Bump picomatch from 2.3.1 to 2.3.2

[barretts]

3PP Grackle (automated dependency triage -- Frontend DX) -- babysit (AT run 8a9f560b)

Summary

Fixes 2 HIGH severity 3PP vulnerabilities in picomatch (GHSA-c2c7-rcm5-vvqj, GHSA-3v7f-55p6-f55p).

picomatch prior to 2.3.2 is vulnerable to two high-severity advisories that were first patched in 2.3.2. The package appears in this repo only via build/test toolchain parents.

Production risk: Build-time only
Build-time only: picomatch is pulled in transitively by @babel/cli and np, both of which are devDependencies. It is not loaded by the published react-malibu library at runtime. See the Risk Classification section below for the canonical copy for each tier.

Strategy: override

Changes

package.json

Added 2 version-range-specific resolutions entries forcing picomatch to the patched version under the two parent chains that pull it in:

"@babel/cli/**/picomatch": "^2.3.2",
"np/**/picomatch": "^2.3.2"

Why scoped (parent-selector) resolutions instead of a global "picomatch": "^2.3.2"? picomatch appears in the tree twice -- older 2.x under the babel/np toolchain and 4.x elsewhere. A global override would attempt to collapse both versions and risk breaking packages that declare a peer range like picomatch@^4. The <parent>/**/picomatch selectors isolate the fix to the two vulnerable chains (@babel/cli and np) without touching the 4.x resolution. Upgrading the direct parents does not re-resolve their locked transitives, so a resolutions override is the minimal-risk way to force the lockfile to pick up the patched 2.3.2 line.

yarn.lock

Lockfile re-resolved so picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.3.1, picomatch@^2.3.2 now points at 2.3.2 (previously 2.3.1). No other packages changed.

Risk Classification

Classification	When to use	PR copy
Runtime	Vulnerable package reaches the production code path (any path from a dependencies entry)	"This vulnerability is reachable in production. Priority: HIGH."
Build-time	Vulnerable package only appears under devDependencies and its parents are build tools (webpack, babel, ember-cli)	"This vulnerability exists only in build-tool dependencies. Production risk: NONE. Remediation prevents scanner noise and supply-chain exposure during CI."
Test-only	Vulnerable package only appears under test-framework parents (jest, mocha, vitest, karma)	"This vulnerability exists only in test framework dependencies. Production risk: NONE."

This PR: Build-time. picomatch parents are @babel/cli (babel build tool) and np (release tool), both devDependencies.

Vulnerabilities Fixed

CVE/GHSA	Package	Severity	Fixed Version
GHSA-c2c7-rcm5-vvqj	picomatch	high	^2.3.2
GHSA-3v7f-55p6-f55p	picomatch	high	^2.3.2

How to Test

# Install with the pinned node from engines (20.x or 22.12+)
yarn install

# Lint, build, test -- all must pass
yarn run lint
yarn run build
yarn run test

# Confirm picomatch is at the patched version in the toolchain paths
yarn why picomatch

Exercise the affected surface by running the full test suite (the babel/register pipeline and vite build both load picomatch transitively via micromatch/anymatch). No application code imports picomatch directly, so the smoke path is the build/test pipeline itself.

Validation

Validation was run on the PR head branch (babysit/5cc97b07/picomatch) with node 20.19.6 (satisfies engines.node=^20.19.0 || >=22.12.0):

• Install (post-fix): PASS (yarn install)
• Lint (post-fix): PASS (exit 0)
• Build (post-fix): PASS (exit 0)
• Tests (post-fix): PASS (exit 0, 10 passing)

Full log: .logs/babysit-rebody-validate-1777138112.log.

Notes

• Dependency chain: react-malibu -> @babel/cli -> ... -> picomatch@2.3.1 and react-malibu -> np -> ... -> picomatch@2.3.1. Both now resolve to 2.3.2 via the scoped resolutions entries.
• No source changes; this is a lockfile + resolutions-only fix. The patched 2.3.2 is API-compatible with 2.3.1 (patch release).
• The 4.x line of picomatch is unaffected by these advisories and is left untouched.

---

_{skill-sig: 26cfcbaf · grackle-sig: 8a9f560b · 3pp-skill canonical pipeline · 3pp-grackle babysit}

[barretts]

3PP Grackle (automated dependency triage -- Frontend DX)

Grackle review -- no-CI patch bump

Verification

git diff of branch vs merge-base (ed6d6e1) confirms only package.json and yarn.lock changed
yarn.lock diff confirms only the picomatch entry moved from 2.3.1 to 2.3.2, no unrelated transitive changes
Fetched upstream release notes via gh release view 2.3.2 --repo micromatch/picomatch: security-only release fixing CVE-2026-33671 (ReDoS) and CVE-2026-33672 (method injection)
Confirmed resolved URL points to registry.yarnpkg.com with updated integrity hash

Findings

LOW #1 -- Resolutions are parent-scoped rather than global

VERIFIED: The resolutions target @babel/cli//picomatch and np//picomatch (package.json:90-91) rather than a blanket "**/picomatch" or top-level "picomatch" entry. This is conservative and correct -- it scopes the override to known consumers. However, any OTHER transitive consumer of picomatch@^2.x not rooted under @babel/cli or np would still get 2.3.1 from the lockfile. REFUTATION: check whether other paths resolve picomatch -- the lockfile shows a single merged entry at yarn.lock:5064 covering all ^2.x ranges, so in practice all consumers resolve to 2.3.2. No actual gap exists.

Verified location: package.json:90-91

LOW #2 -- Upstream release is security-only with no breaking changes

VERIFIED: picomatch 2.3.2 release notes list exactly two CVE fixes and one constructor-exception fix. No deprecations, no behavioral changes to matching logic, no new APIs. Full changelog link confirms diff is 2.3.1...2.3.2 only.

Line unverified: the cited snippet does not map to a unique changed line in this PR.

What's solid

• Lockfile diff is minimal and surgical -- only the picomatch entry changed, integrity hash and resolved URL are consistent with registry.yarnpkg.com
• Resolutions placed in the correct section (resolutions, not dependencies) with appropriate ^2.3.2 range that allows future patches without re-pinning
• Commit message accurately references both GHSAs and documents validation results (lint, build, test all exit 0)

Priority stack for the author

No fixes needed. The change is minimal, correctly scoped, and the upstream release is security-only with no behavioral changes.

Recommendation: GO

_{skill-sig: 26cfcbaf · 3pp-skill-sig: ad61853a}