotSkill/CGFix/2362016 branch from 93ce1af to cb0c977 on April 28, 2026 12:21
@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).

@sanjuyadav24 sanjuyadav24 changed the title from "Fix CG alert: update minimatch 5.x to ^5.1.8 across 17 tasks" to "Fix CG alert: update minimatch 5.x to ^5.1.8 across 17 tasks (CVE-2026-27903)" on Apr 28, 2026
@azure-pipelines

Azure Pipelines:
Successfully started running 3 pipeline(s).
