From da773058d76e68105ce28240ae53f0a84d61de51 Mon Sep 17 00:00:00 2001
From: Antonis Lilis
Date: Thu, 26 Mar 2026 15:13:26 +0100
Subject: [PATCH] chore(deps): bump picomatch to fix ReDoS and method injection vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Uses scoped yarn resolutions to patch picomatch:
- 3.x: 3.0.1 → 3.0.2 (fixes alerts #470, #471)
- 4.x: 4.0.3 → 4.0.4 (fixes alerts #474, #475)
All dev-only dependencies.
https://github.com/getsentry/sentry-react-native/security/dependabot/470
https://github.com/getsentry/sentry-react-native/security/dependabot/471
https://github.com/getsentry/sentry-react-native/security/dependabot/474
https://github.com/getsentry/sentry-react-native/security/dependabot/475
Co-Authored-By: Claude Opus 4.6
---
 package.json | 7 ++++++-
 yarn.lock | 16 ++++++++--------
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/package.json b/package.json
index 5943099188..08ff4b77ff 100644
--- a/package.json
+++ b/package.json
@@ -122,7 +122,12 @@
 "on-headers": "^1.1.0",
 "diff": "^5.2.2",
 "tar": "^7.5.11",
- "tmp": "^0.2.4"
+ "tmp": "^0.2.4",
+ "@expo/cli@npm:0.24.11/picomatch": "^3.0.2",
+ "@expo/cli@npm:55.0.15/picomatch": "^4.0.4",
+ "@expo/metro-config@npm:55.0.9/picomatch": "^4.0.4",
+ "npm-run-all2@npm:8.0.4/picomatch": "^4.0.4",
+ "tinyglobby@npm:0.2.15/picomatch": "^4.0.4"
 },
 "version": "0.0.0",
 "name": "sentry-react-native",
diff --git a/yarn.lock b/yarn.lock
index 587b933930..ffbda0f1ef 100644
--- a/yarn.lock
+++ b/yarn.lock
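Review bot: The five overrides added in the package.json hunk are keyed to exact parent versions (`@expo/cli@npm:0.24.11/picomatch`, `tinyglobby@npm:0.2.15/picomatch`, and the other three), so they presumably stop matching as soon as any of those parents is upgraded. From then on the patched floor depends only on how the lockfile happens to be regenerated, and the stale keys remain as dead configuration. Consider keying the override on the requested range instead, for example `"picomatch@npm:^4.0.3": "^4.0.4"`, after verifying that the Yarn version in use honours descriptor keys. Either way, checking `yarn why picomatch` in CI would confirm that no 3.x below 3.0.2 or 4.x below 4.0.4 is still resolved. The enclosing object (the `resolutions` map, per the commit message) starts outside the hunk.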
@@ -28252,17 +28252,17 @@ __metadata: languageName: node linkType: hard -"picomatch@npm:^3.0.1": - version: 3.0.1 - resolution: "picomatch@npm:3.0.1" - checksum: b7fe18174bcc05bbf0ea09cc85623ae395676b3e6bc25636d4c20db79a948586237e429905453bf1ba385bc7a7aa5b56f1b351680e650d2b5c305ceb98dfc914 +"picomatch@npm:^3.0.2": + version: 3.0.2 + resolution: "picomatch@npm:3.0.2" + checksum: 6804ba293d0158709880ff3ffbf4504d8768cac4a2dfb070bbc81f9cfa4a866acc9eada8cb4e219d0121f45c3af6f9543c6f0fa770e8fc9523cea87f14b3d741 languageName: node linkType: hard -"picomatch@npm:^4.0.2, picomatch@npm:^4.0.3": - version: 4.0.3 - resolution: "picomatch@npm:4.0.3" - checksum: 6817fb74eb745a71445debe1029768de55fd59a42b75606f478ee1d0dc1aa6e78b711d041a7c9d5550e042642029b7f373dc1a43b224c4b7f12d23436735dba0 +"picomatch@npm:^4.0.4": + version: 4.0.4 + resolution: "picomatch@npm:4.0.4" + checksum: 76b387b5157951422fa6049a96bdd1695e39dd126cd99df34d343638dc5cdb8bcdc83fff288c23eddcf7c26657c35e3173d4d5f488c4f28b889b314472e0a662 languageName: node linkType: hard