Update transitive dependency picomatch from 2.3.1 to 2.3.2 across all affected lockfiles to resolve CVE-2026-33672 (method injection in POSIX character classes causing incorrect glob matching).

Resolves #893

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Code Review: fix(deps): update picomatch (medium)
This PR correctly patches GHSA-3v7f-55p6-f55p by bumping picomatch from 2.3.1 → 2.3.2 across all affected lockfiles.
What looks correct
- All 4 lockfiles update `node_modules/picomatch` to 2.3.2.
- The semver ranges (`^2.3.1`) in dependents already allow 2.3.2 — no manifest change needed.
- The resolved URL and integrity hash (`sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==`) are consistent across all 4 lockfiles.
- No source files or manifests (`package.json`) were modified. `src/gen/` is untouched.
- The `examples/react-native` lockfile was already at picomatch 2.3.2 and was correctly left alone.
Incidental lockfile drift (not a blocker)
The example lockfiles were fully regenerated rather than surgically patched (which is normal npm install behavior). This pulled in two additional changes not mentioned in the PR description:
- SDK version references in example lockfiles updated from stale values (0.66.1 / 0.68.1) to the current release (0.68.2). This is correct — the lockfiles were behind.
- `flatted ^3.4.2` appears in the `devDependencies` metadata block for the parent package in the `examples/node` and `examples/teleop-react` lockfiles. Confirmed that `flatted` was already added to the root `package.json` (line 80), so this is the lockfiles catching up to the current manifest.
These changes are all correct and benign — they reflect the true current state of the package. The PR description could be more precise ("lockfile regeneration picked up additional drift"), but this is documentation-only and not a code issue.
Verdict
The security fix is correct and complete. No issues requiring changes.
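The checks the review lists (every lockfile's picomatch entry at 2.3.2, one resolved URL and integrity hash everywhere, dependents' semver ranges still admitting the fix) are mechanical enough to script. The following Python is an added example and is not part of this pull request or of the project; the lockfile contents below are constructed in npm's lockfileVersion 3 layout, the package names `micromatch` and `some-tool` are invented, and the only value taken from the page is the 2.3.2 integrity string. It goes slightly beyond the review's own checks by walking nested duplicate copies of a package (`node_modules/a/node_modules/picomatch`), which an inspection of the hoisted `node_modules/picomatch` entry alone would miss.

```python
"""Audit npm lockfiles for a transitive dependency bump (added example)."""
import json
from typing import Dict, Iterator, List, Tuple

PKG = "picomatch"
FIXED = "2.3.2"
# Integrity string for picomatch 2.3.2 as quoted in the review comment.
EXPECTED_INTEGRITY = ("sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/"
                      "KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.2' -> (2, 3, 2); prerelease and build tags are not handled."""
    return tuple(int(p) for p in v.split("."))


def caret_allows(spec: str, version: str) -> bool:
    """'^x.y.z' (x >= 1) admits >= x.y.z with the same major; anything else is treated as an exact pin."""
    if spec.startswith("^"):
        low, got = parse_version(spec[1:]), parse_version(version)
        return got >= low and got[0] == low[0]
    return parse_version(spec) == parse_version(version)


def package_entries(lock: dict, pkg: str) -> Iterator[Tuple[str, dict]]:
    """Yield (install path, entry) for every copy of pkg, hoisted or nested."""
    suffix = f"node_modules/{pkg}"
    # lockfileVersion 2/3: flat 'packages' map keyed by install path, so a nested
    # duplicate is its own key and must be checked on its own.
    for path, entry in lock.get("packages", {}).items():
        if path == suffix or path.endswith("/" + suffix):
            yield path, entry

    # lockfileVersion 1: copies are nested under 'dependencies'; walk the tree.
    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, dict]]:
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == pkg:
                yield path, entry
            yield from walk(entry.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        yield from walk(lock.get("dependencies", {}), "")


def dependents_ranges(lock: dict, pkg: str) -> Iterator[Tuple[str, str]]:
    """Yield (dependent path, declared range) for every package that depends on pkg."""
    for path, entry in lock.get("packages", {}).items():
        for field in ("dependencies", "devDependencies", "optionalDependencies"):
            spec = entry.get(field, {}).get(pkg)
            if spec is not None:
                yield path or "<root>", spec


def audit(lockfiles: Dict[str, dict], pkg: str = PKG, fixed: str = FIXED,
          integrity: str = EXPECTED_INTEGRITY) -> List[str]:
    """Return findings; an empty list means the bump is complete and consistent."""
    findings: List[str] = []
    for name, lock in lockfiles.items():
        for path, entry in package_entries(lock, pkg):
            if parse_version(entry["version"]) < parse_version(fixed):
                findings.append(f"{name}: {path} is {entry['version']} (< {fixed})")
            elif entry["version"] == fixed and entry.get("integrity") != integrity:
                findings.append(f"{name}: {path} integrity differs from expected {fixed} hash")
        for dep_path, spec in dependents_ranges(lock, pkg):
            if not caret_allows(spec, fixed):
                findings.append(f"{name}: {dep_path} pins {pkg}@{spec}, which excludes "
                                f"{fixed}; manifest change needed")
    return findings


# Constructed sample lockfiles (shapes follow lockfileVersion 3; contents are invented).
SAMPLE: Dict[str, dict] = {
    "package-lock.json": {"lockfileVersion": 3, "packages": {
        "": {"name": "root", "dependencies": {"micromatch": "^4.0.0"}},
        "node_modules/micromatch": {"version": "4.0.5", "dependencies": {"picomatch": "^2.3.1"}},
        "node_modules/picomatch": {"version": "2.3.2", "integrity": EXPECTED_INTEGRITY},
    }},
    "examples/node/package-lock.json": {"lockfileVersion": 3, "packages": {
        "": {"name": "example-node"},
        "node_modules/picomatch": {"version": "2.3.2", "integrity": EXPECTED_INTEGRITY},
        # A nested duplicate left behind at the vulnerable version, pinned exactly.
        "node_modules/some-tool/node_modules/picomatch": {"version": "2.3.1",
                                                          "integrity": "sha512-OLD-PLACEHOLDER"},
        "node_modules/some-tool": {"version": "1.0.0", "dependencies": {"picomatch": "2.3.1"}},
    }},
}

if __name__ == "__main__":
    # On a real checkout, replace SAMPLE with {path: json.load(open(path)) for path in lockfile_paths}.
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

The root lockfile passes cleanly; the example lockfile produces two findings, one for the nested copy still at 2.3.1 and one for the exact pin that would keep `npm install` from resolving 2.3.2 for that dependent, which is exactly the case in which a manifest change (rather than a lockfile regeneration) would be required.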
Summary
- `picomatch` from 2.3.1 to 2.3.2 to resolve GHSA-3v7f-55p6-f55p (CVE-2026-33672, medium severity)
- `picomatch` is a transitive dependency and existing semver ranges already allow 2.3.2

Lockfiles modified
- package-lock.json
- examples/connect-app-teleop-react/package-lock.json
- examples/node/package-lock.json
- examples/teleop-react/package-lock.json

Advisories resolved
Unresolved alerts
None — all alerts resolved.
Resolves #893
🤖 Generated with Claude Code