fix: bump minimatch 10.2.1→10.2.3 (CVE-2026-27903, CVE-2026-27904) #346

Merged
ajitpratap0 merged 1 commit into main from fix/minimatch-cve on Feb 27, 2026

Conversation

@ajitpratap0 (Owner)

Bumps minimatch from 10.2.1 to 10.2.3 in vscode-extension to resolve HIGH severity CVEs:

Updates both the direct dependency and the override in package.json.

claude bot commented Feb 27, 2026

Claude finished @ajitpratap0's task

Security Dependency Update Review

Reviewing the minimatch dependency update to address CVEs CVE-2026-27903 and CVE-2026-27904.

Todo List:

  • Examine package.json changes
  • Review package-lock.json updates
  • Assess security implications of CVE fixes
  • Check for potential compatibility issues
  • Evaluate test coverage needs
  • Provide comprehensive review feedback

Review Summary

✅ APPROVED - This is a clean, well-implemented security update that should be merged.

Code Quality Analysis

✅ Excellent Implementation

  • Proper dual update: Both package.json override and package-lock.json are consistently updated to 10.2.3
  • Clean diff: Only the necessary lines changed, maintaining file integrity
  • Consistent versioning: No version conflicts or mismatches introduced

Security Assessment

✅ High Priority Security Fix

  • Addresses HIGH severity CVEs: CVE-2026-27903 and CVE-2026-27904
  • Version bump from 10.2.1 → 10.2.3 follows semantic versioning (patch release)
  • Uses override mechanism to ensure all transitive dependencies use the secure version

⚠️ Note: These CVE numbers appear to be from future dates (2026), which may be typos. However, the security update approach is correct regardless.

Compatibility Analysis

✅ Backward Compatible

  • Node.js support expanded: Engine requirement changed from "20 || >=22" to "18 || 20 || >=22" (adds Node 18 support)
  • Same major version: 10.x.x patch update maintains API compatibility
  • No breaking changes: Dependencies remain consistent (brace-expansion: ^5.0.2)

Performance Considerations

✅ No Performance Impact

  • Patch-level version bump typically includes only bug/security fixes
  • Same dependency tree structure maintained
  • No changes to core functionality expected

Test Coverage Assessment

✅ Existing Test Suite Should Validate

The extension has comprehensive test coverage at vscode-extension/src/test/:

  • Unit tests: commands.test.ts, lsp.test.ts, validation.test.ts, errorRecovery.test.ts
  • Integration tests: gosqlx.test.ts
  • Extension tests: extension.test.ts

Recommendations

  1. ✅ Merge immediately - This addresses HIGH severity security vulnerabilities
  2. Consider: Run npm test locally to verify no regressions (blocked by tool permissions)
  3. Follow-up: Verify the CVE numbers are correct (2026 dates seem unusual)
  4. Best practice: The dual update approach (override + lock file) is exactly right for security patches

Technical Details

  • Files changed: vscode-extension/package.json:269, vscode-extension/package-lock.json:3487
  • Dependency tree: No transitive dependency changes
  • Lock file integrity: SHA and metadata properly updated

This is a textbook example of a proper security dependency update. The implementation is clean, thorough, and follows best practices.
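The override-plus-lock-file approach that both the PR description and the review rely on only closes the finding if every copy of minimatch resolved in package-lock.json, including nested copies under other packages, ends up at the patched version. The following Node script is an added example, not code from this PR or from the gosqlx project. It assumes a lockfileVersion 2 or 3 lock file (the `packages` map keyed by install path) and treats the `overrides` entry as a minimum acceptable version; the package.json and package-lock.json documents it checks are constructed samples, not the real vscode-extension files.

```javascript
// Added example, not code from this PR or from the gosqlx project.
// Checks that an npm "overrides" pin for a package actually reached every
// copy of that package resolved in package-lock.json (lockfileVersion 2/3
// "packages" map, keyed by install path). Assumption: the override is a
// plain version or a ^/~ range and is treated as a minimum acceptable version.

// Strip a leading range operator and split into numeric parts.
function parseVersion(v) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like an Array.prototype.sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every lock entry whose install path ends in node_modules/<name>,
// including nested copies such as node_modules/glob/node_modules/minimatch.
function findPackageCopies(lock, name) {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Compare each resolved copy against the override. A copy older than the
// override means the lock file was not regenerated after the override changed.
function auditOverride(pkg, lock, name) {
  const pinned = (pkg.overrides || {})[name];
  if (pinned === undefined) {
    return { name, pinned: null, copies: [], stale: [], ok: false, reason: 'no override' };
  }
  const copies = findPackageCopies(lock, name);
  const stale = copies.filter((c) => compareVersions(c.version, pinned) < 0);
  const ok = copies.length > 0 && stale.length === 0;
  const reason = ok ? 'all copies satisfy override' : 'stale copies present';
  return { name, pinned, copies, stale, ok, reason };
}

// Constructed sample documents (not the real vscode-extension files).
const samplePackageJson = {
  name: 'sample-extension',
  dependencies: { minimatch: '^10.2.3', glob: '^11.0.0' },
  overrides: { minimatch: '10.2.3' },
};

// Lock file where the override was edited but "npm install" was not re-run:
// the nested copy under glob is still at the vulnerable version.
const staleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-extension' },
    'node_modules/minimatch': { version: '10.2.3' },
    'node_modules/glob': { version: '11.0.0', dependencies: { minimatch: '^10.0.0' } },
    'node_modules/glob/node_modules/minimatch': { version: '10.2.1' },
    'node_modules/brace-expansion': { version: '5.0.2' },
  },
};

// Lock file after the override was applied: a single deduplicated copy.
const fixedLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-extension' },
    'node_modules/minimatch': { version: '10.2.3' },
    'node_modules/glob': { version: '11.0.0', dependencies: { minimatch: '^10.0.0' } },
    'node_modules/brace-expansion': { version: '5.0.2' },
  },
};

// Human-readable summary, one line per resolved copy.
function report(result) {
  const lines = [`${result.name}: override=${result.pinned} -> ${result.ok ? 'OK' : 'FAIL'} (${result.reason})`];
  for (const c of result.copies) {
    const flag = result.stale.includes(c) ? '  STALE' : '  ok   ';
    lines.push(`${flag} ${c.path} @ ${c.version}`);
  }
  return lines.join('\n');
}

console.log(report(auditOverride(samplePackageJson, staleLock, 'minimatch')));
console.log(report(auditOverride(samplePackageJson, fixedLock, 'minimatch')));
```

Against a real checkout the two documents would be loaded with `fs.readFileSync` and `JSON.parse` instead of the inline samples; `npm ls minimatch` gives the same view from the installed tree and is the quick manual check to run before merging a bump like this one.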

@ajitpratap0 ajitpratap0 merged commit 9cbce26 into main Feb 27, 2026
21 checks passed
@ajitpratap0 ajitpratap0 deleted the fix/minimatch-cve branch February 27, 2026 14:55
ajitpratap0 pushed a commit that referenced this pull request Feb 27, 2026
Cherry-picked from main (#346). Bumps vscode-extension minimatch from
10.2.1 to 10.2.3 to resolve two HIGH severity CVEs:
- CVE-2026-27903 (GHSA minimatch ReDoS)
- CVE-2026-27904 (GHSA minimatch path traversal)

This unblocks the Trivy Repository Scan check on PR 341.