Skip to content

security(deps): pin picomatch + minimatch to patched versions (AVO-3258, PR 3 of 3)#1730

Merged
logason merged 1 commit into
mainfrom
claude/exciting-planck-lv2t8j
Jul 6, 2026
Merged

security(deps): pin picomatch + minimatch to patched versions (AVO-3258, PR 3 of 3)#1730
logason merged 1 commit into
mainfrom
claude/exciting-planck-lv2t8j

Conversation

@ada-avo

@ada-avo ada-avo commented Jul 6, 2026

Copy link
Copy Markdown

What & why

Follow-up to AVO-3258 clearing the picomatch + minimatch alerts that were deliberately deferred from PR 1 (#1729) pending a maintainer decision. Solvi approved handling them in a dedicated PR with per-major scoped pins and its own lockfile audit.

All affected consumers are dev/build-time tooling (eslint + plugins, glob, avo CLI, ignore-walk, @typescript-eslint/typescript-estree, micromatch) — none are shipped to docs-site users.

Changes — scoped resolutions, per major

Package From To Consumer Clears
picomatch 2.3.1 2.3.2 micromatch CVE-2026-33671
minimatch 3.1.2 3.1.4 eslint tree + glob CVE-2026-27903/-27904
minimatch 5.1.6 5.1.8 ignore-walk CVE-2026-27903/-27904
minimatch 7.4.6 7.4.8 avo CVE-2026-27903/-27904
minimatch 9.0.5 9.0.9 @typescript-eslint/typescript-estree CVE-2026-27903/-27904

The safe picomatch 4.0.2 / 4.0.3 copies (via tinyglobby / cspell-glob) are left untouched.

minimatch 9.x → 9.0.9 (the deferred red-flag, now resolved)

PR 1 flagged that minimatch@9.0.7 pulls brace-expansion@^5 → balanced-match@^4 → jackspeak — a foundational zero-dep utility suddenly acquiring an unrelated CLI-args parser. Verified on the registry: 9.0.7 and 9.0.8 both carry that chain; 9.0.9 (published 2026-02-26) reverts to brace-expansion@^2.0.2, so the chain is gone. Pinned to 9.0.9 exactly — not 9.0.7/9.0.8.

Yarn 1 mechanism note

minimatch coexists at four majors and picomatch at two, each needed at a different version. Yarn 1 could not express this cleanly (which is why PR 1 deferred it):

  • a bare "minimatch" resolution collapses all majors to one version (breaks the 5/7/9 consumers);
  • plain parent-scoped keys ("ignore-walk/minimatch") do not bind nested consumers — Yarn 1 resolution paths are rooted at the top-level package;
  • range-qualified keys ("minimatch@^5.0.1") are unsupported (parsed as a literal version).

Only the **/<parent>/<pkg> rooted-glob form binds each vulnerable major to its patch without disturbing the safe copies. Verified on disk — exactly four minimatch nodes (3.1.4 / 5.1.8 / 7.4.8 / 9.0.9) and the vulnerable picomatch at 2.3.2.

Verification

  • Every target verified against the registry: publish age > 7 days, not deprecated, no preinstall/install/postinstall scripts (prepare only, which registry installs don't run), dependency-delta clean.
  • Post-install lockfile audit: only minimatch, picomatch, and brace-expansion changed. The new brace-expansion@2.1.1 (pulled by minimatch 7.4.8/9.0.9's ^2.0.2) stays on the clean 2.x → balanced-match@^1.0.0 chain (published 2026-05-25, no install scripts). Every resolved URL on registry.yarnpkg.com/registry.npmjs.org; integrity hashes intact; zero packages added; jackspeak / balanced-match@4 / brace-expansion@5 confirmed absent.
  • yarn build ✅ · yarn lint ✅ · yarn spellcheck ✅ (164 files, 0 issues)

Note: the protocol's live alert re-pull (gh api .../dependabot/alerts) was not available in this session (GitHub REST is not enabled for the agent); this PR relied on the brief's alert list (verified 2026-07-06) plus the per-package registry verification above.

