Back to Explore

micromatch/picomatch

GitHub
1 updates · last 90 days2 watchersOpen source

Last release:

Picomatch is a JavaScript glob matcher that is described as fast and accurate, with no dependencies. It supports standard and extended Bash glob features like braces, extglobs, POSIX brackets, globstars, and regular expressions, and it can be used to create matcher functions for repeated matching of strings.

Project status

  • Actively maintained: The upstream repository shows a recent push on 2026-07-02, and the update stream includes 4.0.5 (2026-07-02), plus prior updates in 2026-03-23.
  • Update cadence: After an earlier cluster in late March 2026 (multiple 2026-03-23 updates), another update landed about 9 days later (4.0.5), suggesting an active maintenance cycle rather than a long-term freeze.

AI summary generated

AI-generated from public sources. May be inaccurate. Report

Recent updates

  • 4.0.5

    Release 4.0.5 fixes two matcher correctness issues: the “risky” repeated extglob rewrite no longer drops branches when rewriting into a ReDoS-safe form, and basename matching now properly honors the windows option. The diff shows corresponding test additions for both behaviors.

    Security
  • 4.0.4

    Release 4.0.4 is described as a security release that fixes CVE-2026-33671 and CVE-2026-33672. However, the diff shows additional functional and compatibility changes beyond those CVEs, including environment detection changes, new/extant glob safety behavior, and Node support policy updates.

    BreakingSecurityFeatures
  • 3.0.2

    Release 3.0.2 is described as a security-only patch that fixes multiple security relevant issues (including CVE-2026-33671 and CVE-2026-33672) and a reported exception involving glob patterns with a constructor. However, the actual code diff shows several behavioral and API changes beyond what is documented in the release notes.

    BreakingSecurityFeatures
  • 2.3.2

    Release 2.3.2 is presented as a security release addressing multiple glob-related issues, including CVE-2026-33671 and CVE-2026-33672. The code diff shows additional hardening in the glob parsing layer, including new logic that changes how certain risky extglobs are compiled by default.

    SecurityFeatures
  • 4.0.3

    Release 4.0.3 release notes only mention a fix for an exception when a glob pattern contains `constructor`. However, the actual diff shows a much larger underlying refactor across the project, including changes to platform/path handling, API behavior, and runtime requirements that are not described in the 4.0.3 notes.

    Security
  • 2.3.1

    Picomatch 2.3.1 includes a targeted bug fix for negation extglobs where a pattern fragment following the closing parenthesis was incorrectly converted into a regular expression source. The release notes also mention only documentation improvements otherwise.

  • 2.2.3

    Release 2.2.3 contains two targeted fixes related to glob parsing, specifically around square bracket pattern separation and how negated extglobs are detected. The code changes are small and localized to the parser/lexer behavior plus updated tests.

  • 2.2.2

    Release 2.2.2 was published on 2020-03-21, but the publisher did not provide any release notes. As a result, no specific new features, breaking changes, bug fixes, security updates, or migration guidance can be confirmed from the provided information.