CVE-2026-26996 high severity vulnerability in minimatch@3 used in @actions/glob & @actions/cache

## Situation

`npm audit` reports a high severity vulnerability CVE-2026-26996 (https://github.com/advisories/GHSA-3ppc-4f35-3m26) in [minimatch@3.1.2](https://www.npmjs.com/package/minimatch/v/3.1.2) using [@actions/glob@0.6.1](https://github.com/actions/toolkit/blob/main/packages/glob/RELEASES.md)

[minimatch@3.1.2](https://www.npmjs.com/package/minimatch/v/3.1.2) is a legacy version, released on Feb 15, 2022

The latest version is [minimatch@10.2.1](https://www.npmjs.com/package/minimatch)

## Steps to reproduce

```shell
cd $(mktemp -d)
npm install @actions/cache @actions/glob
npm audit
```

## Logs

```text
$ npm audit
# npm audit report

minimatch  <10.2.1
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
No fix available
node_modules/minimatch
  @actions/glob  *
  Depends on vulnerable versions of minimatch
  node_modules/@actions/glob
    @actions/cache  *
    Depends on vulnerable versions of @actions/glob
    node_modules/@actions/cache

3 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.
```


## Suggestion

Update to [minimatch@10.2.1](https://www.npmjs.com/package/minimatch) or above

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2026-26996 high severity vulnerability in minimatch@3 used in @actions/glob & @actions/cache #2305

Situation

Steps to reproduce

Logs

Suggestion

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2026-26996 high severity vulnerability in minimatch@3 used in @actions/glob & @actions/cache #2305

Description

Situation

Steps to reproduce

Logs

Suggestion

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions