fix: remediate all HIGH severity transitive dependency vulnerabilities #3
devin-ai-integration[bot] wants to merge 3 commits into main from
…lnerabilities

Adds overrides to resolve 6 HIGH severity vulnerabilities in transitive dependencies:
- brace-expansion@1: 1.1.13 (CVE-2026-33750 - Infinite Loop)
- brace-expansion@2: 2.0.3 (CVE-2026-33750 - Infinite Loop)
- minimatch@3: 3.1.3 (CVE-2026-26996 - ReDoS)
- minimatch@9: 9.0.6 (CVE-2026-26996 - ReDoS)
- minimatch@10: 10.2.1 (CVE-2026-26996 - ReDoS)
- picomatch: 2.3.2 (CVE-2026-33671 - ReDoS)

All vulnerabilities are transitive via @rx-angular/cdk -> ng-morph.

Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>
Updated overrides for additional CVEs discovered in previous fix versions:
- minimatch@9: 9.0.6 -> 9.0.7 (CVE-2026-27904, CVE-2026-27903)
- minimatch@10: 10.2.1 -> 10.2.3 (CVE-2026-27904, CVE-2026-27903)

Snyk re-scan confirms: 0 HIGH severity vulnerabilities remaining.

Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>
| "minimatch@3": "3.1.3", | ||
| "minimatch@9": "9.0.7", | ||
| "minimatch@10": "10.2.3", | ||
| "picomatch": "2.3.2" |
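Review bot: the `"picomatch": "2.3.2"` entry on the last line is the only override key without a major-version selector, so unlike `minimatch@3`, `minimatch@9` and `minimatch@10` it rewrites every picomatch instance in the tree, including consumers that declare a 4.x range, and pins them to a lower major. Scope it the same way as its siblings, `"picomatch@2": "2.3.2"`, and regenerate the lockfile so the 4.x consumers resolve back to their own version.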
🔴 Unscoped picomatch override downgrades picomatch 4.x to 2.x for all consumers
The "picomatch": "2.3.2" override lacks version scoping (unlike the other overrides which use @version syntax), so it forces all picomatch instances to version 2.3.2—including packages that depend on picomatch 4.x. The package-lock.json confirms that vite, vitest, @angular/build, @angular-devkit/core, @parcel/watcher, and tinyglobby all had their picomatch 4.0.3 dependency downgraded to 2.3.2. This is a breaking major version downgrade that can cause runtime failures in the build toolchain, dev server, and test runner since picomatch 4.x has a different API surface from 2.x.
Evidence from package-lock.json
All these packages now resolve picomatch to 2.3.2 instead of 4.0.3:
- node_modules/vite/node_modules/picomatch → 2.3.2 (expects ^4.0.3)
- node_modules/vitest/node_modules/picomatch → 2.3.2 (expects ^4.0.3)
- node_modules/@angular/build/node_modules/picomatch → 2.3.2 (expects 4.0.3)
- node_modules/@angular-devkit/core/node_modules/picomatch → 2.3.2 (expects 4.0.3)
- node_modules/tinyglobby/node_modules/picomatch → 2.3.2 (expects ^4.0.3)
- node_modules/@parcel/watcher/node_modules/picomatch → 2.3.2 (expects ^4.0.3)
The vulnerable dependency was only micromatch's picomatch (^2.3.1). The fix should scope the override to major version 2 only.
| "picomatch": "2.3.2" | |
| "picomatch@2": "2.3.2" |
Good catch — fixed in 62ecb8f. Changed "picomatch" → "picomatch@2" so only the vulnerable 2.x instances (via micromatch) are overridden. Verified that picomatch 4.0.3 is now preserved for vite, vitest, @angular/build, etc. Snyk re-scan still confirms 0 HIGH vulnerabilities.
Addresses Devin Review feedback: the unscoped picomatch override was forcing all picomatch instances (including 4.x used by vite, vitest, @angular/build, etc.) down to 2.3.2. Scoping to picomatch@2 ensures only the vulnerable 2.x instances (via micromatch) are overridden. Snyk re-scan confirms: 0 HIGH severity vulnerabilities remaining. Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>
Summary

Adds npm `overrides` in `package.json` to remediate all HIGH severity vulnerabilities in transitive dependencies (all via `@rx-angular/cdk` → `ng-morph`):
- brace-expansion@1
- brace-expansion@2
- minimatch@3
- minimatch@9
- minimatch@10
- picomatch@2

A `package-lock.json` was generated via `npm install --legacy-peer-deps` to resolve the overrides.

Updates since last revision

- … (`minimatch@9: 9.0.6`, `minimatch@10: 10.2.1`) were themselves vulnerable to two additional CVEs (CVE-2026-27904, CVE-2026-27903). Updated to `9.0.7` and `10.2.3` respectively.
- …@2: The previous unscoped `"picomatch": "2.3.2"` override was downgrading picomatch 4.x to 2.x for all consumers (vite, vitest, @angular/build, @angular-devkit/core, tinyglobby, @parcel/watcher). Changed to `"picomatch@2": "2.3.2"` so only the vulnerable 2.x instances (via micromatch) are overridden. Verified that picomatch 4.0.3 is preserved for build toolchain packages.
- `snyk test` confirms 0 HIGH severity vulnerabilities remaining. Only 1 LOW severity issue remains (`@angular/compiler` XSS, unrelated).

Review & Testing Checklist for Human

- … (`bun.lock` + `"setup": "bun install"`). The new `package-lock.json` creates a second lockfile. Verify that CI and contributors won't be confused by competing lockfiles, and note that npm overrides do not apply when using `bun install`.
- `--legacy-peer-deps` was required: Peer dependency conflicts existed during resolution. Run `npm install` (without `--legacy-peer-deps`) and `ng build` to verify the dependency tree is valid and the app builds cleanly.
- … `npm run build` and `npm run test` to verify nothing is broken by the version changes.

Recommended test plan

- `npm ci && npm run build` — confirm the app compiles with the new lockfile
- `npm run test` — unit tests pass
- `npm run start` — app serves without runtime errors
- `snyk test` — re-verify 0 HIGH vulnerabilities (already confirmed by automated re-scan but worth a manual check)

Notes

- … (`"minimatch@3": "3.1.3"`, `"picomatch@2": "2.3.2"`) which is safe — they stay within semver range and do not affect unrelated major versions.
- … `@rx-angular/cdk` or `ng-morph` upstream to pull in fixed transitive versions, avoiding overrides entirely.

Link to Devin session: https://app.devin.ai/sessions/93ff86a08bb44f80aae6541f4147a54d
Requested by: @SachetCognition
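The review comment above and the "Updates since last revision" section both turn on the same check: an npm override key without a major selector applies to every instance of that package in the tree. The script below is an added example (not part of this PR or the Devin tooling) that audits an `overrides` map against lockfile-style package entries and reports consumers whose declared major would be flipped by the pin. The lock data is constructed to mirror the picomatch case (micromatch wants ^2.3.1, vite and @angular/build want 4.x); only bare-major selectors such as `picomatch@2` are understood.

```javascript
// Constructed lockfile fragment (package-lock v3 shape, trimmed to what the audit reads).
const lock = {
  packages: {
    "node_modules/micromatch": { version: "4.0.5", dependencies: { picomatch: "^2.3.1" } },
    "node_modules/vite": { version: "5.4.0", dependencies: { picomatch: "^4.0.3" } },
    "node_modules/@angular/build": { version: "19.0.0", dependencies: { picomatch: "4.0.3" } },
    "node_modules/glob": { version: "10.4.0", dependencies: { minimatch: "^9.0.0" } },
  },
};

// First numeric component of a version or range: "^2.3.1" -> 2, "4.0.3" -> 4, "2" -> 2.
function firstMajor(spec) {
  const m = /^\D*(\d+)/.exec(spec);
  return m ? Number(m[1]) : null;
}

// Split an override key into package name and optional major selector.
// "picomatch@2" -> { name: "picomatch", major: 2 }; "picomatch" -> major null (unscoped).
// A leading "@" is a scope (e.g. "@angular/build"), not a selector.
function parseOverrideKey(key) {
  const at = key.lastIndexOf("@");
  if (at <= 0) return { name: key, major: null };
  return { name: key.slice(0, at), major: firstMajor(key.slice(at + 1)) };
}

// For each override, list consumers the key would match whose declared major differs
// from the pinned major. An empty result means no consumer is moved across a major.
function auditOverrides(overrides, lockfile) {
  const findings = [];
  for (const [key, pinned] of Object.entries(overrides)) {
    const { name, major: selector } = parseOverrideKey(key);
    for (const [path, pkg] of Object.entries(lockfile.packages)) {
      const wants = pkg.dependencies && pkg.dependencies[name];
      if (!wants) continue;
      const wantMajor = firstMajor(wants);
      // A scoped key only touches consumers whose declared major matches the selector.
      if (selector !== null && wantMajor !== selector) continue;
      if (wantMajor !== firstMajor(pinned)) {
        findings.push({ consumer: path.replace(/^node_modules\//, ""), dep: name, wants, pinned });
      }
    }
  }
  return findings;
}

// Unscoped key: flags vite and @angular/build. Scoped key: clean.
console.log(auditOverrides({ picomatch: "2.3.2" }, lock));
console.log(auditOverrides({ "picomatch@2": "2.3.2" }, lock));
```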