fix(security): bump minimatch override to >=10.2.3 (GHSA-7r86, GHSA-23c5)

Two high-severity ReDoS vulnerabilities in minimatch >=10.0.0 <10.2.3 via @typescript-eslint transitive dep. Bumps existing pnpm override from >=10.2.1 to >=10.2.3. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 19:48:19 -06:00
parent 5ed0a859da
commit 55abe359f3
2 changed files with 19 additions and 30 deletions
--- a/package.json
+++ b/package.json
@@ -63,7 +63,7 @@
    ],
    "overrides": {
      "@isaacs/brace-expansion": ">=5.0.1",
-      "minimatch": ">=10.2.1",
+      "minimatch": ">=10.2.3",
      "tar": ">=7.5.8",
      "form-data": ">=2.5.4",
      "lodash": ">=4.17.23",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,7 +6,7 @@ settings:

 overrides:
  '@isaacs/brace-expansion': '>=5.0.1'
-  minimatch: '>=10.2.1'
+  minimatch: '>=10.2.3'
  tar: '>=7.5.8'
  form-data: '>=2.5.4'
  lodash: '>=4.17.23'
@@ -1596,6 +1596,7 @@ packages:

  '@mosaicstack/telemetry-client@0.1.1':
    resolution: {integrity: sha512-1udg6p4cs8rhQgQ2pKCfi7EpRlJieRRhA5CIqthRQ6HQZLgQ0wH+632jEulov3rlHSM1iplIQ+AAe5DWrvSkEA==, tarball: https://git.mosaicstack.dev/api/packages/mosaic/npm/%40mosaicstack%2Ftelemetry-client/-/0.1.1/telemetry-client-0.1.1.tgz}
+    engines: {node: '>=18'}

  '@mrleebo/prisma-ast@0.13.1':
    resolution: {integrity: sha512-XyroGQXcHrZdvmrGJvsA9KNeOOgGMg1Vg9OlheUsBOSKznLMDl+YChxbkboRHvtFYJEMRYmlV3uoo/njCw05iw==}
@@ -5776,9 +5777,9 @@ packages:
  minimalistic-assert@1.0.1:
    resolution: {integrity: sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==}

-  minimatch@10.2.1:
-    resolution: {integrity: sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==}
-    engines: {node: 20 || >=22}
+  minimatch@10.2.4:
+    resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==}
+    engines: {node: 18 || 20 || >=22}

  minimist@1.2.8:
    resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==}
@@ -7965,7 +7966,7 @@ snapshots:
      chalk: 5.6.2
      commander: 12.1.0
      dotenv: 17.2.4
-      drizzle-orm: 0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))
+      drizzle-orm: 0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@6.19.2(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(typescript@5.9.3))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))
      open: 10.2.0
      pg: 8.17.2
      prettier: 3.8.1
@@ -8303,7 +8304,7 @@ snapshots:
    dependencies:
      '@eslint/object-schema': 2.1.7
      debug: 4.4.3
-      minimatch: 10.2.1
+      minimatch: 10.2.4
    transitivePeerDependencies:
      - supports-color

@@ -8324,7 +8325,7 @@ snapshots:
      ignore: 5.3.2
      import-fresh: 3.3.1
      js-yaml: 4.1.1
-      minimatch: 10.2.1
+      minimatch: 10.2.4
      strip-json-comments: 3.1.1
    transitivePeerDependencies:
      - supports-color
@@ -10780,7 +10781,7 @@ snapshots:
      '@typescript-eslint/types': 8.54.0
      '@typescript-eslint/visitor-keys': 8.54.0
      debug: 4.4.3
-      minimatch: 10.2.1
+      minimatch: 10.2.4
      semver: 7.7.3
      tinyglobby: 0.2.15
      ts-api-utils: 2.4.0(typescript@5.9.3)
@@ -11291,7 +11292,7 @@ snapshots:
    optionalDependencies:
      '@prisma/client': 5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))
      better-sqlite3: 12.6.2
-      drizzle-orm: 0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))
+      drizzle-orm: 0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@6.19.2(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(typescript@5.9.3))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))
      next: 16.1.6(@babel/core@7.28.6)(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
      pg: 8.17.2
      prisma: 6.19.2(magicast@0.3.5)(typescript@5.9.3)
@@ -11316,7 +11317,7 @@ snapshots:
    optionalDependencies:
      '@prisma/client': 6.19.2(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(typescript@5.9.3)
      better-sqlite3: 12.6.2
-      drizzle-orm: 0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))
+      drizzle-orm: 0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@6.19.2(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(typescript@5.9.3))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))
      next: 16.1.6(@babel/core@7.28.6)(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
      pg: 8.17.2
      prisma: 6.19.2(magicast@0.3.5)(typescript@5.9.3)
@@ -12135,17 +12136,6 @@ snapshots:

  dotenv@17.2.4: {}

-  drizzle-orm@0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)):
-    optionalDependencies:
-      '@opentelemetry/api': 1.9.0
-      '@prisma/client': 5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))
-      '@types/pg': 8.16.0
-      better-sqlite3: 12.6.2
-      kysely: 0.28.10
-      pg: 8.17.2
-      postgres: 3.4.8
-      prisma: 6.19.2(magicast@0.3.5)(typescript@5.9.3)
-
  drizzle-orm@0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@6.19.2(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(typescript@5.9.3))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)):
    optionalDependencies:
      '@opentelemetry/api': 1.9.0
@@ -12156,7 +12146,6 @@ snapshots:
      pg: 8.17.2
      postgres: 3.4.8
      prisma: 6.19.2(magicast@0.3.5)(typescript@5.9.3)
-    optional: true

  dunder-proto@1.0.1:
    dependencies:
@@ -12362,7 +12351,7 @@ snapshots:
      is-glob: 4.0.3
      json-stable-stringify-without-jsonify: 1.0.1
      lodash.merge: 4.6.2
-      minimatch: 10.2.1
+      minimatch: 10.2.4
      natural-compare: 1.4.0
      optionator: 0.9.4
    optionalDependencies:
@@ -12605,7 +12594,7 @@ snapshots:
      deepmerge: 4.3.1
      fs-extra: 10.1.0
      memfs: 3.5.3
-      minimatch: 10.2.1
+      minimatch: 10.2.4
      node-abort-controller: 3.1.1
      schema-utils: 3.3.0
      semver: 7.7.3
@@ -12731,14 +12720,14 @@ snapshots:
    dependencies:
      foreground-child: 3.3.1
      jackspeak: 3.4.3
-      minimatch: 10.2.1
+      minimatch: 10.2.4
      minipass: 7.1.2
      package-json-from-dist: 1.0.1
      path-scurry: 1.11.1

  glob@13.0.0:
    dependencies:
-      minimatch: 10.2.1
+      minimatch: 10.2.4
      minipass: 7.1.2
      path-scurry: 2.0.1

@@ -13374,7 +13363,7 @@ snapshots:

  minimalistic-assert@1.0.1: {}

-  minimatch@10.2.1:
+  minimatch@10.2.4:
    dependencies:
      brace-expansion: 5.0.2

@@ -14110,7 +14099,7 @@ snapshots:

  readdir-glob@1.1.3:
    dependencies:
-      minimatch: 10.2.1
+      minimatch: 10.2.4

  readdirp@3.6.0:
    dependencies:
@@ -14797,7 +14786,7 @@ snapshots:
    dependencies:
      '@istanbuljs/schema': 0.1.3
      glob: 10.5.0
-      minimatch: 10.2.1
+      minimatch: 10.2.4

  text-decoder@1.2.3:
    dependencies: