
fix(security): upgrade picomatch, @hono/node-server, and glob to fix CVEs #394

Merged
Aryansharma28 merged 2 commits into main from fix/dependabot-security-alerts-281-198-67
May 4, 2026

Conversation


@sergioestebance sergioestebance commented May 1, 2026

Summary

Resolves three high-severity Dependabot security alerts by adding pnpm.overrides to force patched transitive dependency versions:

  • picomatch >=2.3.2 / >=4.0.4: CVE-2026-33671 (ReDoS via extglob quantifiers)
  • @hono/node-server >=1.19.10: CVE-2026-29087 (authorization bypass for protected static paths via encoded slashes)
  • glob >=10.5.0: CVE-2025-64756 (CLI command injection via -c/--cmd with shell:true)

Affected lockfiles

| Lockfile | picomatch | @hono/node-server | glob |
| --- | --- | --- | --- |
| javascript/pnpm-lock.yaml | 2.3.1→2.3.2, 4.0.3→4.0.4 | | |
| docs/pnpm-lock.yaml | 2.3.1→2.3.2, 4.0.2→4.0.4 | 1.19.6→2.0.1 | 10.4.5→10.5.0 |
| python/examples/lovable_clone/template/pnpm-lock.yaml | 2.3.1→2.3.2, 4.0.3→4.0.4 | | |

Closes https://github.com/langwatch/scenario/security/dependabot/281
Closes https://github.com/langwatch/scenario/security/dependabot/198
Closes https://github.com/langwatch/scenario/security/dependabot/67

Test plan

  • pnpm install --lockfile-only succeeds in all affected directories
  • Lockfiles contain only patched versions of the affected packages
  • CI passes (no runtime regressions from version bumps)
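An added check for the "lockfiles contain only patched versions" item of the test plan (example code written for this page, not part of the PR or the project): it scans a pnpm-lock.yaml for the three overridden packages and reports any resolved version below the patched minimum for its major line, so a 2.x picomatch is held to 2.3.2 and a 4.x one to 4.0.4. It assumes the pnpm v9 layout where package keys sit at two-space indentation as `name@version` (older lockfiles with a leading slash are handled too); the sample lockfile is constructed.

```javascript
// Added example (not from the PR): report lockfile entries of the overridden
// packages still below the patched minimum for their major line (ranges per PR).
const PATCHED = {
  picomatch: { 2: '2.3.2', 4: '4.0.4' },
  '@hono/node-server': { 1: '1.19.10' },
  glob: { 10: '10.5.0' },
};

// Numeric compare of dotted versions, so "1.19.10" sorts above "1.19.6".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect {name, version} from package keys. Assumed pnpm v9 layout: keys at
// two-space indent, "name@x.y.z:" or "'@scope/name@x.y.z':" (pre-v9 adds a "/").
function parseLockfilePackages(lockfileText) {
  const found = [];
  for (const line of lockfileText.split('\n')) {
    const m = /^ {2}'?\/?((?:@[^\/@\s']+\/)?[^\/@\s']+)@(\d+\.\d+\.\d+)/.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Return overridden packages whose resolved version is still unpatched. A major
// line absent from PATCHED is outside the listed ranges and is skipped.
function findUnpatched(lockfileText, patched = PATCHED) {
  const unpatched = [], seen = new Set();
  for (const { name, version } of parseLockfilePackages(lockfileText)) {
    if (!(name in patched) || seen.has(name + '@' + version)) continue;
    seen.add(name + '@' + version);
    const minimum = patched[name][version.split('.')[0]];
    if (minimum && compareVersions(version, minimum) < 0) unpatched.push({ name, version, minimum });
  }
  return unpatched;
}

// Constructed sample: a docs/pnpm-lock.yaml fragment before the overrides.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  '@hono/node-server@1.19.6':
    resolution: {integrity: sha512-constructed}
  glob@10.4.5:
  picomatch@2.3.1:
  picomatch@4.0.4:
`;
console.log(findUnpatched(SAMPLE_LOCKFILE));
```

Run it against each lockfile in the affected-lockfiles table; an empty array means every resolved version of the three packages is at or above the patched minimum.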

@sergioestebance sergioestebance self-assigned this May 1, 2026
@sergioestebance sergioestebance added the dependencies Pull requests that update a dependency file label May 1, 2026
@sergioestebance sergioestebance force-pushed the fix/dependabot-security-alerts-281-198-67 branch from eb95c6a to a0a6c2e May 1, 2026 22:43
@sergioestebance sergioestebance (Contributor, Author) commented

Security Impact Assessment

Deep analysis of each dependency upgrade to confirm safety before merging.


1. picomatch — 2.3.1→2.3.2, 4.0.3→4.0.4 (CVE-2026-33671)

Where is it used? Transitive dependency only — pulled in by micromatch, anymatch, tinyglobby, fdir, which are themselves dependencies of dev/build tooling: vite, vitest, jest, eslint, tsup.

Is it in production? No. Zero direct imports of picomatch anywhere in the source code. The published @langwatch/scenario npm package ships only the dist/ folder (per the "files" field). picomatch is not bundled — it's only used at build/test time.

Affected lockfiles:

  • javascript/pnpm-lock.yaml — dev tooling (vitest, jest, eslint, tsup)
  • docs/pnpm-lock.yaml — docs build (vite, rollup)
  • python/examples/lovable_clone/template/pnpm-lock.yaml — example app (vite)

Breaking changes? None. Both 2.3.2 and 4.0.4 are patch releases containing only the ReDoS security fix. No API changes.

Verdict: ✅ Safe to merge. Dev-only, patch-level security fix, no behavioral changes.


2. @hono/node-server — 1.19.6→1.19.10 (CVE-2026-29087)

Where is it used? Transitive dependency of vocs (the docs site builder), used only in docs/.

Is it in production? No. The docs site builds to static HTML deployed to GitHub Pages. @hono/node-server is used only by the vocs dev server (vocs dev, vocs preview) — it has zero runtime presence in the deployed site or the npm package.

Version pinning: Initially the override resolved to 2.0.1 (a major version jump). This was corrected — the override now pins to 1.19.10 (same major version, minimum patched release) to avoid any potential breaking changes from the 1.x→2.x boundary.

Breaking changes? None. 1.19.6→1.19.10 is a patch-level bump within the same minor version. Only contains the URL-decoding security fix.

Node.js compatibility: 1.19.10 requires Node >=18.14.1 (same as 1.19.6). CI uses Node 24.x and LTS (22.x) — fully compatible.

Verdict: ✅ Safe to merge. Docs-only, dev-server-only, patch-level fix, static output unaffected.


3. glob — 10.4.5→10.5.0 (CVE-2025-64756)

Where is it used? Transitive dependency in docs/pnpm-lock.yaml only, pulled in by @npmcli/map-workspaces, @npmcli/package-json, and unified-engine (markdown processing for docs).

Is it in production? No. Not a dependency of the @langwatch/scenario npm package at all. javascript/pnpm-lock.yaml already had glob@10.5.0 (patched).

Does the CVE apply? No, even in docs. CVE-2025-64756 only affects the glob CLI (glob -c/--cmd with shell: true). Searched all scripts, CI workflows, and Makefiles — zero usage of glob -c or glob --cmd anywhere. The glob library API (which is what the transitive dependents use) is unaffected.

Breaking changes? None. 10.4.5→10.5.0 is a minor version bump. The CLI fix changes internal shell execution behavior; the library API is unchanged.

Verdict: ✅ Safe to merge. Docs-only transitive dep, CVE doesn't apply to library usage, minor version bump.


Summary

| Package | Production code? | Shipped in npm? | Version bump type | Breaking changes? | CVE applies? |
| --- | --- | --- | --- | --- | --- |
| picomatch | ❌ Dev/build only | | Patch (2.3.1→2.3.2, 4.0.3→4.0.4) | | Theoretical (ReDoS with untrusted globs) |
| @hono/node-server | ❌ Docs dev server only | | Patch (1.19.6→1.19.10) | | Theoretical (auth bypass on static paths) |
| glob | ❌ Docs build tooling only | | Minor (10.4.5→10.5.0) | | ❌ CLI-only, not used |

All three vulnerabilities are in transitive dev/build dependencies that never reach production. The actual security risk to this project is negligible, but the overrides are the right fix for Vanta/compliance — they eliminate the alerts with zero risk of regression.

Risk of breakage

None. All version bumps are patch or minor, all packages are dev-time only, and none are directly imported. The lockfiles regenerated cleanly with pnpm install --lockfile-only.

@sergioestebance sergioestebance force-pushed the fix/dependabot-security-alerts-281-198-67 branch 2 times, most recently from e132c44 to 71500ed May 2, 2026 00:01
@Aryansharma28 Aryansharma28 force-pushed the fix/dependabot-security-alerts-281-198-67 branch from dfebae4 to 560fe2c May 4, 2026 13:34
@github-actions github-actions Bot added the low-risk-change PR qualifies as low-risk per policy and can be merged without manual review label May 4, 2026
@Aryansharma28 Aryansharma28 force-pushed the fix/dependabot-security-alerts-281-198-67 branch from 6be5a40 to a0ab1ed May 4, 2026 14:06
@github-actions github-actions Bot removed the low-risk-change PR qualifies as low-risk per policy and can be merged without manual review label May 4, 2026
…CVEs

Override transitive dependencies to patched versions:
- picomatch >=2.3.2 / >=4.0.4 (CVE-2026-33671, ReDoS via extglob)
- @hono/node-server >=1.19.10 (CVE-2026-29087, auth bypass via encoded slashes)
- glob >=10.5.0 (CVE-2025-64756, CLI command injection via shell:true)

Resolves dependabot alerts #281, #198, #67.
@Aryansharma28 Aryansharma28 force-pushed the fix/dependabot-security-alerts-281-198-67 branch from a0ab1ed to bc6eac2 May 4, 2026 14:13
Aryansharma28 added a commit that referenced this pull request May 4, 2026
chore(tests): remove flaky live-LLM travel-agent example test

The test runs 9 scripted live LLM turns with sequential weather +
accommodation tool calls under a 180s timeout. It has been timing out
or failing tool-call assertions on unrelated PRs (e.g. #394's
dependency overrides change).

Coverage is preserved: multi-tool agent flow is already demonstrated
deterministically by `database-tool-mocking.test.ts`, and the
live-LLM single-tool pattern is in `weather-agent.test.ts`.

Follow-up to #423 and #424.
github-actions Bot commented May 4, 2026

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

This PR's diff exceeds the size limit for automated low-risk evaluation. Manual review required.

This PR requires a manual review before merging.

@Aryansharma28 Aryansharma28 merged commit 4395e52 into main May 4, 2026
9 checks passed
@Aryansharma28 Aryansharma28 deleted the fix/dependabot-security-alerts-281-198-67 branch May 4, 2026 14:57