fix: update minimatch override to resolve high severity ReDoS vulnerabilities #1695

Closed
shrugs wants to merge 2 commits into main from fix/minimatch-audit-vulnerability

Conversation

@shrugs (Collaborator) commented Feb 26, 2026

Summary

  • updated pnpm.overrides for minimatch from <10.2.2 -> >=10.2.2 to <10.2.3 -> ^10.2.3
  • resolves minimatch 10.2.2 (transitive via tsup > sucrase > glob > minimatch) to 10.2.4

Why

  • pnpm audit reported 2 high severity ReDoS vulnerabilities in minimatch >=10.0.0 <10.2.3 (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74)
  • existing override only covered versions below 10.2.2, missing the 10.2.2 version itself

Testing

  • ran pnpm audit --audit-level=moderate before and after — 2 high vulnerabilities resolved, 0 moderate+ remaining

Checklist

  • This PR does not change runtime behavior or semantics
  • This PR is low-risk and safe to review quickly

🤖 Generated with Claude Code

…ties

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@shrugs shrugs requested a review from a team as a code owner February 26, 2026 23:26
Copilot AI review requested due to automatic review settings February 26, 2026 23:26
@changeset-bot bot commented Feb 26, 2026

⚠️ No Changeset found

Latest commit: 09d291d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@vercel bot commented Feb 26, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
admin.ensnode.io | Error | Error | Feb 27, 2026 8:21am
ensnode.io | Error | Error | Feb 27, 2026 8:21am
ensrainbow.io | Error | Error | Feb 27, 2026 8:21am

@coderabbitai bot commented Feb 26, 2026

Walkthrough

Update PNPM dependency override for minimatch package. The version constraint in package.json changes from minimatch@<10.2.2 to minimatch@<10.2.3, with the corresponding lower bound adjusted from >=10.2.2 to >=10.2.3.

Changes

Cohort / File(s) | Summary
PNPM Overrides: package.json | Updated minimatch version constraint from <10.2.2 to <10.2.3 and lower bound from >=10.2.2 to >=10.2.3.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • deps: address security issues #1656: Modifies the minimatch override version bounds in package.json similarly, suggesting a coordinated dependency constraint update across related projects.

Poem

🐰 A tiny hop, a version bump so small,
From 10.2.2 to 10.2.3 we crawl,
Dependencies dance in the override night,
Minimatch moves with a swift, sure bite! ✨

Pre-merge checks: 3 passed

Check name | Status | Explanation
Title check | Passed | The title accurately and specifically describes the main change: updating the minimatch override to resolve high severity ReDoS vulnerabilities.
Description check | Passed | The PR description covers all required template sections with clear, relevant details: summary of changes, explanation of why the fix is needed, testing validation, and completion of the blocking checklist.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@greptile-apps bot commented Feb 26, 2026

Greptile Summary

This PR correctly updates the minimatch dependency override to resolve 2 high severity ReDoS vulnerabilities (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74) affecting versions >=10.0.0 <10.2.3.

  • Updated override from minimatch@<10.2.2 to minimatch@<10.2.3, fixing the gap where version 10.2.2 itself was not covered by the previous override
  • Changed resolution from >=10.2.2 to ^10.2.3, which resolves to 10.2.4
  • All transitive dependencies properly updated in lockfile

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • This is a straightforward security patch that only updates dependency overrides to resolve known vulnerabilities. The change is minimal, well-tested (pnpm audit verified), and does not affect runtime behavior or semantics.
  • No files require special attention

Important Files Changed

Filename | Overview
package.json | Updated minimatch override from <10.2.2 -> >=10.2.2 to <10.2.3 -> ^10.2.3 to address ReDoS vulnerabilities
pnpm-lock.yaml | Auto-generated lockfile update resolving minimatch from 10.2.2 to 10.2.4

Last reviewed commit: ffad371

@greptile-apps bot left a comment

2 files reviewed, no comments

Copilot AI left a comment

Pull request overview

This PR updates the pnpm override for the minimatch package to address two high severity ReDoS (Regular Expression Denial of Service) vulnerabilities in versions >=10.0.0 <10.2.3. The override pattern is adjusted to exclude versions below 10.2.3 and resolve to 10.2.4, which contains the security fixes.

Changes:

  • Updated minimatch override from <10.2.2 -> >=10.2.2 to <10.2.3 -> ^10.2.3
  • Resolved all transitive minimatch dependencies to version 10.2.4 in the lockfile

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File | Description
package.json | Updated pnpm.overrides entry for minimatch to exclude vulnerable versions
pnpm-lock.yaml | Updated all minimatch package resolutions and snapshots to version 10.2.4

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

Copilot AI review requested due to automatic review settings February 27, 2026 08:20
@lightwalker-eth (Member) left a comment

Looks good 👍

"tar@<=7.5.8": ">=7.5.9",
"ajv@<8.18.0": ">=8.18.0",
"minimatch@<10.2.2": ">=10.2.2",
"minimatch@<10.2.3": ">=10.2.3",
Contributor commented:

pnpm-lock.yaml contains outdated minimatch override constraint that doesn't match package.json, causing frozen lockfile configuration mismatch error


Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


"tar@<=7.5.8": ">=7.5.9",
"ajv@<8.18.0": ">=8.18.0",
"minimatch@<10.2.2": ">=10.2.2",
"minimatch@<10.2.3": ">=10.2.3",
Copilot AI commented Feb 27, 2026:

The override selector minimatch@<10.2.3 applies to all minimatch versions below 10.2.3 (including older major versions). Since the reported advisory range is for >=10.0.0 <10.2.3, it would be safer to scope the selector accordingly (e.g. add a >=10.0.0 lower bound) so future dependencies on older minimatch majors aren’t forcibly upgraded to 10.x.

Suggested change
"minimatch@<10.2.3": ">=10.2.3",
"minimatch@>=10.0.0 <10.2.3": ">=10.2.3",

"tar@<=7.5.8": ">=7.5.9",
"ajv@<8.18.0": ">=8.18.0",
"minimatch@<10.2.2": ">=10.2.2",
"minimatch@<10.2.3": ">=10.2.3",
Copilot AI commented Feb 27, 2026:

The override value is >=10.2.3, which can allow a future major minimatch release to be selected. To reduce risk of unintended breaking changes from a security override, consider constraining the override value to the desired major (e.g. ^10.2.3 or >=10.2.3 <11).

Suggested change
"minimatch@<10.2.3": ">=10.2.3",
"minimatch@<10.2.3": ">=10.2.3 <11",

"tar@<=7.5.8": ">=7.5.9",
"ajv@<8.18.0": ">=8.18.0",
"minimatch@<10.2.2": ">=10.2.2",
"minimatch@<10.2.3": ">=10.2.3",
Copilot AI commented Feb 27, 2026:

PR description says the package.json override was changed to ^10.2.3, but the actual override value here is >=10.2.3. Please align the description with the implemented change (or vice-versa) to avoid confusion for reviewers/auditors.

tar@<=7.5.8: '>=7.5.9'
ajv@<8.18.0: '>=8.18.0'
minimatch@<10.2.2: '>=10.2.2'
minimatch@<10.2.3: ^10.2.3
Copilot AI commented Feb 27, 2026:

pnpm-lock.yaml records the minimatch override as ^10.2.3, which does not match package.json (currently >=10.2.3) and also differs from the quoting style used for other override values in the lockfile. Regenerate the lockfile after finalizing the intended override so package.json and pnpm-lock.yaml stay in sync and installs don’t produce churn.

Suggested change
minimatch@<10.2.3: ^10.2.3
minimatch@<10.2.3: '>=10.2.3'

@coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 46: Update the override value for the "minimatch@<10.2.3" entry so it is
constrained to major version 10 rather than open-ended; replace the current
">=10.2.3" range with a range bounded below by 10.2.3 and strictly below 11 (for
example ">=10.2.3 <11.0.0") so future major releases of minimatch are not
automatically pulled.

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 91d7653 and 09d291d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

"tar@<=7.5.8": ">=7.5.9",
"ajv@<8.18.0": ">=8.18.0",
"minimatch@<10.2.2": ">=10.2.2",
"minimatch@<10.2.3": ">=10.2.3",
Contributor commented:

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, check if package.json exists and show line 46
echo "=== Current package.json line 46 ==="
if [ -f "package.json" ]; then
  sed -n '46p' package.json
else
  echo "package.json not found"
  exit 1
fi

# Check the full pnpm overrides section if it exists
echo ""
echo "=== Full pnpm.overrides section ==="
jq '.pnpm.overrides // "No pnpm overrides found"' package.json 2>/dev/null || echo "Could not read pnpm.overrides"

# Check minimatch current version info from npm registry
echo ""
echo "=== Minimatch on npm registry ==="
if command -v curl &> /dev/null; then
  MINIMATCH_INFO=$(curl -s https://registry.npmjs.org/minimatch 2>/dev/null || echo "")
  if [ -n "$MINIMATCH_INFO" ]; then
    echo "Latest tag: $(echo "$MINIMATCH_INFO" | jq -r '."dist-tags".latest // "N/A"' 2>/dev/null)"
    echo "Available versions (last 10):"
    echo "$MINIMATCH_INFO" | jq -r '.versions | keys | .[-10:] | .[]' 2>/dev/null || echo "Could not extract versions"
  else
    echo "Could not fetch from npm registry"
  fi
else
  echo "curl not available"
fi

Repository: namehash/ensnode

Length of output: 740


Constrain the override to the patched major to avoid accidental future breakage.

Using >=10.2.3 is open-ended and will pull future major releases of minimatch when they are published. For a security-only fix, pinning within major 10 is safer and still resolves the ReDoS vulnerability in <10.2.3.

🔧 Proposed fix
-      "minimatch@<10.2.3": ">=10.2.3",
+      "minimatch@<10.2.3": "^10.2.3",
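Review bot: the `+` line commits to `^10.2.3` while the AI-agent prompt for the same finding asks for `>=10.2.3 <11.0.0`; the two ranges are equivalent within major 10, but the comment should settle on one form so the reader knows which to apply. `^10.2.3` is the value the pnpm-lock.yaml snippet earlier in this thread already records (`minimatch@<10.2.3: ^10.2.3`), so it also clears the frozen-lockfile mismatch reported on this PR without another lockfile regeneration. The selector on both the `-` and `+` lines remains the open `<10.2.3`; the `>=10.0.0` lower bound Copilot suggested for the key is not addressed by this fix.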
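Both Copilot's inline comments and CodeRabbit's finding above turn on two questions about a pnpm override: which versions the selector in the key matches, and which versions the replacement value admits. The following is an added example, not code from the ensnode repository or from any of the review bots: a small checker for the semver subset these overrides use, with `auditOverride` encoding the two review points; the parser and the assumption that this subset covers the ranges quoted on this page are the example's own.

```javascript
// Added example, not code from the ensnode repo. A minimal checker for the
// semver subset used by the pnpm.overrides keys and values on this PR
// (>=, >, <, <=, =, caret ranges, space-separated AND; "<11" means "<11.0.0").
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Expand a range into [op, version] comparators that must all hold.
function parseRange(range) {
  return range.trim().split(/\s+/).flatMap((part) => {
    const m = /^(\^|>=|<=|>|<|=)?([\d.]+)$/.exec(part);
    if (!m) throw new Error(`unsupported range part: ${part}`);
    const op = m[1] || '=';
    const ver = parseVersion(m[2]);
    if (op !== '^') return [[op, ver]];
    // ^x.y.z keeps the leftmost non-zero component fixed.
    const upper = ver[0] > 0 ? [ver[0] + 1, 0, 0]
      : ver[1] > 0 ? [0, ver[1] + 1, 0] : [0, 0, ver[2] + 1];
    return [['>=', ver], ['<', upper]];
  });
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every(([op, bound]) => {
    const c = compareVersions(v, bound);
    return { '>=': c >= 0, '>': c > 0, '<': c < 0, '<=': c <= 0, '=': c === 0 }[op];
  });
}

// The two review points on this PR as checks. `selector` is the part of the
// override key after "@"; `replacement` is the override value.
function auditOverride(selector, replacement) {
  const ops = (r) => parseRange(r).map(([op]) => op);
  const issues = [];
  // No lower bound: older majors (e.g. minimatch 3.x) would be rewritten too.
  if (!ops(selector).some((op) => op === '>=' || op === '>' || op === '='))
    issues.push('selector has no lower bound');
  // No upper bound: a future major would be pulled in by a security-only fix.
  if (!ops(replacement).some((op) => op === '<' || op === '<=' || op === '='))
    issues.push('replacement has no upper bound');
  return issues;
}
```

Running `auditOverride('<10.2.3', '>=10.2.3')` reports both issues raised on this PR, while `auditOverride('>=10.0.0 <10.2.3', '^10.2.3')` reports none.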

@shrugs (Collaborator, Author) commented Feb 27, 2026

superseded by #1696

@shrugs shrugs closed this Feb 27, 2026
@shrugs shrugs deleted the fix/minimatch-audit-vulnerability branch February 27, 2026 16:26