Merge ordering

Independent of #1729 and the Next 15 PR (touches only picomatch/minimatch resolutions). If merged after #1729, expect a trivial resolutions-block union in package.json.


Generated by Claude Code

Summary by CodeRabbit

  • Chores
    • Pinned several indirect dependencies to specific versions to improve consistency across installs and reduce unexpected version drift.
    • Helped make builds and tooling behavior more stable and predictable.

@linear-code

linear-code Bot commented Jul 6, 2026

Copy link
Copy Markdown

AVO-3258

@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 6, 2026 2:16pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 883132c9-5c78-4dca-b5fa-fa91c9360bc0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Added a top-level resolutions field to package.json pinning specific minimatch versions across multiple transitive dependency subpaths, including eslint-related packages.

Changes

Dependency resolution pinning

Layer / File(s) Summary
Add minimatch resolutions
package.json
Adds a resolutions object pinning minimatch to specific versions for various dependency subpaths, including several eslint-related packages.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Estimated code review effort

1 (Trivial) | ~3 minutes

Poem

A hop, a pin, a version fixed,
No more mismatched minimatch mixed,
Through eslint's tangled dependency tree,
My package.json now sits pinned and free.
🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the dependency security fix and matches the main changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/exciting-planck-lv2t8j

Comment @coderabbitai help to get the list of available commands.

…58, PR 3 of 3)

Clears the picomatch/minimatch alerts deferred from PR 1 (#1729). All affected
consumers are dev/build-time tooling (eslint, glob, avo CLI, ignore-walk,
@typescript-eslint/typescript-estree, micromatch), none shipped to docs users.

Scoped yarn resolutions, per-major:
- picomatch  2.3.1 -> 2.3.2  (micromatch)                        CVE-2026-33671
- minimatch  3.1.2 -> 3.1.4  (eslint tree + glob)               CVE-2026-27903/-27904
- minimatch  5.1.6 -> 5.1.8  (ignore-walk)                      CVE-2026-27903/-27904
- minimatch  7.4.6 -> 7.4.8  (avo)                              CVE-2026-27903/-27904
- minimatch  9.0.5 -> 9.0.9  (@typescript-eslint/typescript-estree)  CVE-2026-27903/-27904

minimatch 9.x pinned to 9.0.9 (not 9.0.7/9.0.8): 9.0.7/9.0.8 depend on
brace-expansion@^5 -> balanced-match@^4 -> jackspeak, the suspicious chain
flagged in review. 9.0.9 reverts to brace-expansion@^2.0.2, so that chain is
absent. Verified against the registry (published 2026-02-26, not deprecated,
no install scripts, brace-expansion@^2.0.2 only).

Mechanism note: these pins use the `**/<parent>/<pkg>` rooted-glob form.
Yarn 1's bare-name resolutions collapse all majors to one version, plain
parent-scoped keys do not bind nested consumers, and range-qualified keys are
unsupported; only the `**/` rooted form binds each vulnerable major to its patch
without disturbing the safe picomatch 4.0.x copies.

Lockfile audit: only minimatch, picomatch, and brace-expansion changed. The new
brace-expansion@2.1.1 (pulled by minimatch 7.4.8/9.0.9's ^2.0.2) stays on the
clean 2.x -> balanced-match@^1.0.0 chain (published 2026-05-25, no install
scripts). Every resolved URL is on registry.yarnpkg.com/registry.npmjs.org;
integrity hashes intact; zero new packages; jackspeak / balanced-match@4 /
brace-expansion@5 confirmed absent. Build + lint + spellcheck green.

Note: the mandated live alert re-pull (gh api dependabot/alerts) was not
available in this session (GitHub REST not enabled); relied on the brief's
alert list (verified 2026-07-06) plus per-package registry verification.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018xytCgBQ6DmXUEMKWbKKBH
@ada-avo ada-avo force-pushed the claude/exciting-planck-lv2t8j branch from c846a1d to c5f40c5 Compare July 6, 2026 14:13
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@logason logason merged commit fa2773b into main Jul 6, 2026
4 checks passed
@logason logason deleted the claude/exciting-planck-lv2t8j branch July 6, 2026 14:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants