fix(deps): override picomatch in desktop to fix ReDoS and method injection vulnerabilities

Adds pnpm override for picomatch >=4.0.4 in the desktop workspace
since pnpm update alone did not resolve the transitive dependency.
kolaente 2026-03-25 23:34:01 +01:00
parent 98ac119f44
commit d207de82ef
No known key found for this signature in database
GPG Key ID: F40E70337AB24C9B
2 changed files with 11 additions and 9 deletions


@ -66,7 +66,8 @@
"overrides": {
"minimatch": "^10.2.3",
"tar": "^7.5.11",
"@tootallnate/once": "^3.0.1"
"@tootallnate/once": "^3.0.1",
"picomatch": ">=4.0.4"
}
}
}
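Review bot: The new `"picomatch": ">=4.0.4"` entry has no upper bound, while the three sibling overrides in the same block are caret ranges, so a later lockfile regeneration could resolve a new picomatch major for every dependent regardless of what that dependent declared. The lockfile section of this commit already shows the override replacing declared ranges: fdir's peer range `^3 || ^4` becomes `>=4.0.4`. Bounding the entry to the patched major, `"picomatch": "^4.0.4"`, keeps the fix and avoids an unreviewed major upgrade arriving through a security override. If anything in this workspace still depends on an older picomatch major (none is visible in the hunks shown), a selector-scoped key such as `"picomatch@<4.0.4": "^4.0.4"` would limit the replacement to the vulnerable versions. The enclosing object opens above the hunk.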


@ -8,6 +8,7 @@ overrides:
minimatch: ^10.2.3
tar: ^7.5.11
'@tootallnate/once': ^3.0.1
picomatch: '>=4.0.4'
importers:
@ -643,7 +644,7 @@ packages:
resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
engines: {node: '>=12.0.0'}
peerDependencies:
picomatch: ^3 || ^4
picomatch: '>=4.0.4'
peerDependenciesMeta:
picomatch:
optional: true
@ -1150,8 +1151,8 @@ packages:
pend@1.2.0:
resolution: {integrity: sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==}
picomatch@4.0.3:
resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==}
picomatch@4.0.4:
resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
engines: {node: '>=12'}
plist@3.1.0:
@ -2449,9 +2450,9 @@ snapshots:
dependencies:
pend: 1.2.0
fdir@6.5.0(picomatch@4.0.3):
fdir@6.5.0(picomatch@4.0.4):
optionalDependencies:
picomatch: 4.0.3
picomatch: 4.0.4
filelist@1.0.4:
dependencies:
@ -2982,7 +2983,7 @@ snapshots:
pend@1.2.0: {}
picomatch@4.0.3: {}
picomatch@4.0.4: {}
plist@3.1.0:
dependencies:
@ -3310,8 +3311,8 @@ snapshots:
tinyglobby@0.2.15:
dependencies:
fdir: 6.5.0(picomatch@4.0.3)
picomatch: 4.0.3
fdir: 6.5.0(picomatch@4.0.4)
picomatch: 4.0.4
tmp-promise@3.0.3:
dependencies: