From 72df69048f695997999c3e99a08ae135a49a6b1e Mon Sep 17 00:00:00 2001 From: John Cunningham Date: Mon, 6 Apr 2026 17:18:57 -0700 Subject: [PATCH 1/2] SPO-338: [high] Picomatch has a ReDoS vulnerability via extglob quantifiers in getditto/react-ditto From 617c03849518a0dec41c83ad9968709f8b2749a3 Mon Sep 17 00:00:00 2001 From: John Cunningham Date: Mon, 6 Apr 2026 17:27:35 -0700 Subject: [PATCH 2/2] security: upgrade picomatch to fix ReDoS vulnerability MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Root: picomatch 2.3.1 → 2.3.2 - examples/vite-typescript-example: picomatch 2.3.1 → 2.3.2 - examples/vite-typescript-example (tinyglobby): picomatch 4.0.3 → 4.0.4 Resolves dependabot alerts: #246, #247, #249 Resolves: SPO-338, SPO-339, SPO-340 Co-Authored-By: Claude Opus 4.6 (1M context)
---
 examples/vite-typescript-example/package-lock.json | 12 ++++++------ package-lock.json | 4 +++- 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/examples/vite-typescript-example/package-lock.json b/examples/vite-typescript-example/package-lock.json
index ac457b7..1ded845 100644
--- a/examples/vite-typescript-example/package-lock.json
+++ b/examples/vite-typescript-example/package-lock.json
@@ -8471,9 +8471,9 @@
 "license": "ISC"
 },
 "node_modules/picomatch": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
- "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+ "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
 "dev": true,
 "license": "MIT",
 "engines": {
@@ -9901,9 +9901,9 @@
 }
 },
 "node_modules/tinyglobby/node_modules/picomatch": {
- "version": "4.0.3",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
- "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+ "version": "4.0.4",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+ "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 "dev": true,
 "license": "MIT",
 "engines": {
diff --git a/package-lock.json b/package-lock.json
index 782c847..0125973 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7724,7 +7724,9 @@
 "license": "ISC"
 },
 "node_modules/picomatch": {
- "version": "2.3.1",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+ "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
 "dev": true,
 "license": "MIT",
 "engines": {