
fix: upgrade picomatch to 4.0.4, 3.0.2, 2.3.2 (CVE-2026-33671)#114940

Open
orbisai0security wants to merge 2 commits into
getsentry:masterfrom
orbisai0security:fix-cve-2026-33671-picomatch

Conversation

@orbisai0security

Summary

Upgrade picomatch from 2.3.1 to 4.0.4, 3.0.2, 2.3.2 to fix CVE-2026-33671.

Vulnerability

Field     Value
ID        CVE-2026-33671
Severity  HIGH
Scanner   trivy
Rule      CVE-2026-33671
File      api-docs/pnpm-lock.yaml

Description: picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns

Changes

  • api-docs/package.json
  • api-docs/pnpm-lock.yaml

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated dependency upgrade by Orbis Security AI
@orbisai0security orbisai0security requested a review from a team as a code owner May 6, 2026 04:49
Contributor

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 802e509.

Comment thread api-docs/package.json Outdated
@orbisai0security
Author

Review Feedback Addressed

I've automatically addressed 1 review comment(s):

The reviewer correctly identified that picomatch is only a transitive dependency (of anymatch and micromatch) and should not appear in dependencies. The project already uses pnpm.overrides for this purpose (e.g., lodash, form-data, glob>minimatch). The fix:

  1. api-docs/package.json: Remove picomatch from dependencies and add it to pnpm.overrides instead.
  2. api-docs/pnpm-lock.yaml: Add picomatch: 2.3.2 to the overrides section and remove it from the importers direct-dependency block (since it's no longer a declared direct dep — it remains in packages and snapshots as a transitive dep, which is correct).

Files modified:

  • api-docs/package.json
  • api-docs/pnpm-lock.yaml

The changes have been pushed to this PR branch. Please review!
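Added example (not code from this PR or from the getsentry repository): a small Node.js check for the two things the thread above settles on. First, that `api-docs/package.json` pins picomatch through `pnpm.overrides` rather than declaring a dependency the package does not import; second, that every picomatch entry in `pnpm-lock.yaml`, which is the file trivy flagged, resolves to a patched release. The patched floors per major line (2.3.2, 3.0.2, 4.0.4) are taken from the PR title. The lockfile key shapes (`picomatch@2.3.1:`, `/picomatch@2.3.1:`, `picomatch: 2.3.1`) are assumed from pnpm lockfile layouts and matched with a regex, not a YAML parser, and both sample files are constructed for illustration.

```javascript
"use strict";

// Patched picomatch releases per major line, as listed in the PR title.
// A major line with no entry (e.g. 1.x) is treated as unpatched.
const PATCHED_FLOOR = { 2: "2.3.2", 3: "3.0.2", 4: "4.0.4" };

// Numeric comparison of dotted versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lower bound of a version spec. Exact versions and ^/~ ranges are understood;
// anything else ("*", "latest", "npm:...") returns null and is not trusted.
function minVersion(spec) {
  const m = /^[\^~=]?\s*(\d+\.\d+\.\d+)$/.exec(String(spec).trim());
  return m ? m[1] : null;
}

// True when the spec's lower bound is at or above the fix for its major line.
function isPatched(spec) {
  const v = minVersion(spec);
  if (v === null) return false;
  const floor = PATCHED_FLOOR[Number(v.split(".")[0])];
  return floor !== undefined && compareVersions(v, floor) >= 0;
}

// Every distinct picomatch version in pnpm-lock.yaml text: package keys such as
// `picomatch@2.3.1:` (or `/picomatch@2.3.1:` in older lockfiles) and resolved
// dependency lines such as `picomatch: 2.3.1`. Assumed key shapes, regex scan only.
function lockedPicomatchVersions(lockText) {
  const found = new Set();
  const re = /^[ \t]*\/?picomatch[@:][ \t]*(\d+\.\d+\.\d+)/gm;
  let m;
  while ((m = re.exec(lockText)) !== null) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Lockfile check: the picomatch versions that are still vulnerable.
function checkLockfile(lockText) {
  return lockedPicomatchVersions(lockText).filter((v) => !isPatched(v));
}

// package.json check, mirroring the review comment: picomatch is only transitive,
// so it must not be declared directly, and the pin must live in pnpm.overrides
// (a bare `picomatch` key or a scoped `parent>picomatch` selector).
function checkPackageJson(pkg) {
  const problems = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    if (pkg[field] && Object.prototype.hasOwnProperty.call(pkg[field], "picomatch")) {
      problems.push(`picomatch should not be listed in ${field}`);
    }
  }
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const keys = Object.keys(overrides).filter((k) => k === "picomatch" || k.endsWith(">picomatch"));
  if (keys.length === 0) problems.push("missing pnpm.overrides entry for picomatch");
  for (const k of keys) {
    if (!isPatched(overrides[k])) problems.push(`override ${k}: ${overrides[k]} is not a patched release`);
  }
  return problems;
}

// Constructed sample inputs (illustrative shapes, not the real api-docs files).
// "before" is the PR's first commit: picomatch added as a direct dependency.
const PACKAGE_JSON_BEFORE = { name: "api-docs", dependencies: { chokidar: "^3.5.3", picomatch: "2.3.2" } };
// "after" is the shape the review asked for: override only, no direct dependency.
const PACKAGE_JSON_AFTER = {
  name: "api-docs",
  dependencies: { chokidar: "^3.5.3" },
  pnpm: { overrides: { picomatch: "2.3.2" } },
};
const LOCK_BEFORE = [
  "lockfileVersion: '9.0'", "",
  "importers:", "  .:", "    dependencies:", "      chokidar:",
  "        specifier: ^3.5.3", "        version: 3.5.3", "",
  "packages:", "",
  "  micromatch@4.0.5:", "    resolution: {integrity: sha512-constructed}", "",
  "  picomatch@2.3.1:", "    resolution: {integrity: sha512-constructed}", "",
  "snapshots:", "",
  "  micromatch@4.0.5:", "    dependencies:", "      picomatch: 2.3.1",
].join("\n");
// After `pnpm install` with the override: the override is recorded in the lock
// and every picomatch entry resolves to 2.3.2.
const LOCK_AFTER = LOCK_BEFORE
  .replace("lockfileVersion: '9.0'", "lockfileVersion: '9.0'\n\noverrides:\n  picomatch: 2.3.2")
  .replace(/2\.3\.1/g, "2.3.2");

// Run both checks and summarise.
function report(pkg, lockText) {
  const pkgProblems = checkPackageJson(pkg);
  const lockProblems = checkLockfile(lockText);
  return { ok: pkgProblems.length === 0 && lockProblems.length === 0, pkgProblems, lockProblems };
}

console.log("before:", report(PACKAGE_JSON_BEFORE, LOCK_BEFORE));
console.log("after: ", report(PACKAGE_JSON_AFTER, LOCK_AFTER));
```

Two caveats the script cannot see for you. A bare `picomatch` override rewrites the spec for every consumer in the tree, so if some package in the graph requires picomatch 3.x or 4.x, pinning to 2.3.2 silently downgrades it; the `parent>picomatch` selector form (the same syntax as the existing `glob>minimatch` entry the reply mentions) scopes the pin to one consumer. And an override in `package.json` changes nothing until `pnpm install` regenerates `pnpm-lock.yaml`; since the finding is on the lockfile, the lockfile check is the one that actually proves the fix.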
