
security: fix picomatch ReDoS vulnerability across all package-lock.json files#83

Merged
John Cunningham (SausCode) merged 2 commits into master from
johncunningham/spo-338-high-picomatch-has-a-redos-vulnerability-via-extglob
on Apr 7, 2026

Conversation


@SausCode John Cunningham (SausCode) commented Apr 7, 2026

Summary

  • Upgrade picomatch 2.3.1 → 2.3.2 in root package-lock.json (ReDoS via extglob quantifiers)
  • Upgrade picomatch 2.3.1 → 2.3.2 in examples/vite-typescript-example/package-lock.json (ReDoS via extglob quantifiers)
  • Upgrade picomatch 4.0.3 → 4.0.4 in examples/vite-typescript-example/package-lock.json (tinyglobby transitive dep, ReDoS via extglob quantifiers)

Resolves Dependabot alerts: #246, #247, #249

Linear Tickets

Small Peer - Security

Closes

  • SPO-338 — picomatch ReDoS via extglob quantifiers (package-lock.json, dependabot #246)
  • SPO-339 — picomatch ReDoS via extglob quantifiers (examples/vite-typescript-example/package-lock.json, dependabot #247)
  • SPO-340 — picomatch ReDoS via extglob quantifiers (examples/vite-typescript-example/package-lock.json, dependabot #249)

Test plan

  • npm audit in root no longer reports picomatch vulnerabilities
  • npm audit in examples/vite-typescript-example no longer reports picomatch vulnerabilities
  • CI passes

🤖 Generated with Claude Code
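As an added illustration (not code from this PR or the react-ditto project): a small JavaScript check that walks a lockfile's `packages` map and reports every copy of picomatch still below the versions this PR bumps to, including the nested copy under tinyglobby that the third bullet describes. The fixed-version table is taken from the version numbers in the description above; the sample lockfile is constructed.

```javascript
// Added example, not part of this PR: report picomatch entries in a
// package-lock.json (lockfileVersion 2/3 "packages" map) that are below the
// versions this PR upgrades to. Thresholds come from the PR description;
// the sample lockfile below is constructed for illustration.
const FIXED_PICOMATCH_BY_MAJOR = { 2: "2.3.2", 4: "4.0.4" };

// Numeric dotted-version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walks every entry of lock.packages, matching both the top-level copy
// ("node_modules/picomatch") and nested copies such as
// "node_modules/tinyglobby/node_modules/picomatch", which is how the
// tinyglobby transitive dependency appears in the lockfile.
function findVulnerablePicomatch(lock, fixedByMajor = FIXED_PICOMATCH_BY_MAJOR) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPicomatch = path === "node_modules/picomatch" ||
      path.endsWith("/node_modules/picomatch");
    if (!isPicomatch || !meta.version) continue;
    const major = Number(meta.version.split(".")[0]);
    const fixed = fixedByMajor[major];
    if (fixed === undefined) {
      // Major lines not covered by the table are flagged for manual review.
      findings.push({ path, version: meta.version, status: "unknown-major" });
    } else if (compareVersions(meta.version, fixed) < 0) {
      findings.push({ path, version: meta.version, status: "vulnerable", fixed });
    }
  }
  return findings;
}

// Constructed sample mirroring the examples/vite-typescript-example case:
// a root picomatch 2.3.1 plus a nested 4.0.3 under tinyglobby.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/picomatch": { version: "2.3.1" },
    "node_modules/tinyglobby": { version: "0.2.0" },
    "node_modules/tinyglobby/node_modules/picomatch": { version: "4.0.3" },
  },
};
```

For a real lockfile, pass `JSON.parse(fs.readFileSync(file, "utf8"))` as `lock`; `npm audit` from the test plan above remains the authoritative check, this only shows where each copy lives.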

@SausCode John Cunningham (SausCode) changed the title from "SPO-338: [high] Picomatch has a ReDoS vulnerability via extglob quantifiers in getditto/react-ditto" to "security: fix picomatch ReDoS vulnerability across all package-lock.json files" Apr 7, 2026
@SausCode John Cunningham (SausCode) marked this pull request as ready for review April 7, 2026 00:23
- Root: picomatch 2.3.1 → 2.3.2
- examples/vite-typescript-example: picomatch 2.3.1 → 2.3.2
- examples/vite-typescript-example (tinyglobby): picomatch 4.0.3 → 4.0.4

Resolves dependabot alerts: #246, #247, #249
Resolves: SPO-338, SPO-339, SPO-340

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@SausCode John Cunningham (SausCode) force-pushed the johncunningham/spo-338-high-picomatch-has-a-redos-vulnerability-via-extglob branch from 579f40b to 617c038 April 7, 2026 00:27
@SausCode John Cunningham (SausCode) merged commit f87d1bd into master Apr 7, 2026
1 check passed
@SausCode John Cunningham (SausCode) deleted the johncunningham/spo-338-high-picomatch-has-a-redos-vulnerability-via-extglob branch April 7, 2026 01:41