fix(deps): fix minimatch only for eslint #71

Merged: timoa merged 1 commit into main from fix/fix-minimatch-vulnerability on Mar 2, 2026

@timoa timoa commented Mar 2, 2026

Description

The previous release had a build issue. The root cause was that the flat "minimatch": ">=10.2.3" override forced all consumers — including @vscode/vsce which requires ^3.0.3 — onto v10, which dropped the CommonJS default export that @vscode/vsce depends on. The fix replaces it with a scoped override "@typescript-eslint/typescript-estree>minimatch": ">=9.0.7" that only targets the specific vulnerable path, leaving @vscode/vsce's v3 minimatch untouched.

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that changes existing behaviour)
  • Documentation update
  • Refactor/code quality improvement
  • Dependency update

Checklist

Code quality

  • My commit messages follow Conventional Commits (e.g. feat:, fix:, docs:, chore:)
  • I have not introduced any TypeScript types without justification
  • I have not left debug code, console.log, or commented-out blocks

Testing

  • I have tested the changes locally by pressing F5 in VSCode to launch the Extension Development Host
  • I have run pnpm test, and all tests pass
  • I have run pnpm lint, and there are no lint errors
  • I have added or updated tests to cover my changes (if applicable)

Build & compatibility

  • I have run pnpm run compile and pnpm run webpack without errors
  • The extension works in VSCode (and ideally Cursor/Windsurf)

Documentation

  • I have updated the README.md if my change adds a new feature, keyboard shortcut, or changes existing behaviour
  • I have updated or added JSDoc comments for non-obvious logic (if applicable)

Screenshots/recordings

Summary by CodeRabbit

  • Chores
    • Updated build system dependency configuration to refine package resolution.
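
The flat-versus-scoped override behaviour described in this PR, as an added example (not code from this repository): a small model of which dependency edges a `pnpm.overrides` key rewrites, checked against the range each parent declares. The `^9.0.4` range for `@typescript-eslint/typescript-estree` is a constructed placeholder, and `auditOverrides` and its helpers are hypothetical names.

```javascript
// Added example: which dependency edges a pnpm.overrides key rewrites, and
// whether the forced range is compatible with what each parent declares.
// Handles only the two key forms and two range forms seen in this PR.
const edges = [
  { parent: "@vscode/vsce", dep: "minimatch", range: "^3.0.3" }, // from the PR text
  // Constructed placeholder: the page does not state this declared range.
  { parent: "@typescript-eslint/typescript-estree", dep: "minimatch", range: "^9.0.4" },
];

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Inclusive lower bound and exclusive upper bound (null = no cap).
function bounds(range) {
  if (range.startsWith(">=")) return { min: parse(range.slice(2)), max: null };
  if (range.startsWith("^")) {
    const min = parse(range.slice(1));
    return { min, max: [min[0] + 1, 0, 0] }; // caret rule for major >= 1
  }
  throw new Error(`unsupported range form: ${range}`);
}

// "dep" matches every edge to dep; "parent>dep" matches only that parent's edge.
function applies(key, edge) {
  const i = key.lastIndexOf(">");
  if (i === -1) return key === edge.dep;
  return key.slice(0, i) === edge.parent && key.slice(i + 1) === edge.dep;
}

function auditOverrides(overrides, graph) {
  const findings = [];
  for (const [key, forced] of Object.entries(overrides)) {
    for (const edge of graph.filter((e) => applies(key, e))) {
      const f = bounds(forced), d = bounds(edge.range);
      const lo = cmp(f.min, d.min) > 0 ? f.min : d.min;
      const hi = [f.max, d.max].filter(Boolean).sort(cmp)[0] ?? null;
      let status = "partial"; // overlap, but forced range admits undeclared versions
      if (hi && cmp(lo, hi) >= 0) status = "disjoint"; // no version satisfies both
      else if (cmp(f.min, d.min) >= 0 && (!d.max || (f.max && cmp(f.max, d.max) <= 0)))
        status = "within";
      findings.push({ key, parent: edge.parent, declared: edge.range, forced, status });
    }
  }
  return findings;
}

const flat = auditOverrides({ minimatch: ">=10.2.3" }, edges);
const scoped = auditOverrides(
  { "@typescript-eslint/typescript-estree>minimatch": ">=9.0.7" }, edges);
console.log(flat, scoped);
```

The flat key rewrites both edges and is disjoint from `^3.0.3`; the scoped key touches only the typescript-estree edge, where `>=9.0.7` overlaps the declared range but sets no upper bound.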

@timoa timoa self-assigned this Mar 2, 2026

coderabbitai bot commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2538de2 and ee6b3be.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Walkthrough

Replaced a global minimatch version override with a scoped override for minimatch as a dependency of @typescript-eslint/typescript-estree in pnpm.overrides, updating the minimum version requirement from >=10.2.3 to >=9.0.7.

Changes

Cohort / File(s) | Summary
Dependency Override Update (package.json) | Changed pnpm.overrides from global minimatch constraint (>=10.2.3) to scoped @typescript-eslint/typescript-estree>minimatch constraint (>=9.0.7), narrowing the dependency override target.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested labels

bug

Poem

🐰 A tiny hop through deps so deep,
Where minimatch versions are stowed and keep,
From global reach to scoped delight,
TypeScript-estree now gets it right,
One rabbit's fix, so small yet precise!

🚥 Pre-merge checks: ✅ 3 passed

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely describes the main change: replacing a global minimatch override with a scoped override targeting only the eslint dependency path.
Description check | ✅ Passed | The description covers all key information: explains the problem, describes the solution, indicates type as dependency update, and includes completed checklist items demonstrating testing and build validation.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



github-actions bot commented Mar 2, 2026

🩺 React Doctor

react-doctor v0.0.29

✔ Select projects to scan › workflow-visual-editor
No feature branch or uncommitted changes detected. Running full scan.

Scanning /home/runner/work/workflow-editor/workflow-editor...

  ⚠ Array index "idx" used as key — causes bugs when list is reordered or filtered (12)
    Use a stable unique identifier: `key={item.id}` or `key={item.slug}` — index keys break on reorder/filter
    src/components/TriggerNode.tsx: 26
    src/components/JobPropertyPanel.tsx: 885
    src/components/SourceCodeDialog.tsx: 206
    src/webview/components/TriggerNode.tsx: 26
    src/webview/App.tsx: 649
    src/webview/components/JobPropertyPanel.tsx: 885
    src/webview/components/SourceCodeDialog.tsx: 220
    src/components/TriggerPropertyPanel.tsx: 144
    src/components/TriggerBadge.tsx: 64
    src/webview/components/TriggerPropertyPanel.tsx: 144
    src/webview/components/TriggerBadge.tsx: 64
    src/App.tsx: 632

  ⚠ Enforce a clickable non-interactive element has at least one keyboard event listener. (20)
    Visible, non-interactive elements with click handlers must have one of `keyup`, `keydown`, or `keypress` listener.
    src/components/PasteYamlDialog.tsx: 21, 28
    src/components/JobPropertyPanel.tsx: 1017
    src/components/SourceCodeDialog.tsx: 146, 153
    src/components/ConfirmDialog.tsx: 30, 37
    src/webview/components/PasteYamlDialog.tsx: 21, 28
    src/components/RunScriptDialog.tsx: 111, 118
    src/webview/App.tsx: 533
    src/webview/components/JobPropertyPanel.tsx: 1017
    src/webview/components/SourceCodeDialog.tsx: 160, 167
    src/webview/components/ConfirmDialog.tsx: 30, 37
    src/webview/components/RunScriptDialog.tsx: 123, 130
    src/App.tsx: 489

  ⚠ Static HTML elements with event handlers require a role. (10)
    Add a role attribute to this element, or use a semantic HTML element instead.
    src/components/PasteYamlDialog.tsx: 28
    src/components/JobPropertyPanel.tsx: 1017
    src/components/SourceCodeDialog.tsx: 153
    src/components/ConfirmDialog.tsx: 37
    src/webview/components/PasteYamlDialog.tsx: 28
    src/components/RunScriptDialog.tsx: 118
    src/webview/components/JobPropertyPanel.tsx: 1017
    src/webview/components/SourceCodeDialog.tsx: 167
    src/webview/components/ConfirmDialog.tsx: 37
    src/webview/components/RunScriptDialog.tsx: 130

  ⚠ A form label must be associated with a control. (45)
    Either give the label a `htmlFor` attribute with the id of the associated control, or wrap the label around the control.
    src/components/JobPropertyPanel.tsx: 200, 212, 219, 277, 359, 401, 426, 494, 851, 874, 915
    src/webview/components/JobPropertyPanel.tsx: 200, 212, 219, 277, 359, 401, 426, 494, 851, 874, 915
    src/components/WorkflowPropertyPanel.tsx: 71, 81, 92
    src/components/TriggerPropertyPanel.tsx: 130, 158, 175, 219, 263, 325, 369, 414
    src/webview/components/WorkflowPropertyPanel.tsx: 71, 81, 92
    src/webview/components/TriggerPropertyPanel.tsx: 130, 158, 175, 219, 263, 325, 369, 414, 432

  ⚠ Component "JobPropertyPanel" is 1016 lines — consider breaking it into smaller focused components (6)
    Extract logical sections into focused components: `<UserHeader />`, `<UserActions />`, etc.
    src/components/JobPropertyPanel.tsx: 40
    src/webview/App.tsx: 56
    src/webview/components/JobPropertyPanel.tsx: 40
    src/components/TriggerPropertyPanel.tsx: 48
    src/webview/components/TriggerPropertyPanel.tsx: 48
    src/App.tsx: 56

  ⚠ 3 setState calls in a single useEffect — consider using useReducer or deriving state (3)
    Combine into useReducer: `const [state, dispatch] = useReducer(reducer, initialState)`
    src/components/JobPropertyPanel.tsx: 139
    src/webview/App.tsx: 105
    src/webview/components/JobPropertyPanel.tsx: 139

  ⚠ "@codemirror/view" is a heavy library — use React.lazy() or next/dynamic for code splitting (8)
    Use `const Component = dynamic(() => import('library'), { ssr: false })` from next/dynamic or React.lazy()
    src/components/SourceCodeDialog.tsx: 2, 3
    src/components/RunScriptDialog.tsx: 2, 3
    src/webview/components/SourceCodeDialog.tsx: 2, 3
    src/webview/components/RunScriptDialog.tsx: 2, 3

  ⚠ Component "AppInner" has 13 useState calls — consider useReducer for related state (2)
    Group related state: `const [state, dispatch] = useReducer(reducer, { field1, field2, ... })`
    src/webview/App.tsx: 56
    src/App.tsx: 56

  React Doctor (www.react.doctor)
  94 / 100  Great
  ⚠ 106 warnings  across 20/64 files  in 711ms

  Full diagnostics written to /tmp/react-doctor-56482496-2e83-42e5-a9a1-7fa6587ea927

  Share your results: https://www.react.doctor/share?p=workflow-visual-editor&s=94&w=106&f=20


codecov bot commented Mar 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.68%. Comparing base (2538de2) to head (ee6b3be).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #71   +/-   ##
=======================================
  Coverage   93.68%   93.68%           
=======================================
  Files           8        8           
  Lines         269      269           
  Branches      101      101           
=======================================
  Hits          252      252           
  Misses          1        1           
  Partials       16       16           


@timoa timoa merged commit 232296c into main Mar 2, 2026
8 checks passed
@timoa timoa deleted the fix/fix-minimatch-vulnerability branch March 2, 2026 08:35

timoa-bot bot commented Mar 2, 2026

🎉 This PR is included in version 1.2.34 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@timoa-bot timoa-bot bot added the released label Mar 2, 2026