fix: upgrade minimatch to ^10.2.1 to resolve ReDoS vulnerability

sjsyrek · claude · sjsyrek · commit 6de257978faf · 2026-02-19T10:54:41.000+01:00
Fixes GHSA-3ppc-4f35-3m26: minimatch <10.2.1 is vulnerable to ReDoS via repeated wildcards with non-matching literal in pattern. This was a production dependency causing the npm audit CI job to fail. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Security
+- Updated `minimatch` from `^9.0.5` to `^10.2.1` to fix ReDoS vulnerability (GHSA-3ppc-4f35-3m26)
+
 ## [1.0.0] - 2026-02-17
 
 ### Added
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -70,7 +70,7 @@
     "fast-glob": "^3.3.3",
     "form-data": "^4.0.4",
     "inquirer": "^13.0.0",
-    "minimatch": "^9.0.5",
+    "minimatch": "^10.2.1",
     "ora": "^9.0.0",
     "p-limit": "^7.0.0",
     "ws": "^8.19.0",
