Bump picomatch from 2.3.1 to 2.3.2 in /scripts #1065
dependabot[bot] wants to merge 1 commit into main from
Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Slinky Test Report. Last Run: 2026-03-25 22:35:43 CST (Duration: 39.009s)
Failures by URL
LGTM — straightforward Dependabot security bump with correct version, integrity hash, and license field.
Extended reasoning...
Overview
This PR modifies a single file (scripts/package-lock.json), bumping picomatch from 2.3.1 to 2.3.2. The diff is minimal: version string, resolved URL, integrity hash, and an added license field — all mechanically generated by Dependabot.
Security risks
The update addresses CVE-2026-33671 and CVE-2026-33672 in picomatch. The only flagged issue is a pre-existing condition where the root package-lock.json still pins picomatch 2.3.1; this is outside the scope of this PR and requires a separate Dependabot PR for the root package. No new security risks are introduced.
Level of scrutiny
This is a Dependabot-generated lockfile update scoped to a subdirectory (/scripts). No logic changes, no API surface changes, no new dependencies. The correct level of scrutiny is low — this is a routine security patch on a dev dependency.
Other factors
No prior reviews exist on this PR. The one bug flagged is explicitly pre-existing and unrelated to the changes here. The PR is correct within its stated scope and safe to merge.
| } | ||
| }, | ||
| "node_modules/picomatch": { | ||
| "version": "2.3.1", | ||
| "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", | ||
| "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", | ||
| "version": "2.3.2", | ||
| "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", | ||
| "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", | ||
| "dev": true, | ||
| "license": "MIT", | ||
| "engines": { | ||
| "node": ">=8.6" | ||
| }, |
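Review bot: the rendered hunk has lost its +/- markers, so before merging confirm the direction of the change from the two version pairs: the lines `"version": "2.3.1"` and the integrity value beginning `sha512-JU3teHTNjmE2` are the removals, and `"version": "2.3.2"` with the integrity value beginning `sha512-V7+vQEJ06Z+c` are the additions. The new integrity string should be cross-checked against the registry (`npm view picomatch@2.3.2 dist.integrity`) rather than trusted from the diff alone, since the lockfile hash is what `npm ci` enforces at install time. The retained `"dev": true` shows picomatch stays a dev-only transitive dependency of /scripts, and the added `"license": "MIT"` is lockfile metadata with no install-time effect; neither needs further review.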
🟣 This is a pre-existing issue: the root-level package-lock.json (at the repo root, not in /scripts) still locks node_modules/picomatch to the vulnerable version 2.3.1 (integrity sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==). This PR is correct for its stated scope (/scripts), but a separate Dependabot PR or manual update is needed to bump picomatch in the root package-lock.json and fully remediate CVE-2026-33671 and CVE-2026-33672 across the entire repo.
Extended reasoning...
Analysis
This PR correctly updates scripts/package-lock.json to resolve picomatch from 2.3.2 instead of the vulnerable 2.3.1. Dependabot scopes its PRs per package directory, so this PR only touches /scripts/package-lock.json, which is expected behavior.
However, the repo has a second, independent package-lock.json at the repository root (/package-lock.json). Examination of that file confirms node_modules/picomatch is still pinned to version 2.3.1 with the vulnerable integrity hash sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==.
Why existing code does not prevent this
Dependabot treats each package.json/package-lock.json pair in its own directory as an independent project. This PR was generated specifically for the /scripts subdirectory. The root-level lockfile is a separate project that requires its own Dependabot alert and PR. Nothing in this PR modifies or revalidates the root lockfile.
Impact
Any developer (or CI pipeline) running npm ci or npm install from the repository root will continue to install the vulnerable picomatch 2.3.1. Both CVE-2026-33671 and CVE-2026-33672 remain exploitable in the root project. Merging this PR alone may create a false sense that the CVEs are fully remediated when they are not.
Step-by-step proof
- Developer clones the repo after this PR merges.
- They run npm ci from the repo root (not from /scripts).
- npm reads /package-lock.json, which specifies node_modules/picomatch at version 2.3.1 with the old integrity hash.
- npm downloads and installs picomatch 2.3.1, the version vulnerable to CVE-2026-33671 and CVE-2026-33672.
- The /scripts subdirectory lockfile is unaffected by this root-level install.
Pre-existing classification
This issue is pre-existing and entirely unrelated to the changes in this PR. The PR does not introduce, worsen, or interact with the root lockfile in any way. A separate Dependabot PR targeting the root package.json (or a manual npm update picomatch from the root followed by committing the updated package-lock.json) is the correct remediation path. One verifier noted bug_002 is a duplicate of bug_001 tracking the same issue, which is correct—they both describe the same missing root-level fix.
Bumps picomatch from 2.3.1 to 2.3.2.
Release notes
Sourced from picomatch's releases.
Changelog
Sourced from picomatch's changelog.
... (truncated)
Commits
- 81cba8d Publish 2.3.2
- fc1f6b6 Merge commit from fork
- eec17ae Merge commit from fork
- 78f8ca4 Merge pull request #156 from micromatch/backport-144
- 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.