This is an automated email from the ASF dual-hosted git repository.
thiagoelg pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-kie-tools.git
The following commit(s) were added to refs/heads/main by this push:
new faecc6cf9ed NO-ISSUE: update picomatch versions to address
CVE-2026-33671 and CVE-2026-3367 (#3611)
faecc6cf9ed is described below
commit faecc6cf9edf98c76d1d3ce3c74b7e7b5b3d41b8
Author: Adarsh vk <[email protected]>
AuthorDate: Tue Jun 9 21:47:13 2026 +0530
NO-ISSUE: update picomatch versions to address CVE-2026-33671 and
CVE-2026-3367 (#3611)
---
pnpm-lock.yaml | 42 ++++++++++++++++++++++--------------------
pnpm-workspace.yaml | 3 +++
2 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a56a7decdb3..61818fcca0f 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -25,6 +25,8 @@ overrides:
minimatch@^4: 5.1.9
undici: ^6.24.0
uuid: ^11.1.1
+ picomatch@3: 3.0.2
+ picomatch@4: 4.0.4
packageExtensionsChecksum: sha256-oxPwESKKSHRelJQnCQTHzgtG1xkcQOHjfgjFdIfqMfg=
@@ -17131,7 +17133,7 @@ packages:
resolution: {integrity:
sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
engines: {node: '>=12.0.0'}
peerDependencies:
- picomatch: ^3 || ^4
+ picomatch: 3.0.2
peerDependenciesMeta:
picomatch:
optional: true
@@ -20355,12 +20357,12 @@ packages:
resolution: {integrity:
sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==}
engines: {node: '>=8.6'}
- [email protected]:
- resolution: {integrity:
sha512-I3EurrIQMlRc9IaAZnqRR044Phh2DXY+55o7uJ0V+hYZAcQYSuFWsc9q5PvyDHUSCe1Qxn/iBz+78s86zWnGag==}
+ [email protected]:
+ resolution: {integrity:
sha512-cfDHL6LStTEKlNilboNtobT/kEa30PtAf2Q1OgszfrG/rpVl1xaFWT9ktfkS306GmHgmnad1Sw4wabhlvFtsTw==}
engines: {node: '>=10'}
- [email protected]:
- resolution: {integrity:
sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==}
+ [email protected]:
+ resolution: {integrity:
sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
engines: {node: '>=12'}
[email protected]:
@@ -23889,7 +23891,7 @@ snapshots:
mini-css-extract-plugin:
2.9.4([email protected](@swc/[email protected])([email protected])([email protected]))
open: 10.2.0
ora: 8.2.0
- picomatch: 4.0.3
+ picomatch: 4.0.4
piscina: 5.1.3
postcss: 8.5.6
postcss-loader:
8.1.1([email protected])([email protected])([email protected](@swc/[email protected])([email protected])([email protected]))
@@ -23960,7 +23962,7 @@ snapshots:
ajv: 8.17.1
ajv-formats: 3.0.1([email protected])
jsonc-parser: 3.3.1
- picomatch: 4.0.3
+ picomatch: 4.0.4
rxjs: 7.8.2
source-map: 0.7.6
optionalDependencies:
@@ -23997,7 +23999,7 @@ snapshots:
magic-string: 0.30.17
mrmime: 2.0.1
parse5-html-rewriting-stream: 8.0.0
- picomatch: 4.0.3
+ picomatch: 4.0.4
piscina: 5.1.3
rollup: 4.52.3
sass: 1.90.0
@@ -27611,7 +27613,7 @@ snapshots:
detect-libc: 2.1.2
is-glob: 4.0.3
node-addon-api: 7.1.1
- picomatch: 4.0.3
+ picomatch: 4.0.4
optionalDependencies:
'@parcel/watcher-android-arm64': 2.5.6
'@parcel/watcher-darwin-arm64': 2.5.6
@@ -35764,9 +35766,9 @@ snapshots:
dependencies:
pend: 1.2.0
- [email protected]([email protected]):
+ [email protected]([email protected]):
optionalDependencies:
- picomatch: 4.0.3
+ picomatch: 4.0.4
[email protected]: {}
@@ -39648,9 +39650,9 @@ snapshots:
[email protected]: {}
- [email protected]: {}
+ [email protected]: {}
- [email protected]: {}
+ [email protected]: {}
[email protected]: {}
@@ -39984,7 +39986,7 @@ snapshots:
ignore: 5.3.1
mri: 1.2.0
picocolors: 1.1.1
- picomatch: 3.0.1
+ picomatch: 3.0.2
prettier: 3.3.2
tslib: 2.8.1
@@ -42203,13 +42205,13 @@ snapshots:
[email protected]:
dependencies:
- fdir: 6.5.0([email protected])
- picomatch: 4.0.3
+ fdir: 6.5.0([email protected])
+ picomatch: 4.0.4
[email protected]:
dependencies:
- fdir: 6.5.0([email protected])
- picomatch: 4.0.3
+ fdir: 6.5.0([email protected])
+ picomatch: 4.0.4
[email protected]:
dependencies:
@@ -42988,8 +42990,8 @@ snapshots:
[email protected](@types/[email protected])([email protected])([email protected])([email protected])([email protected])([email protected]):
dependencies:
esbuild: 0.25.9
- fdir: 6.5.0([email protected])
- picomatch: 4.0.3
+ fdir: 6.5.0([email protected])
+ picomatch: 4.0.4
postcss: 8.5.6
rollup: 4.57.1
tinyglobby: 0.2.15
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index c4aaf9e33fa..4c9a6b4a92f 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -29,3 +29,6 @@ overrides:
# CVE-2026-41907: Fix security vulnerability in uuid
# Transitive dependencies ([email protected], [email protected]) still use
[email protected]
"uuid": "^11.1.1"
+ # CVE-2026-33671 (High) / CVE-2026-33672 (Medium): picomatch POSIX bracket
method injection and ReDoS.
+ "picomatch@3": "3.0.2"
+ "picomatch@4": "4.0.4"
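Review bot: The `"picomatch@3": "3.0.2"` selector appears to match more than the 3.x consumers: in the pnpm-lock.yaml hunk at -17131 the peer range `picomatch: ^3 || ^4` is rewritten to `picomatch: 3.0.2`, while the snapshots hunk at -35764 resolves what looks like the same package's optional picomatch dependency to 4.0.4. That would leave a declared peer requirement the installed version does not satisfy, so it is worth confirming that an install with strict peer-dependency checking is still clean. Both new entries are also exact pins, unlike `"uuid": "^11.1.1"` just above, so a later picomatch security release will not be picked up without another manual edit. `"picomatch@3": "^3.0.2"` and `"picomatch@4": "^4.0.4"` would keep the patched floor while the lockfile still fixes the resolved version. The added comment names CVE-2026-33672 but the commit title says CVE-2026-3367, so one of the two identifiers should be corrected.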