From 2c878df96fb2bdaee3982f2ddbe3cfc4012c93e9 Mon Sep 17 00:00:00 2001
From: fro-bot <80104189+fro-bot@users.noreply.github.com>
Date: Fri, 27 Mar 2026 05:24:15 +0000
Subject: [PATCH] fix(security): update picomatch override to >=4.0.4

Addresses CVE-2026-33671 (HIGH) and CVE-2026-33672 (MEDIUM)
- ReDoS vulnerability via extglob quantifiers (HIGH)
- Method Injection in POSIX Character Classes (MEDIUM)
- picomatch is a transitive dependency via @bfra.me/eslint-config
- Override forces resolution to patched version >=4.0.4
---
 package.json | 1 +
 pnpm-lock.yaml | 21 +++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/package.json b/package.json
index 67157c760..1a9cd1c37 100644
--- a/package.json
+++ b/package.json
@@ -46,6 +46,7 @@
 "ajv@8": "8.18.0",
 "flatted": ">=3.4.2",
 "minimatch": ">=10.2.3",
+ "picomatch": ">=4.0.4",
 "undici": ">=7.24.0",
 "yaml": ">=2.8.3"
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d88f26e0a..0c76c64e2 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -8,6 +8,7 @@ overrides:
 ajv@8: 8.18.0
 flatted: '>=3.4.2'
 minimatch: '>=10.2.3'
+ picomatch: '>=4.0.4'
 undici: '>=7.24.0'
 yaml: '>=2.8.3'
 
@@ -800,7 +801,7 @@ packages:
 resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
 engines: {node: '>=12.0.0'}
 peerDependencies:
- picomatch: ^3 || ^4
+ picomatch: '>=4.0.4'
 peerDependenciesMeta:
 picomatch:
 optional: true
@@ -1179,8 +1180,8 @@ packages:
 picocolors@1.1.1:
 resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==}
 
- picomatch@4.0.3:
- resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==}
+ picomatch@4.0.4:
+ resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
 engines: {node: '>=12'}
 
 pkg-types@1.3.1:
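Review bot: The added `"picomatch": ">=4.0.4"` override in the package.json hunk has no upper bound, so any future major release of picomatch satisfies it, and the pnpm-lock.yaml hunk at `@@ -800,7 +801,7 @@` shows the override already rewriting a dependant's peer range from `^3 || ^4` to `'>=4.0.4'`, which removes that package's own compatibility guard on the next resolution. This matches the existing `minimatch`, `undici` and `yaml` overrides, so it is a point about the style of the whole overrides block rather than a new defect, and the lockfile's resolution to `picomatch@4.0.4` is what actually fixes the version today. A bounded spec such as `"picomatch": ">=4.0.4 <5"` would keep the fix for CVE-2026-33671 and CVE-2026-33672 while preventing an unreviewed major jump on a later install. The enclosing overrides object begins before the start of the hunk.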
@@ -1621,7 +1622,7 @@ snapshots:
 eslint-visitor-keys: 4.2.1
 espree: 10.4.0
 estraverse: 5.3.0
- picomatch: 4.0.3
+ picomatch: 4.0.4
 
 '@tybys/wasm-util@0.10.1':
 dependencies:
@@ -2244,9 +2245,9 @@ snapshots:
 dependencies:
 format: 0.2.2
 
- fdir@6.5.0(picomatch@4.0.3):
+ fdir@6.5.0(picomatch@4.0.4):
 optionalDependencies:
- picomatch: 4.0.3
+ picomatch: 4.0.4
 
 file-entry-cache@8.0.0:
 dependencies:
@@ -2767,7 +2768,7 @@ snapshots:
 
 picocolors@1.1.1: {}
 
- picomatch@4.0.3: {}
+ picomatch@4.0.4: {}
 
 pkg-types@1.3.1:
 dependencies:
@@ -2886,8 +2887,8 @@ snapshots:
 
 tinyglobby@0.2.15:
 dependencies:
- fdir: 6.5.0(picomatch@4.0.3)
- picomatch: 4.0.3
+ fdir: 6.5.0(picomatch@4.0.4)
+ picomatch: 4.0.4
 
 to-valid-identifier@1.0.0:
 dependencies:
@@ -2904,7 +2905,7 @@ snapshots:
 
 ts-declaration-location@1.0.7(typescript@5.9.3):
 dependencies:
- picomatch: 4.0.3
+ picomatch: 4.0.4
 typescript: 5.9.3
 
 tslib@2.8.1: