fix: minimatch remediation: upgrade glob v8→v11

[Copilot]

Part of the broader minimatch < 9.0.7 remediation. Addresses two dependency chains that pulled in vulnerable minimatch versions.

Changes

tools/scripts-utils — glob v8 → v11

• Bumped glob from ^8.1.0 to ^11.0.0
• Rewrote globMatch() to use glob v11's native async API instead of the removed callback form

// Before (glob@8 callback API)
glob(pattern, (error, files) => { resolve(files.length > 0) })

// After (glob@11 async API)
const { glob } = require('glob');
const files = await glob(pattern);
return files.length > 0;

Eliminates: minimatch@5.1.6 via glob@8 → minimatch@5

packages/forms — remove unused storybook v7 addon packages

• Removed @storybook/addon-actions@^7.6.21 and @storybook/addon-controls@^7.6.21 from devDependencies
• Neither is imported anywhere in the codebase; controls/actions are bundled into storybook core in v10 (no separate packages exist)

Eliminates: minimatch@9.0.5 via @storybook/core-common → glob → minimatch

Already done (no changes needed)

• PR 1 (remove codecov from fork/dynamic-cdn-webpack-plugin) ✓
• PR 2 (remove browser-sync from packages/design-system) ✓
• PR 5 (eslint-plugin-mdx v2→v3) ✓ — already at ^3.7.0

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Minimatch < 9.0.7 — Remediation Plan</issue_title>
<issue_description>
Security vulnerability in minimatch versions below 9.0.7. Each step = one dedicated PR.

---

PR 1 — Remove codecov from fork/dynamic-cdn-webpack-plugin DONE

• File: fork/dynamic-cdn-webpack-plugin/package.json
• Action: Remove codecov@^3.8.3 from devDependencies
• Why: codecov npm package is deprecated (Codecov migrated to GitHub Actions). No usage in code or scripts.
• Eliminates: minimatch@3.1.2 (via codecov → ignore-walk → minimatch)
• Effort: trivial
• Verify: yarn why minimatch — codecov chain gone

---

PR 2 — Remove browser-sync from packages/design-system DONE

• File: packages/design-system/package.json
• Action: Remove browser-sync@^3.0.4 and browser-sync-webpack-plugin@^2.4.0 from devDependencies
• Why: Both are unused — no imports, no script references, no webpack config usage anywhere in the design-system package
• Eliminates: minimatch@3.1.2 (via browser-sync → resp-modifier → minimatch)
• Effort: trivial
• Verify: yarn why minimatch — browser-sync chain gone

---

PR 3 — Upgrade glob in tools/scripts-utils (v8 → v11)

• File: tools/scripts-utils/package.json — update glob from ^8.1.0 to ^11.0.0

• Code change: tools/scripts-utils/src/glob.js — rewrite globMatch() from callback API to glob v11 native async API:

  // Before (glob@8 callback)
  glob(pattern, (error, files) => { ... })
  
  // After (glob@11 async)
  const { glob } = require('glob');
  const files = await glob(pattern);
  return files.length > 0;

• Eliminates: minimatch@5.1.6 (via glob@8 → minimatch@5)

• Effort: low — single function, ~5 lines

• Verify: yarn workspace @talend/scripts-utils test

---

PR 4 — Upgrade Storybook deps in packages/forms (v7 → v10)

• File: packages/forms/package.json
• Action: Update @storybook/addon-actions and @storybook/addon-controls from ^7.6.21 to ^10.2.1 (aligns with rest of repo already on Storybook 10.2)
• Eliminates: minimatch@9.0.5 (via @storybook/core-common → glob → minimatch)
• Effort: medium — Storybook 7→10 is a major jump; check addon API and story format changes
• Verify: yarn workspace @talend/react-forms build-storybook

---

PR 5 — Upgrade eslint-plugin-mdx in tools/scripts-config-eslint (v2 → v3)

