Bump picomatch from 2.2.2 to 2.3.2

[dependabot]

Bumps picomatch from 2.2.2 to 2.3.2.

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

2.3.1

Fixed

• Fixes bug when a pattern containing an expression after the closing parenthesis (/!(*.d).{ts,tsx}) was incorrectly converted to regexp (9f241ef).

Changed

• Some documentation improvements (f81d236, 421e0e7).

2.2.3

Fixed

• Do not skip pattern seperator for square brackets (fb08a30).
• Set negatedExtGlob also if it does not span the whole pattern (032e3f5).

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• 5467a5a 2.3.1
• 9f241ef Merge pull request #102 from micromatch/ISSUE-93_incorrect_extglob_expanding
• ac3cb66 fix: support stars in negation extglobs with expression after closing parenth...
• 719d348 Merge pull request #85 from XhmikosR/codeql
• ac74e57 Merge pull request #91 from XhmikosR/patch-1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by danez, a new releaser for picomatch since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dg-appsec-cxone]

Checkmarx One – Scan Summary & Details – fdd4c204-1590-466e-904b-bf56bd616752

---

New Issues (27)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2025-66418	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2025-66471	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2026-0775	Npm-npm-6.14.9	details Recommended version: 10.9.5 Description: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges ... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
4		CVE-2026-21441	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-23745	Npm-tar-4.4.13	details Recommended version: 7.5.11 Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
6		CVE-2026-24842	Npm-tar-4.4.13	details Recommended version: 7.5.11 Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-26960	Npm-tar-4.4.13	details Recommended version: 7.5.11 Description: "tar.extract()" in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outsid... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
8		CVE-2026-26996	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		CVE-2026-27903	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10		CVE-2026-27904	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11		CVE-2026-27959	Npm-koa-2.13.0	details Recommended version: 2.16.4 Description: Koa is middleware for Node.js using ES2017 async functions. Prior to versions 2.16.4 and 3.x prior to 3.1.2, Koa's `ctx.hostname` API performs naiv... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12		CVE-2026-29786	Npm-tar-4.4.13	details Recommended version: 7.5.11 Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extractio... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
13		CVE-2026-31802	Npm-tar-4.4.13	details Recommended version: 7.5.11 Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extr... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
14		CVE-2026-32141	Npm-flatted-2.0.2	details Recommended version: 3.4.2 Description: flatted is a circular JSON parser. Prior to 3.4.0, flatted's "parse()" function uses a recursive "revive()" phase to resolve circular references in... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
15		CVE-2026-33228	Npm-flatted-2.0.2	details Recommended version: 3.4.2 Description: The "parse()" function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
16		CVE-2026-4926	Npm-path-to-regexp-1.8.0	details Recommended version: 8.4.0 Description: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as "{a}{b}{c}:z". The genera... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17		Cxf5fb15b0-6576	Npm-serialize-javascript-3.1.0	details Recommended version: 7.0.3 Description: serialize-javascript through 7.0.2 contains a code injection vulnerability due to improper escaping of "RegExp.flags" during serialization. Althoug... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
18		CVE-2025-13465	Npm-lodash-4.17.19	details Recommended version: 4.17.23 Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19		CVE-2025-14505	Npm-elliptic-6.5.4	details Description: The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
20		CVE-2025-15284	Npm-qs-6.5.2	details Recommended version: 6.5.4 Description: Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21		CVE-2025-64718	Npm-js-yaml-3.14.0	details Recommended version: 3.14.2 Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
22		CVE-2026-23950	Npm-tar-4.4.13	details Recommended version: 7.5.11 Description: node-tar,a Tar for Node.js, has a race condition vulnerability in versions through 7.5.3. This is due to an incomplete handling of Unicode path col... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
23		CVE-2026-2739	Npm-bn.js-4.12.0	details Recommended version: 4.12.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
24		CVE-2026-2739	Npm-bn.js-4.11.9	details Recommended version: 4.12.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
25		CVE-2026-2739	Npm-bn.js-5.1.2	details Recommended version: 5.2.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
26		CVE-2025-69873	Npm-ajv-6.12.2	details Recommended version: 6.14.0 Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
27		CVE-2025-69873	Npm-ajv-6.12.6	details Recommended version: 6.14.0 Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR