Skip to content

build(deps): bump picomatch from 2.3.1 to 2.3.2#1231

Open
dependabot[bot] wants to merge 2 commits intomasterfrom
dependabot/npm_and_yarn/picomatch-2.3.2
Open

build(deps): bump picomatch from 2.3.1 to 2.3.2#1231
dependabot[bot] wants to merge 2 commits intomasterfrom
dependabot/npm_and_yarn/picomatch-2.3.2

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 25, 2026

Bumps picomatch from 2.3.1 to 2.3.2.

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump picomatch from 2.3.1 to 2.3.2
784c2b6 
Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 25, 2026
@mixonic
fix: add yarn resolution for execa to fix CI tests
3f87ba3 
The CI checks failed after picomatch was updated from 2.3.1 to 2.3.2.

Root cause: The picomatch update triggered a yarn.lock regeneration that
brought in execa v7.2.0 as a nested dependency in testem's node_modules.
Execa v7+ is an ES module and cannot be required by testem (which uses
CommonJS require statements). This caused an ERR_REQUIRE_ESM error when
running tests.

Fix: Added a yarn resolution to pin execa to ^5.1.1, which is the last
CommonJS-compatible version. This ensures testem and all its nested
dependencies use a require()-compatible version of execa. Regenerated
yarn.lock to apply the resolution.

Risk: Low risk. The resolution only affects execa and forces it to use a
well-tested CommonJS version that is compatible with testem and the rest
of the project dependencies.

Files changed:
- package.json (added execa resolution)
- yarn.lock (regenerated with new resolution)

Automated fix by veni-vidi-fixi
@mixonic
Copy link
Copy Markdown
Member

mixonic commented Mar 27, 2026

Upgrade may be blocked on a prerequisite dependency

The automated fix system attempted to resolve CI failures and the output suggests this upgrade may be blocked because permission may need to be upgraded first.

Suggested actions

  • Review the CI failure logs to confirm whether permission is the blocker
  • Check if there is already a Dependabot PR open for permission
  • If not, consider manually creating an upgrade PR for permission first
  • Once permission is upgraded, this PR can be rebased and the upgrade should succeed

Automated comment by veni-vidi-fixi

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mixonic