• File: tools/scripts-config-eslint/package.json — update eslint-plugin-mdx from ^2.3.4 to ^3.x
• Compat: v3 works with ESLint 8+; "plugin:mdx/recommended" extends syntax still supported
• Eliminates: minimatch@5.1.6 (via eslint-mdx → unified-engine → glob) + minimatch@9.0.5 (via load-plugin → @npmcli/config → @npmcli/map-workspaces → glob)
• Effort: medium — verify MDX linting across packages
• Note: could alternatively fold into the ESLint 9 migration
• Verify: lint a package that contains MDX files

---

PR 6 — Replace or upgrade fantasticon in packages/icons

• File: packages/icons/package.json — fantasticon@^3.0.0 (devDependency)
• Problem: Already on latest major (v3). No upstream fix. Used as CLI only via npx fantasticon in packages/icons/scripts/build-webfont.mjs
• Pulls: minimatch@3.1.2, @5.1.6, @9.0.5 (triple offender — via svgicons2svgfont, cacache/rimraf, own glob)
• Options:
  • a) Replace with alternative (svgtofont, webfonts-generator, custom script)
  • b) File upstream issue and wait
  • c) Vendor/fork fantasticon with updated deps
• Effort: high — must validate font output (EOT, WOFF, WOFF2, TTF, SVG) + CSS generation with custom HBS templates + codepoint mappings
• Verify: yarn workspace @talend/icons build — compare generated font files

---

PR 7 — Replace or upgrade fork-ts-checker-webpack-plugin in tools/scripts-config-react-webpack

• File: tools/scripts-config-react-webpack/package.json — fork-ts-checker-webpack-plugin@^9.1.0
• Problem: Already on latest major (v9). No upstream fix. Used with default options.
• Code: webpack.config.js and webpack.config.common.js — useTypescript && new ForkTsCheckerWebpackPlugin()
• Pulls: minimatch@3.1.2
• Options:
  • a) Replace with ts-checker-rspack-plugin or tsc --noEmit script
  • b) File upstream issue and wait
  • c) Accept risk (build-time-only devDependency)
• Effort: medium
• Verify: Full webpack build on a TypeScript project using this config

---

Blocked — babel-jest / test-exclude chain

• Package: tools/babel-plugin-assets-api/package.json — babel-jest@^29.7.0
• Chain: babel-jest → babel-plugin-istanbul → test-exclude@6 → minimatch@3.1.2
• Status: No fix available. Jest 30 not yet released. test-exclude@7 uses minimatch@^9 but babel-plugin-istanbul@6 pins test-exclude@^6.
• Action: Monitor upstream. Re-evaluate wh...

• Fixes Minimatch < 9.0.7 — Remediation Plan #5734

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9d62cb4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

Storybook for this PR deployed on this github page

[github-actions]

Title	Lines	Statements	Branches	Functions
assets-api		28.4% (25/88)	30.76% (16/52)	21.42% (3/14)
cmf		89.36% (1243/1391)	80.93% (607/750)	89.51% (350/391)
cmf-cqrs		87.43% (160/183)	70.23% (59/84)	84.21% (48/57)
cmf-router		69.23% (135/195)	55.71% (78/140)	56.81% (25/44)
components		90.7% (5565/6135)	81.59% (3196/3917)	88.14% (1390/1577)
containers		83.6% (1392/1665)	74.3% (694/934)	75% (327/436)
dataviz		85.71% (330/385)	65.28% (158/242)	75.94% (120/158)
design-system		66.49% (1016/1528)	50.84% (543/1068)	53.94% (219/406)
faceted-search		85.08% (639/751)	78.63% (287/365)	81.88% (226/276)
flow-designer		70.07% (651/929)	66.72% (355/532)	70.92% (200/282)
forms		86.27% (1640/1901)	75.89% (929/1224)	85.02% (460/541)
http		100% (85/85)	98.07% (51/52)	100% (34/34)
sagas		92.3% (24/26)	66.66% (4/6)	50% (2/4)
stepper		81.52% (150/184)	59.34% (54/91)	80.85% (38/47)
utils		100% (73/73)	90.9% (10/11)	100% (24/24)