
fix(deps): patch picomatch ReDoS and handlebars injection vulnerabilities #2950

Merged: marcusrbrown merged 1 commit into main from fix/security-picomatch-redos on Apr 5, 2026

Conversation

fro-bot (Contributor) commented Mar 26, 2026

Summary

Security advisories addressed in this PR:

GHSA-c2c7-rcm5-vvqj (picomatch) — HIGH, CVSS 7.5

ReDoS via extglob quantifiers in picomatch. Two affected versions:

  • picomatch@2.3.1 (transitive via micromatch → fast-glob) → patched to 2.3.2
  • picomatch@4.0.3 (transitive via tinyglobby → fdir) → patched to 4.0.4

GHSA-2w6w-674q-4c4q (handlebars) — CRITICAL, CVSS 9.8

JavaScript injection via AST type confusion. All versions >=4.0.0 <=4.7.8 patched to 4.7.9.

handlebars is a transitive dependency of:

  • @octokit/types
  • conventional-changelog-writer
  • eta
  • highlight.js

Fix

Uses pnpm overrides at the root level to enforce minimum patched versions. This approach is:

  • Minimal: Only adds version constraints, no package version changes
  • Reversible: Single file change to remove
  • Scoped: Targets specific vulnerability ranges only

Testing

  • pnpm validate passes (type-check, lint, test, build, type-coverage)
  • All 3383 tests pass

fro-bot (Contributor, Author) commented Mar 26, 2026

Security Remediation

Advisory: GHSA-c2c7-rcm5-vvqj — picomatch ReDoS via extglob quantifiers (HIGH, CVSS 7.5)

Vulnerable versions present:

  • picomatch@2.3.1 — transitive via micromatch@4.0.8 → fast-glob@3.3.3
  • picomatch@4.0.3 — transitive via tinyglobby@0.2.15 → fdir@6.5.0

Fix: pnpm overrides in root package.json enforce minimum patched versions:

  • picomatch@>=2.3.2 (via micromatch chain)
  • picomatch@>=4.0.4 (via tinyglobby chain)

Verified: pnpm install resolves picomatch@2.3.2 and picomatch@4.0.4. All 3383 tests pass.


Run Summary

  • Event: schedule
  • Repository: bfra-me/works
  • Run ID: 23578827011
  • Session: ses_2d7698573ffeaYluHD4jSnTddD

fro-bot force-pushed the fix/security-picomatch-redos branch from 05b00e3 to b7e8766 on March 28, 2026 05:20
fro-bot changed the title from "fix(deps): patch picomatch ReDoS vulnerability (GHSA-c2c7-rcm5-vvqj)" to "fix(deps): patch picomatch ReDoS and handlebars injection vulnerabilities" on Mar 28, 2026
fro-bot (Contributor, Author) commented Mar 28, 2026

Autoheal Update (2026-03-28)

This PR was updated to include an additional security fix. CI checks re-running on the amended commit.

Additional advisory addressed:

  • GHSA-2w6w-674q-4c4q (handlebars) — CRITICAL, CVSS 9.8: JavaScript injection via AST type confusion (GHSA-2w6w-674q-4c4q). All handlebars versions >=4.0.0 <=4.7.8 are patched to 4.7.9. This is a transitive dependency pulled in by @octokit/types, conventional-changelog-writer, eta, and highlight.js.

Added a pnpm override for handlebars alongside the existing picomatch overrides. Both are security-only fixes — no other dependency changes.

CI validation passes: type-check ✅, lint ✅, test ✅ (3383 passed), build ✅.

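The root-level pnpm override approach described in the two fro-bot comments above (picomatch first, then handlebars), as an added example that is not code from this PR or from the bfra-me/works repository: the `pnpm.overrides` fragment uses pnpm's documented `"name@major": "spec"` selector form (the exact keys and ranges are this example's choice, since the page does not show the PR's diff), and `findVulnerable` scans a `pnpm-lock.yaml` for versions inside the advisory ranges the comments quote. The lockfile text is constructed, and the entry regex assumes the `name@version:` key shape of pnpm lockfile v6/v9 `packages:` entries.

```javascript
// Added example (not code from the bfra-me/works PR). Models the pnpm override
// approach described in the PR and adds a lockfile check to run before and
// after `pnpm install`. Lockfile format details and sample text are assumptions.

// package.json fragment: each affected major is pinned to at least its patched
// release. Keys use pnpm's documented `"name@major"` selector; the spec values
// follow the PR's "minimum patched version" approach.
const OVERRIDES = {
  pnpm: {
    overrides: {
      'picomatch@2': '>=2.3.2',  // GHSA-c2c7-rcm5-vvqj, micromatch -> fast-glob chain
      'picomatch@4': '>=4.0.4',  // GHSA-c2c7-rcm5-vvqj, tinyglobby -> fdir chain
      'handlebars@4': '>=4.7.9', // GHSA-2w6w-674q-4c4q
    },
  },
};

// Parse "x.y.z[-pre]" into [major, minor, patch]; null if not semver-like.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(s);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Strict less-than on [major, minor, patch] tuples.
function lt(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Advisory ranges exactly as the PR states them.
const ADVISORIES = [
  // HIGH, CVSS 7.5: the PR names 2.3.1 (fixed in 2.3.2) and 4.0.3 (fixed in 4.0.4).
  // Majors other than 2 and 4 are not described on the page, so they are not flagged.
  { id: 'GHSA-c2c7-rcm5-vvqj', name: 'picomatch',
    vulnerable: v => (v[0] === 2 && lt(v, [2, 3, 2])) || (v[0] === 4 && lt(v, [4, 0, 4])) },
  // CRITICAL, CVSS 9.8: >=4.0.0 <=4.7.8, fixed in 4.7.9.
  { id: 'GHSA-2w6w-674q-4c4q', name: 'handlebars',
    vulnerable: v => !lt(v, [4, 0, 0]) && !lt([4, 7, 8], v) },
];

// Matches `packages:` entries such as `  picomatch@2.3.1:` (lockfile v9) or
// `  /picomatch@2.3.1:` (v6), including scoped names and peer suffixes like
// `  fdir@6.5.0(picomatch@4.0.3):`; only the leading name@version is captured.
// (Assumed key shape; verify against your own lockfile.)
const ENTRY = /^ {2}\/?(@?[^@\s\/]+(?:\/[^@\s]+)?)@(\d+\.\d+\.\d+[^:(_\s]*)/;

// Returns every distinct name@version in the lockfile that falls inside an
// advisory range: [{ id, package }]. Empty result after `pnpm install` means
// the overrides took effect for the advisories listed.
function findVulnerable(lockfileText) {
  const seen = new Set();
  const findings = [];
  for (const line of lockfileText.split('\n')) {
    const m = ENTRY.exec(line);
    if (!m) continue;
    const [, name, version] = m;
    const key = `${name}@${version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    const v = parseVersion(version);
    if (!v) continue;
    for (const adv of ADVISORIES) {
      if (adv.name === name && adv.vulnerable(v)) findings.push({ id: adv.id, package: key });
    }
  }
  return findings;
}

// Minimal model of pnpm's `"name@major"` selector: returns the override spec
// that applies to name@version, or null. Only this selector form is modelled,
// which is enough to show the "scoped to one major" property the PR relies on.
function matchingOverride(name, version) {
  const v = parseVersion(version);
  for (const [selector, spec] of Object.entries(OVERRIDES.pnpm.overrides)) {
    const at = selector.lastIndexOf('@');
    if (selector.slice(0, at) === name && v && v[0] === Number(selector.slice(at + 1))) return spec;
  }
  return null;
}

// Constructed lockfile excerpt mirroring the tree the PR describes (integrity
// values are placeholders, not real hashes).
const LOCKFILE_BEFORE = `
lockfileVersion: '9.0'

packages:

  fast-glob@3.3.3:
    resolution: {integrity: sha512-constructed}

  fdir@6.5.0(picomatch@4.0.3):
    resolution: {integrity: sha512-constructed}

  handlebars@4.7.8:
    resolution: {integrity: sha512-constructed}

  micromatch@4.0.8:
    resolution: {integrity: sha512-constructed}

  picomatch@2.3.1:
    resolution: {integrity: sha512-constructed}

  picomatch@4.0.3:
    resolution: {integrity: sha512-constructed}

  tinyglobby@0.2.15:
    resolution: {integrity: sha512-constructed}
`;

// What the same excerpt looks like once the overrides are applied.
const LOCKFILE_AFTER = LOCKFILE_BEFORE
  .replace(/picomatch@2\.3\.1/g, 'picomatch@2.3.2')
  .replace(/picomatch@4\.0\.3/g, 'picomatch@4.0.4')
  .replace(/handlebars@4\.7\.8/g, 'handlebars@4.7.9');

console.log('before overrides:', findVulnerable(LOCKFILE_BEFORE));
console.log('after overrides: ', findVulnerable(LOCKFILE_AFTER));
```

Against a real checkout, call `findVulnerable(fs.readFileSync('pnpm-lock.yaml', 'utf8'))` before and after `pnpm install`; `pnpm why picomatch` then shows which dependency chain pulls in each remaining version. Note that `matchingOverride('picomatch', '3.0.0')` returns null: a `picomatch@2` or `picomatch@4` selector leaves other majors untouched, which is the scoping the PR describes, but also means a third affected major would need its own key.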
marcusrbrown (Member) commented:
@fro-bot resolve conflicts and add any other patches if needed

fro-bot force-pushed the fix/security-picomatch-redos branch from b7e8766 to da5a63e on April 5, 2026 06:46
fro-bot (Contributor, Author) commented Apr 5, 2026

Resolved merge conflicts by rebasing onto latest main and regenerating the lock file cleanly.

Changes kept:

Verification:

  • ✅ 3383 tests passed
  • ✅ Type-check passed
  • ✅ Lint passed
  • ✅ Merge conflicts resolved

Note: No additional security patches identified at this time. The pnpm overrides enforce minimum patched versions for the addressed vulnerabilities.


Run Summary

  • Event: issue_comment
  • Repository: bfra-me/works
  • Run ID: 23996142659
  • Cache: miss
  • Session: ses_2a39f9cbaffelLcGDg6piRFmg1

marcusrbrown enabled auto-merge (squash) on April 5, 2026 07:09
marcusrbrown merged commit d20ae50 into main on Apr 5, 2026
12 checks passed
marcusrbrown deleted the fix/security-picomatch-redos branch on April 5, 2026 07:10