From d207de82ef61c2caf62faa528db4e3dc57ffa78a Mon Sep 17 00:00:00 2001
From: kolaente
Date: Wed, 25 Mar 2026 23:34:01 +0100
Subject: [PATCH] fix(deps): override picomatch in desktop to fix ReDoS and method injection vulnerabilities

Adds pnpm override for picomatch >=4.0.4 in the desktop workspace since pnpm update alone did not resolve the transitive dependency.
---
 desktop/package.json | 3 ++-
 desktop/pnpm-lock.yaml | 17 +++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/desktop/package.json b/desktop/package.json
index a19cf1233..35b9dc944 100644
--- a/desktop/package.json
+++ b/desktop/package.json
@@ -66,7 +66,8 @@
 "overrides": {
 "minimatch": "^10.2.3",
 "tar": "^7.5.11",
- "@tootallnate/once": "^3.0.1"
+ "@tootallnate/once": "^3.0.1",
+ "picomatch": ">=4.0.4"
 }
 }
 }
diff --git a/desktop/pnpm-lock.yaml b/desktop/pnpm-lock.yaml
index bbe5031dc..766a3c01c 100644
--- a/desktop/pnpm-lock.yaml
+++ b/desktop/pnpm-lock.yaml
@@ -8,6 +8,7 @@ overrides:
 minimatch: ^10.2.3
 tar: ^7.5.11
 '@tootallnate/once': ^3.0.1
+ picomatch: '>=4.0.4'
 importers:
@@ -643,7 +644,7 @@ packages:
 resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
 engines: {node: '>=12.0.0'}
 peerDependencies:
- picomatch: ^3 || ^4
+ picomatch: '>=4.0.4'
 peerDependenciesMeta:
 picomatch:
 optional: true
@@ -1150,8 +1151,8 @@ packages:
 pend@1.2.0:
 resolution: {integrity: sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==}
- picomatch@4.0.3:
- resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==}
+ picomatch@4.0.4:
+ resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
 engines: {node: '>=12'}
 plist@3.1.0:
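Review bot: The new `"picomatch": ">=4.0.4"` override in the package.json hunk has no upper bound, unlike the sibling overrides in the same block (`^10.2.3`, `^7.5.11`, `^3.0.1`), so a future picomatch 5.x would be silently forced onto every consumer in this workspace — including fdir, whose declared peer range `^3 || ^4` is rewritten to `>=4.0.4` in the lockfile hunk. Changing the line to `"picomatch": "^4.0.4"` still pulls in the patched release while keeping the override inside the major the dependents were tested against, and matches the caret style of the other entries. The lockfile shows only a single picomatch@4.0.3 → 4.0.4 entry, so the override does not appear to collapse multiple majors here, but that should be re-checked if other workspaces in this repository also resolve picomatch, since the override is scoped to desktop only. It would also help to cite the advisory identifier the fix addresses in the commit message rather than only naming the vulnerability classes, so the override can be retired once the transitive dependents move past it.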
@@ -2449,9 +2450,9 @@ snapshots:
 dependencies:
 pend: 1.2.0
- fdir@6.5.0(picomatch@4.0.3):
+ fdir@6.5.0(picomatch@4.0.4):
 optionalDependencies:
- picomatch: 4.0.3
+ picomatch: 4.0.4
 filelist@1.0.4:
 dependencies:
@@ -2982,7 +2983,7 @@ snapshots:
 pend@1.2.0: {}
- picomatch@4.0.3: {}
+ picomatch@4.0.4: {}
 plist@3.1.0:
 dependencies:
@@ -3310,8 +3311,8 @@ snapshots:
 tinyglobby@0.2.15:
 dependencies:
- fdir: 6.5.0(picomatch@4.0.3)
- picomatch: 4.0.3
+ fdir: 6.5.0(picomatch@4.0.4)
+ picomatch: 4.0.4
 tmp-promise@3.0.3:
 dependencies: