chore(deps): bump picomatch from 4.0.3 to 4.0.4 in /web #1058
dependabot[bot] wants to merge 1 commit into dev from
dd4b7ac to 7225c6a
nhopeatall left a comment
Summary
Straightforward dependabot security bump of picomatch 4.0.3 → 4.0.4, fixing CVE-2026-33671 and CVE-2026-33672. Only web/package-lock.json is modified.
The core change (picomatch version bump) is correct and desirable. The lock file also includes collateral re-resolution changes that are typical of npm install regenerating the lockfile:
- New nested deps for @tailwindcss/oxide-wasm32-wasi (all dev, optional, inBundle)
- Removal of standalone @trpc/server and react-is entries (both were peer: true)
- Several packages correctly reclassified as "dev": true (@types/react, csstype, tailwindcss, typescript)
These are all normal npm lock file re-resolution artifacts and not concerning.
CI Note
The lint-and-test check is failing. Since this PR only changes the lock file, this failure is likely either pre-existing on the base branch or caused by the base branch (dev) having advanced significantly since this PR was opened. Worth verifying whether lint-and-test passes on dev currently — if it does, rebasing this PR on latest dev should resolve it. If it fails on dev too, it's unrelated to this PR.
LGTM — the security fix should be merged. Recommend rebasing on latest dev to resolve the CI failure.
🕵️ claude-code · claude-opus-4-6 · run details
7225c6a to 8ab663a
@dependabot rebase

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry! If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.
Bumps [picomatch](https://github.com/micromatch/picomatch) from 4.0.3 to 4.0.4.
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@4.0.3...4.0.4)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
8ab663a to 3b8725e
Security patches for two advisories blocked on Dependabot:
- vite 6.4.1 → 6.4.2: path traversal in optimize deps sourcemap handler, server.fs check for env transport (vitejs/vite#22161, #22159)
- picomatch 4.0.3 → 4.0.4: CVE-2026-33671, CVE-2026-33672

Replaces #1088 and #1058, which were stuck on CI because Dependabot's lockfile regeneration produced a divergent lockfile vs. dev (dropped @trpc/server and react-is resolved entries, added platform-specific tailwindcss-oxide-wasm32-wasi nested entries). Rather than iterate on @dependabot recreate, bundled both bumps into a single manual PR with a lockfile regenerated from dev's current state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
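Both the review comment above and the description of the replacement PR turn on the same question: does the regenerated package-lock.json change anything besides the intended picomatch bump, and is the rest just re-resolution noise (dropped peer entries, dev/optional flag flips, nested platform entries)? The following is an added example, not code from this repository, from Dependabot or from the reviewer: a small lockfile differ that confirms a security bump changes exactly one package version, verifies the new entry is pinned to a registry tarball with an integrity hash, and reports the structural collateral separately so it can be eyeballed rather than block the check. It assumes the lockfileVersion 2/3 layout (a top-level "packages" map keyed by node_modules path). Both lockfiles below are constructed samples, not the real web/package-lock.json; the versions of the collateral packages, the nested entry name and the integrity string are made up.

```javascript
// Added example (not from the project, Dependabot or the reviewer): a minimal
// package-lock.json differ for reviewing a single-dependency security bump.
// Assumes lockfileVersion 2/3: a top-level "packages" map keyed by path.
// Both lockfiles are constructed samples; collateral versions are invented.

const FAKE_INTEGRITY = "sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH";

const BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "web" },
    "node_modules/picomatch": {
      version: "4.0.3",
      resolved: "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
      integrity: FAKE_INTEGRITY,
    },
    "node_modules/@trpc/server": { version: "11.0.0", peer: true },
    "node_modules/react-is": { version: "18.3.1", peer: true },
    "node_modules/typescript": { version: "5.6.3" },
    "node_modules/csstype": { version: "3.1.3" },
  },
};

const AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "web" },
    "node_modules/picomatch": {
      version: "4.0.4",
      resolved: "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
      integrity: FAKE_INTEGRITY,
    },
    "node_modules/typescript": { version: "5.6.3", dev: true },
    "node_modules/csstype": { version: "3.1.3", dev: true },
    // Hypothetical nested entry under the wasm build of tailwind's oxide package.
    "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/nested-dep-example": {
      version: "1.0.0", dev: true, optional: true, inBundle: true,
    },
  },
};

const FLAGS = ["dev", "optional", "peer", "inBundle"];

// The package name is the part of the path after the last "node_modules/".
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Structural diff of the two "packages" maps: added/removed entries,
// version changes, and flips of the dev/optional/peer/inBundle flags.
function diffLockfiles(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const out = { added: [], removed: [], versionChanged: [], flagsChanged: [] };
  for (const p of Object.keys(a)) {
    if (!(p in b)) { out.removed.push(p); continue; }
    if (a[p].version !== b[p].version) {
      out.versionChanged.push({ path: p, from: a[p].version, to: b[p].version });
    }
    for (const f of FLAGS) {
      if (Boolean(a[p][f]) !== Boolean(b[p][f])) {
        out.flagsChanged.push({ path: p, flag: f, from: Boolean(a[p][f]), to: Boolean(b[p][f]) });
      }
    }
  }
  for (const p of Object.keys(b)) if (!(p in a)) out.added.push(p);
  return out;
}

// A bump is "clean" when the only version change is the expected one and the
// new entry resolves to a registry tarball for that version with a sha512
// integrity hash. Added/removed entries and flag flips are returned as
// collateral for human review rather than treated as failures.
function checkBump(before, after, name, from, to) {
  const diff = diffLockfiles(before, after);
  const problems = [];
  const expected = diff.versionChanged.filter(
    (c) => packageName(c.path) === name && c.from === from && c.to === to
  );
  if (expected.length === 0) problems.push(`no ${name} ${from} -> ${to} change found`);
  for (const c of diff.versionChanged) {
    if (!expected.includes(c)) problems.push(`unexpected version change: ${c.path} ${c.from} -> ${c.to}`);
  }
  for (const c of expected) {
    const entry = after.packages[c.path];
    const okUrl = typeof entry.resolved === "string"
      && entry.resolved.startsWith("https://registry.npmjs.org/")
      && entry.resolved.includes(`-${to}.tgz`);
    if (!okUrl) problems.push(`${c.path}: resolved is not a registry tarball for ${to}`);
    if (!/^sha512-/.test(entry.integrity || "")) problems.push(`${c.path}: missing sha512 integrity`);
  }
  return { clean: problems.length === 0, problems, collateral: diff };
}

const report = checkBump(BEFORE, AFTER, "picomatch", "4.0.3", "4.0.4");
console.log(JSON.stringify(report, null, 2));
```

On the constructed input the report is clean: one version change (picomatch 4.0.3 to 4.0.4), two removed peer entries, one added nested entry and two dev-flag flips, which is the same shape of collateral the reviewer lists above. Run against real files by replacing the two constants with JSON.parse(fs.readFileSync(...)) of the base and PR lockfiles; a second version change, a tarball URL pointing outside the registry, or a missing integrity hash would each turn a routine Dependabot bump into something that needs a closer look.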
Superseded by #1098 — Dependabot's regenerated lockfile kept diverging from
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps picomatch from 4.0.3 to 4.0.4.
Release notes
Sourced from picomatch's releases.
Commits
- e5474fc Publish 4.0.4
- 4516eb5 Merge commit from fork
- 5eceecd Merge commit from fork
- 0db7dd7 Run benchmark again against latest minimatch version (#161)
- 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
- 2661f23 fix typo in globstars.js test name (#138)
- 1798b07 docs: fix makeRe example (#143)
- 9d76bc5 chore: undocument removed options (#146)
- e4d718b Remove unused time-require (#160)
- 38dffeb chore(deps): pin dependencies (#158)