Security: fix Dependabot alert #9 for minimatch (GHSA-7r86-cg39-jmmj)

[slashdevcorpse]

Dependabot Alert

• Alert: chore(deps-dev): bump vite from 7.3.1 to 7.3.2 #9
• Package: minimatch
• Severity: high
• Manifest: pnpm-lock.yaml
• Vulnerable range: >= 10.0.0, < 10.2.3
• Patched version: 10.2.3
• Advisory: GHSA-7r86-cg39-jmmj
• CVE: CVE-2026-27903
• Public advisory: GHSA-7r86-cg39-jmmj

Summary

minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Remediation

• Update the dependency graph so minimatch resolves outside the vulnerable range.
• Regenerate pnpm-lock.yaml.
• Run the app test/build checks and package dry run.
• Confirm GitHub Dependabot marks alert chore(deps-dev): bump vite from 7.3.1 to 7.3.2 #9 resolved after merge.