From 58d2832a448bc88c48e08a8593236a2bcdf61bd2 Mon Sep 17 00:00:00 2001
From: chitcommit <208086304+chitcommit@users.noreply.github.com>
Date: Sat, 28 Mar 2026 02:50:31 +0000
Subject: [PATCH] fix: bump picomatch to resolve high severity ReDoS + method
 injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

npm audit fix: picomatch 4.0.x → patched version.
Fixes GHSA-c2c7-rcm5-vvqj (ReDoS) and GHSA-3v7f-55p6-f55p (method injection).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index cee1efd..b877005 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2299,9 +2299,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {