Summary

• Resolve high-severity minimatch ReDoS vulnerability (GHSA-3ppc-4f35-3m26) in production dependencies by upgrading minimatch from 5.1.6/9.0.5 to 10.2.1 in package-lock.json
• Update brace-expansion from 2.0.2 to 5.0.2 and add balanced-match 4.0.3 (required by the new minimatch/brace-expansion versions)
• Applies to two production dependency paths:
  • [email protected] -> minimatch (used by the Python plugin via globSync())
  • archiver -> readdir-glob -> minimatch (used by the esbuild plugin via archive.directory())

Context

minimatch < 10.2.1 is vulnerable to ReDoS via repeated wildcards with non-matching literals. The fix version (10.2.1) declares engines: { node: "20 || >=22" }, but this is a policy decision -- the code is technically compatible with Node.js 18. The upgrade is applied surgically in package-lock.json to avoid bumping parent packages that would require breaking major version changes.

Remaining [email protected] instances are dev-only (jest via test-exclude, tape via dotignore) and do not affect production builds.

Test plan

• npm audit --omit=dev reports no minimatch vulnerabilities
• npm run lint passes
• npm run prettier passes
• npm run test passes (1062 unit tests)
• Direct minimatch API smoke test: 219/219 assertions pass across all Framework patterns (wildcard, globstar, character classes, brace expansion, negation, dot files) comparing v9.0.5 vs v10.2.1 behavior
• Esbuild packaging with brace expansion patterns (*.{json,txt}): production vs source output identical (207 files, zero diff)
• Standard packaging with glob patterns: production vs source output identical
• Python function packaging with slim mode (**/*.py[c|o], **/__pycache__*, **/*.dist-info*): production vs source output identical (90 files, zero diff)