fix(deps): patch picomatch to >= 4.0.4 (CVE-2026-33671)

[tobyhede]

Summary

Patches picomatch ReDoS vulnerability via pnpm overrides:

• CIP-2936 (High): picomatch 4.0.2/4.0.3 → >=4.0.4, <2.3.2 → >=2.3.2 — CVE-2026-33671

Changes

• Added pnpm overrides for picomatch@^4 (>=4.0.4) and picomatch@^2 (>=2.3.2)
• Regenerated pnpm-lock.yaml

Test plan

• pnpm why picomatch shows 4.0.4, no 4.0.2 or 4.0.3
• CI passes

Refs: CIP-2936

Summary by CodeRabbit

• Chores
  • Updated package dependency override configurations to enforce minimum version constraints.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0afbc46

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 18aa89ae-5b55-465e-9d48-81fbe5e852ae

📥 Commits

Reviewing files that changed from the base of the PR and between 93ea280 and 0afbc46.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

---

📝 Walkthrough

Walkthrough

Updated pnpm.overrides configuration in package.json to add version constraints for picomatch, specifying minimum versions >=4.0.4 for picomatch@^4 and >=2.3.2 for picomatch@^2. No other dependencies or package configuration modified.

Changes

Cohort / File(s)	Summary
Dependency Overrides package.json	Added two pnpm.overrides entries for picomatch with minimum version constraints to ensure stable versions across different major version ranges.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

• coderdan
• yujiyokoo

Poem

🐰 Hops with glee, a version tale I share,
Picomatch pinned with utmost care,
Four-point-oh-four, two-point-three align,
Dependencies bundled, so perfectly fine! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: patching picomatch dependencies to fix a specific CVE vulnerability. It is concise, clear, and directly reflects the changeset's primary purpose.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cip-2936-picomatch-patch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}