
#188 address vulnerability in minimatch #189

Merged
jayhill merged 2 commits into main from copilot/fix-minimatch-vulnerability on Mar 3, 2026

Conversation

Copilot AI commented Mar 3, 2026

6 high-severity Dependabot alerts for minimatch ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-3ppc-4f35-3m26, GHSA-23c5-xmqv-rm74) spread across frontend, serverless, and shared — both direct and transitive usages via eslint, jest, glob, and archiver tooling.

Safe version targets

| Range | Vulnerable through | Fixed at |
|-------|--------------------|----------|
| 3.x   | ≤ 3.1.3            | 3.1.5    |
| 5.x   | 5.0.0 – 5.1.7      | 5.1.9    |
| 9.x   | 9.0.0 – 9.0.6      | 9.0.9    |

Changes

  • frontend/package.json — added "minimatch": "^9.0.9" override. npm audit fix alone couldn't resolve the minimatch nested inside glob's own node_modules due to the existing glob version override; an explicit minimatch override was required. All minimatch instances collapse to a single deduplicated 9.0.9.

```json
"overrides": {
    "glob": "^10.5.0",
    "minimatch": "^9.0.9"
}
```

  • serverless/package-lock.json — updated via npm audit fix --package-lock-only (direct npm install blocked by inaccessible xlsx registry URL at deploy time). 3.x instances (eslint, jest, archiver, zip-stream) → 3.1.5; readdir-glob 5.x → 5.1.9; top-level 9.x → 9.0.9. No package.json override added — existing version ranges naturally resolve to safe versions.

  • shared/package-lock.json — updated via npm audit fix. eslint nested 3.x → 3.1.5; top-level 9.x → 9.0.9.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • cdn.sheetjs.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/_temp/ghcca-node/node/bin/npm audit fix (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Address dependabot alert on minimatch</issue_title>
<issue_description>> minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

There are 6 open dependabot alerts with high severity, all the same: "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments." These are spread across frontend, serverless and shared packages, both development and "real" usage.
Address these all together.</issue_description>

<agent_instructions>Do not create an initial, empty commit. If you must do this, squash it once the implementation is ready. Follow our repository standards for commit messages: "#188 address vulnerability in minimatch…" — starting with the ticket number, followed by an infinitive verb and short description</agent_instructions>

Comments on the Issue (you are @copilot in this section)



…nd shared packages

Co-authored-by: jayhill <116148+jayhill@users.noreply.github.com>
Copilot AI changed the title [WIP] Address dependabot alert for minimatch vulnerabilities #188 address vulnerability in minimatch Mar 3, 2026
jayhill commented Mar 3, 2026

@copilot Get rid of the useless "Initial Plan" commit.

Copilot AI commented Mar 3, 2026

> @copilot Get rid of the useless "Initial Plan" commit.

The "Initial plan" commit (b98ee2b) is an empty commit with no file changes. Unfortunately, removing it would require a rebase and force push, which isn't available in this environment. The commit will be squashed when this PR is merged (assuming squash merge strategy). If a clean history is required before merge, a maintainer can rebase-squash the branch manually.

@jayhill jayhill marked this pull request as ready for review March 3, 2026 22:07
@jayhill jayhill merged commit 8dc5987 into main Mar 3, 2026
9 checks passed
@jayhill jayhill deleted the copilot/fix-minimatch-vulnerability branch March 3, 2026 22:07