revert: remove global minimatch resolution that broke glob@10/11 #963

Merged
brendan-kellam merged 2 commits into main from brendan/revert-minimatch-resolution
Feb 27, 2026

@brendan-kellam brendan-kellam commented Feb 27, 2026

Summary

  • Reverts chore(deps): bump minimatch to ^3.1.3 #957 which added a global "minimatch": "^3.1.3" resolution
  • That resolution forced all minimatch instances to v3.x, breaking glob@10/11 used by @sourcebot/backend, @sourcebot/schemas, and react-email — these packages require minimatch@9+ for the GLOBSTAR named export
  • Without the global override, Yarn resolves each package to the minimatch version it actually needs (3.x, 8.x, 9.x, or 10.x)

Security verification

All resolved versions are above the patched thresholds for every known minimatch CVE:

Version | CVE-2022-3517 (patch: 3.0.5) | CVE-2026-26996 (patches: 3.1.3 / 8.0.5 / 9.0.6 / 10.2.1) | CVE-2026-27903 (patches: 3.1.3 / 8.0.6 / 9.0.7 / 10.2.3)
minimatch@3.1.5 (eslint, nodemon, glob@7)
minimatch@8.0.7 (glob@9 / sentry)
minimatch@9.0.9 (glob@10, @typescript-eslint)
minimatch@10.2.4 (glob@11 / backend / schemas)

Test plan

  • yarn dev starts without SyntaxError: The requested module 'minimatch' does not provide an export named 'GLOBSTAR'
  • yarn why minimatch shows all versions at or above their respective patched thresholds

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated dependency resolution configuration to streamline package management settings.

Reverts #957. The global `"minimatch": "^3.1.3"` resolution forced all
minimatch instances to v3.x, which broke `glob@10/11` used by
`@sourcebot/backend`, `@sourcebot/schemas`, and `react-email` — these
require `minimatch@9+` for the `GLOBSTAR` export.

All resolved versions (3.1.5, 8.0.7, 9.0.9, 10.2.4) are above the
patched thresholds for CVE-2022-3517, CVE-2026-26996, and CVE-2026-27903.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
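
The per-major check behind the "Security verification" table can be scripted. This is an added example, not code from this PR or the Sourcebot repository: it takes the patched thresholds from the table and flags any resolved minimatch version that falls below the threshold for its own major line. The function names, the handling of majors the table does not list, and the second input list are assumptions made for illustration.

```javascript
// Patched thresholds per minimatch major line, copied from the PR's table.
const PATCHED = {
  "CVE-2022-3517": { 3: "3.0.5" },
  "CVE-2026-26996": { 3: "3.1.3", 8: "8.0.5", 9: "9.0.6", 10: "10.2.1" },
  "CVE-2026-27903": { 3: "3.1.3", 8: "8.0.6", 9: "9.0.7", 10: "10.2.3" },
};

// Parse a plain "x.y.z" version; anything else (ranges, prereleases) is rejected.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a >= version b, compared numerically field by field.
function gte(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return true;
}

// Status of one resolved version against one CVE: "patched", "vulnerable" or "unknown".
function status(version, cve) {
  const lines = PATCHED[cve];
  const major = parse(version)[0];
  if (lines[major]) return gte(version, lines[major]) ? "patched" : "vulnerable";
  // Assumption: a major newer than every listed line shipped with the fix;
  // an unlisted older or in-between major is reported as unknown (fail closed).
  const newest = Math.max(...Object.keys(lines).map(Number));
  return major > newest ? "patched" : "unknown";
}

// Return every (version, cve, status) finding that is not "patched".
function audit(versions) {
  const findings = [];
  for (const version of versions)
    for (const cve of Object.keys(PATCHED)) {
      const s = status(version, cve);
      if (s !== "patched") findings.push({ version, cve, status: s });
    }
  return findings;
}

// Resolved versions listed in the PR; the second list is constructed to show failures.
const resolved = ["3.1.5", "8.0.7", "9.0.9", "10.2.4"];
console.log(audit(resolved));
console.log(audit(["9.0.6", "5.1.6"]));
```
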

coderabbitai bot commented Feb 27, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd5ac2b and 179f566.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • package.json

Walkthrough

Removed a minimatch version resolution from package.json and its corresponding changelog entry. These changes revert an earlier version pin that specified minimatch at ^3.1.3 via yarn resolutions.

Changes

Cohort / File(s) | Summary
Dependency Resolution Cleanup (CHANGELOG.md, package.json) | Removed minimatch entry from packageManager resolutions and deleted the corresponding changelog note documenting the version bump.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

@brendan-kellam brendan-kellam merged commit 7f7516c into main Feb 27, 2026
5 checks passed
@brendan-kellam brendan-kellam deleted the brendan/revert-minimatch-resolution branch February 27, 2026 22:56