Skip to content

fix(deps): update picomatch to 4.0.4 in core-ingestion#115

Merged
TannerTorrey3 merged 1 commit intomainfrom
fix/picomatch-vulnerability
Apr 1, 2026
Merged

fix(deps): update picomatch to 4.0.4 in core-ingestion#115
TannerTorrey3 merged 1 commit intomainfrom
fix/picomatch-vulnerability

Conversation

@josephismikhail
Copy link
Copy Markdown
Contributor

@josephismikhail josephismikhail commented Apr 1, 2026

Resolves Dependabot alert #2 — Method Injection in POSIX Character Classes causes incorrect Glob Matching (moderate).

Summary

Bumps picomatch from 4.0.3 to 4.0.4 in core-ingestion. The vulnerable version allowed method injection via POSIX character classes, causing incorrect glob matching. This is a transitive dependency, so only package-lock.json changed.

Type

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Test
  • CI

Changes

  • Bumped picomatch from 4.0.3 → 4.0.4 in core-ingestion/package-lock.json

Validation

Ran npm audit in core-ingestion/ after update. 0 vulnerabilities found.

Checklist

  • Tests pass
  • Smoke tests pass
  • No raw errors introduced
  • CLI output follows Ix format

@jsmikhai @claude
fix(deps): update picomatch to 4.0.4 in core-ingestion
ff0364f 
Resolves Dependabot alert #2 — Method Injection in POSIX Character
Classes causes incorrect Glob Matching (moderate).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@TannerTorrey3 TannerTorrey3 merged commit 75d058c into main Apr 1, 2026
10 checks passed
@TannerTorrey3 TannerTorrey3 deleted the fix/picomatch-vulnerability branch April 3, 2026 01:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@josephismikhail @TannerTorrey3 @jsmikhai