fix: upgrade picomatch to 4.0.4, 3.0.2, 2.3.2 (CVE-2026-33671) #114940
orbisai0security wants to merge 1 commit into getsentry:master from
Conversation
Automated dependency upgrade by Orbis Security AI
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 802e509.
| "json-diff": "^0.7.1", | ||
| "json-refs": "^3.0.15", | ||
| "openapi-examples-validator": "^6.0.2", | ||
| "picomatch": "2.3.2", |
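Review bot: the added line pins picomatch to an exact "2.3.2" under dependencies, while the neighbouring entries use caret ranges and, per the Bugbot comment above, nothing in api-docs imports picomatch directly; if the intent is to force the version that anymatch and micromatch resolve, a pnpm.overrides entry (the pattern the package already uses for lodash and form-data) states that intent, and pnpm-lock.yaml should be regenerated so the override is reflected there. The PR title also names 4.0.4 and 3.0.2, but this hunk only introduces 2.3.2; the description should say which resolved versions the lockfile actually changes.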
Phantom direct dependency instead of pnpm override
Low Severity
picomatch is added as a direct production dependency, but no source file in api-docs actually imports or requires it — it's only a transitive dependency of anymatch and micromatch. The project already has a pnpm.overrides section used for exactly this purpose (e.g., lodash, form-data). Adding it to dependencies instead of pnpm.overrides is misleading and inconsistent with the existing pattern, and risks someone later removing it as "unused."


Summary
Upgrade picomatch from 2.3.1 to 4.0.4, 3.0.2, 2.3.2 to fix CVE-2026-33671.

Vulnerability
CVE-2026-33671 (api-docs/pnpm-lock.yaml)
Description: picomatch: Regular Expression Denial of Service via crafted extglob patterns

Changes
api-docs/package.json
api-docs/pnpm-lock.yaml

Verification
Automated security fix by OrbisAI Security