security(deps): pin picomatch + minimatch to patched versions (AVO-3258, PR 3 of 3)#1730
Conversation
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughAdded a top-level ChangesDependency resolution pinning
Estimated code review effort: 1 (Trivial) | ~3 minutes Estimated code review effort1 (Trivial) | ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
…58, PR 3 of 3) Clears the picomatch/minimatch alerts deferred from PR 1 (#1729). All affected consumers are dev/build-time tooling (eslint, glob, avo CLI, ignore-walk, @typescript-eslint/typescript-estree, micromatch), none shipped to docs users. Scoped yarn resolutions, per-major: - picomatch 2.3.1 -> 2.3.2 (micromatch) CVE-2026-33671 - minimatch 3.1.2 -> 3.1.4 (eslint tree + glob) CVE-2026-27903/-27904 - minimatch 5.1.6 -> 5.1.8 (ignore-walk) CVE-2026-27903/-27904 - minimatch 7.4.6 -> 7.4.8 (avo) CVE-2026-27903/-27904 - minimatch 9.0.5 -> 9.0.9 (@typescript-eslint/typescript-estree) CVE-2026-27903/-27904 minimatch 9.x pinned to 9.0.9 (not 9.0.7/9.0.8): 9.0.7/9.0.8 depend on brace-expansion@^5 -> balanced-match@^4 -> jackspeak, the suspicious chain flagged in review. 9.0.9 reverts to brace-expansion@^2.0.2, so that chain is absent. Verified against the registry (published 2026-02-26, not deprecated, no install scripts, brace-expansion@^2.0.2 only). Mechanism note: these pins use the `**/<parent>/<pkg>` rooted-glob form. Yarn 1's bare-name resolutions collapse all majors to one version, plain parent-scoped keys do not bind nested consumers, and range-qualified keys are unsupported; only the `**/` rooted form binds each vulnerable major to its patch without disturbing the safe picomatch 4.0.x copies. Lockfile audit: only minimatch, picomatch, and brace-expansion changed. The new brace-expansion@2.1.1 (pulled by minimatch 7.4.8/9.0.9's ^2.0.2) stays on the clean 2.x -> balanced-match@^1.0.0 chain (published 2026-05-25, no install scripts). Every resolved URL is on registry.yarnpkg.com/registry.npmjs.org; integrity hashes intact; zero new packages; jackspeak / balanced-match@4 / brace-expansion@5 confirmed absent. Build + lint + spellcheck green. Note: the mandated live alert re-pull (gh api dependabot/alerts) was not available in this session (GitHub REST not enabled); relied on the brief's alert list (verified 2026-07-06) plus per-package registry verification. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018xytCgBQ6DmXUEMKWbKKBH
c846a1d to
c5f40c5
Compare
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
What & why
Follow-up to AVO-3258 clearing the
picomatch+minimatchalerts that were deliberately deferred from PR 1 (#1729) pending a maintainer decision. Solvi approved handling them in a dedicated PR with per-major scoped pins and its own lockfile audit.All affected consumers are dev/build-time tooling (
eslint+ plugins,glob,avoCLI,ignore-walk,@typescript-eslint/typescript-estree,micromatch) — none are shipped to docs-site users.Changes — scoped
resolutions, per majorpicomatchmicromatchminimatchglobminimatchignore-walkminimatchavominimatch@typescript-eslint/typescript-estreeThe safe
picomatch4.0.2 / 4.0.3 copies (viatinyglobby/cspell-glob) are left untouched.minimatch9.x → 9.0.9 (the deferred red-flag, now resolved)PR 1 flagged that
minimatch@9.0.7pullsbrace-expansion@^5 → balanced-match@^4 → jackspeak— a foundational zero-dep utility suddenly acquiring an unrelated CLI-args parser. Verified on the registry: 9.0.7 and 9.0.8 both carry that chain; 9.0.9 (published 2026-02-26) reverts tobrace-expansion@^2.0.2, so the chain is gone. Pinned to 9.0.9 exactly — not 9.0.7/9.0.8.Yarn 1 mechanism note
minimatchcoexists at four majors andpicomatchat two, each needed at a different version. Yarn 1 could not express this cleanly (which is why PR 1 deferred it):"minimatch"resolution collapses all majors to one version (breaks the 5/7/9 consumers);"ignore-walk/minimatch") do not bind nested consumers — Yarn 1 resolution paths are rooted at the top-level package;"minimatch@^5.0.1") are unsupported (parsed as a literal version).Only the
**/<parent>/<pkg>rooted-glob form binds each vulnerable major to its patch without disturbing the safe copies. Verified on disk — exactly fourminimatchnodes (3.1.4 / 5.1.8 / 7.4.8 / 9.0.9) and the vulnerablepicomatchat 2.3.2.Verification
preinstall/install/postinstallscripts (prepareonly, which registry installs don't run), dependency-delta clean.minimatch,picomatch, andbrace-expansionchanged. The newbrace-expansion@2.1.1(pulled byminimatch7.4.8/9.0.9's^2.0.2) stays on the clean2.x → balanced-match@^1.0.0chain (published 2026-05-25, no install scripts). EveryresolvedURL onregistry.yarnpkg.com/registry.npmjs.org; integrity hashes intact; zero packages added;jackspeak/balanced-match@4/brace-expansion@5confirmed absent.yarn build✅ ·yarn lint✅ ·yarn spellcheck✅ (164 files, 0 issues)Merge ordering
Independent of #1729 and the Next 15 PR (touches only
picomatch/minimatchresolutions). If merged after #1729, expect a trivialresolutions-block union inpackage.json.Generated by Claude Code
Summary by CodeRabbit