Skip to content

chore(deps): bump picomatch in /website#22

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/website/multi-bf05dc1ecf
Open

chore(deps): bump picomatch in /website#22
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/website/multi-bf05dc1ecf

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Apr 17, 2026

Bumps and picomatch. These dependencies needed to be updated together.
Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump picomatch in /website
553b47f 
Bumps  and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 17, 2026
@vercel
Copy link
Copy Markdown

vercel bot commented Apr 17, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
aeo-js Ready Ready Preview, Comment Apr 17, 2026 8:26am

Request Review

claude[bot]
claude bot reviewed Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — security patch for picomatch bumping two instances (4.0.3→4.0.4 and 2.3.1→2.3.2) in the website lock file only.

Extended reasoning...

Overview

This PR modifies only website/package-lock.json, updating two entries for picomatch: the top-level dependency (4.0.3→4.0.4) and a nested dependency under anymatch (2.3.1→2.3.2). No source code, configuration, or logic files are changed.

Security Risks

This is a security-motivated update (CVE-2026-33671 and CVE-2026-33672). Applying the patch reduces risk; not applying it would leave known vulnerabilities unaddressed. The change is limited to package-lock.json in the website subdirectory, so there is no production runtime or auth/crypto path impact.

Level of Scrutiny

Very low — this is a Dependabot-generated lock file update with verified hashes. The diff is mechanical: version strings and integrity hashes only. No logic is touched.

Other Factors

No bugs were found. No outstanding reviewer comments exist. The change is isolated to the website build toolchain and does not affect the core library.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants