deps: resolve minimatch dependabot vulnerabilities

[Copilot]

Three ReDoS CVEs in minimatch (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74) affect transitive dependencies across three major version lines pinned in yarn.lock and package-lock.json.

Vulnerable → patched versions

Range	Was	Now
3.x	3.1.2	3.1.5
9.x	9.0.5	9.0.9
10.x	10.1.1	10.2.4

Approach

Added overrides (npm) and resolutions (yarn) to package.json. A global resolutions entry forces 3.x consumers (ESLint packages, serve-handler) to 3.1.5, with path-specific overrides preserving the correct major for packages requiring newer APIs:

"overrides": {
  "serve-handler": { "minimatch": "3.1.5" },
  "@typescript-eslint/typescript-estree": { "minimatch": "9.0.9" },
  "@ts-morph/common": { "minimatch": "10.2.4" },
  "glob": { "minimatch": "10.2.4" }
},
"resolutions": {
  "minimatch": "3.1.5",
  "@typescript-eslint/typescript-estree/minimatch": "9.0.9",
  "@ts-morph/common/minimatch": "10.2.4",
  "glob/minimatch": "10.2.4"
}

Both yarn.lock and package-lock.json have been regenerated accordingly.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>deps: resolve dependabot issues</issue_title>
<issue_description>https://github.com/celestiaorg/docs/security/dependabot?q=is%3Aopen+manifest%3Ayarn.lock+package%3Aminimatch</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes deps: resolve dependabot issues #2454

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.

---

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.