
fix(deps): picomatch — GHSA-3v7f-55p6-f55p (medium) #4102

Open
kemister85 wants to merge 2 commits into main from dependabot-autopilot/alert-75

Conversation

@kemister85
Contributor

⚠️ Generated by dependabot-autopilot — human review required before merge. Do not auto-merge.

What was run

This branch was produced by dependabot-autopilot, an autonomous agent that:

  1. Cloned the repo from main
  2. Analysed the Dependabot advisory and the project's manifest
  3. Edited package.json with the minimal change to resolve the vulnerability (the agent has no shell / no network access — it can only read and edit files in the workspace)
  4. Re-ran yarn install so the lockfile reflects the fix
  5. Ran the full validation suite below and only pushed the branch once validation completed
  6. Opened this PR for human review — it will never be auto-merged by the tool

Advisory

  • Alert: test #75
  • Advisory: GHSA-3v7f-55p6-f55p
  • Package: picomatch
  • Severity: medium
  • Vulnerable range: < 2.3.2
  • Patched in: 2.3.2
  • Summary: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching

Agent summary

Perfect! The fix has been applied successfully.

Summary

I've successfully fixed Dependabot alert #75 by adding a resolutions field to package.json that forces all transitive dependencies to use picomatch version ^2.3.2 or later (the first patched version). The vulnerable picomatch 2.3.1 was being pulled in as a transitive dependency through anymatch, micromatch, and readdirp packages. Since picomatch was not a direct dependency, using Yarn's resolutions feature is the correct approach to ensure all instances of picomatch across the dependency tree are upgraded to the patched version 2.3.2+, which fixes the POSIX character class method injection vulnerability (GHSA-3v7f-55p6-f55p).

Validation results

| Stage | Result | Duration | Notes |
|---|---|---|---|
| yarn install (regenerates lockfile) | ✅ pass | 42.4s | Ensures the dependency change actually takes effect |
| yarn build:production (Antora build) | ✅ pass | 45.0s | Full site build must succeed |
| Playwright smoke (/ + dynamically discovered internal link) | ✅ pass | 4.1s | Real Chromium, HTTP 200 + rendered content |

All validation stages passed on the patched code. This is still a draft-level change — please review the diff and advisory link before merging.

Visual evidence: 2 Playwright screenshots were captured during the smoke test. They are visible on the autopilot dashboard at the run detail page.

Validation log (tail)
=== stage: yarn install ===
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 42.19s.


=== stage: yarn build:production ===
te: version"}
{"level":"warn","time":1776852945307,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-jwt-authentication-intro.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: apikey"}
{"level":"warn","time":1776852945321,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776852945322,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776852945322,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776852945322,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776852945323,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776852945323,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
Done in 44.87s.


=== stage: playwright smoke ===
GET http://127.0.0.1:4000/ → 200 — "TinyMCE 8 Documentation | TinyMCE Documentation"
  screenshot: /runs/90/screenshot/01-root.png
  deep page: /tinymce/latest/
GET http://127.0.0.1:4000/tinymce/latest/ → 200 — "TinyMCE 8 Documentation | TinyMCE Documentation"
  screenshot: /runs/90/screenshot/02-deep.png
Diff summary
commit 184f76b18474859c4691e22a18000e38b4ac775b
Author: dependabot-autopilot <dependabot-autopilot@users.noreply.github.com>
Date:   Wed Apr 22 10:16:04 2026 +0000

    chore(deps): regenerate yarn.lock

 yarn.lock | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)


Do not auto-merge this PR. Every change here must be reviewed by a human.
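A reviewer-side check for the resolutions approach described in the agent summary, added here as an example that is not part of this PR or of the dependabot-autopilot tool. It parses a Yarn v1 lockfile, reports every entry for a package that still resolves below the patched version, and confirms that the `resolutions` field in package.json actually pins at or above that version. The lockfile and package.json excerpts are constructed samples (the anymatch entry and the two picomatch blocks are illustrative, not copied from the repository), and `parseYarnLock`, `findVulnerable`, `resolutionCovers` and `compareVersions` are names chosen for this example.

```javascript
// Added example: verify that a Yarn v1 lockfile no longer resolves a
// vulnerable version of a transitive dependency after a `resolutions` fix.
const PATCHED = '2.3.2'; // first patched picomatch version per the advisory

// Constructed package.json fragment showing the resolutions override.
const packageJson = {
  name: 'sample-docs-site',
  devDependencies: { chokidar: '^3.5.3' },
  resolutions: { picomatch: '^2.3.2' },
};

// Constructed yarn.lock (v1 format) excerpt as the tree looked before the fix:
// anymatch still pulls picomatch "^2.0.4", which resolves to 2.3.1.
const lockBefore = `
anymatch@~3.1.2:
  version "3.1.3"
  resolved "https://registry.yarnpkg.com/anymatch/-/anymatch-3.1.3.tgz"
  dependencies:
    normalize-path "^3.0.0"
    picomatch "^2.0.4"

picomatch@^2.0.4, picomatch@^2.2.1:
  version "2.3.1"
  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz"
`;

// Constructed excerpt of what the regenerated lockfile should contain.
const lockAfter = `
anymatch@~3.1.2:
  version "3.1.3"
  dependencies:
    normalize-path "^3.0.0"
    picomatch "^2.0.4"

picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.3.2:
  version "2.3.2"
  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.2.tgz"
`;

// Parse a yarn.lock v1 file into entries of { specs: [...], version }.
// Header lines are unindented "name@range, name@range:"; the resolved
// version is the 2-space-indented `version "x.y.z"` line that follows.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      const specs = raw
        .replace(/:\s*$/, '')
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s{2}version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Package name from a spec such as "picomatch@^2.0.4" or "@scope/name@^1.0.0".
function specName(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? spec.slice(0, at) : spec;
}

// Minimal numeric semver comparison: major.minor.patch only, prerelease
// tags ignored (an assumption adequate for registry releases like 2.3.x).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile entry for `pkg` whose resolved version is below `patched`.
function findVulnerable(lockText, pkg, patched) {
  return parseYarnLock(lockText)
    .filter((e) => e.specs.some((s) => specName(s) === pkg))
    .filter((e) => e.version && compareVersions(e.version, patched) < 0)
    .map((e) => ({ specs: e.specs, version: e.version }));
}

// True when package.json's resolutions pin `pkg` at or above `patched`.
// Only plain exact, ^ or ~ ranges are handled (assumption for this example).
function resolutionCovers(pkgJson, pkg, patched) {
  const range = pkgJson.resolutions && pkgJson.resolutions[pkg];
  if (!range) return false;
  const floor = range.replace(/^[\^~]/, '');
  return compareVersions(floor, patched) >= 0;
}

console.log('before fix:', findVulnerable(lockBefore, 'picomatch', PATCHED));
console.log('after fix:', findVulnerable(lockAfter, 'picomatch', PATCHED));
console.log('resolution covers:', resolutionCovers(packageJson, 'picomatch', PATCHED));
```

To run it against the real tree, replace the constructed strings with `fs.readFileSync('yarn.lock', 'utf8')` and `JSON.parse(fs.readFileSync('package.json', 'utf8'))`. Two things a reviewer of this PR would still confirm by hand: that the `^2.3.2` override sits inside the ranges declared by the dependents named in the summary (anymatch, micromatch, readdirp), since `resolutions` silently overrides whatever they asked for, and that no other entry in yarn.lock (for example a pinned exact version) escaped the override. Keeping a check like this in CI also catches a later `yarn install` that drops the resolution and reintroduces the lower version.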

@kemister85 kemister85 added the dependabot-autopilot Autonomously-drafted dependency fix — review required before merge label Apr 22, 2026
@kemister85 kemister85 requested a review from a team as a code owner April 22, 2026 10:16
@kemister85 kemister85 requested a review from Afraithe April 22, 2026 10:16
@kemister85 kemister85 added this to the dependabot-autopilot milestone Apr 22, 2026
