From 213417a067aa5aeddcdf5ef7887f6cd969c56c88 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 6 Mar 2026 19:20:31 +0000
Subject: [PATCH] fix: upgrade minimatch to patch CVE-2026-27903 ReDoS vulnerability

Add pnpm override to force minimatch@<3.1.3 to resolve to 3.1.4, which patches the combinatorial backtracking ReDoS in matchOne() (GHSA-7r86-cg39-jmmj). The vulnerable 3.1.2 version was a transitive dependency via @stoplight/spectral-core.

https://claude.ai/code/session_01SsMomKnukR5m2q7cC1pjJ6
---
 pnpm-lock.yaml | 12 +++---------
 pnpm-workspace.yaml | 3 +++
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a954950f0..c814090e8 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -14,7 +14,7 @@ catalogs: version: 11.49.0 '@carbon/react': specifier: ^1.101.0 - version: 1.101.0 + version: 1.102.0 '@carbon/styles': specifier: ^1.100.0 version: 1.101.0
@@ -78,6 +78,7 @@ catalogs: overrides: path-to-regexp@<0.1.10: 0.1.10 + minimatch@<3.1.3: 3.1.4 importers:
@@ -6977,9 +6978,6 @@ packages: resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==} engines: {node: 18 || 20 || >=22} - minimatch@3.1.2: resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} - minimatch@3.1.4: resolution: {integrity: sha512-twmL+S8+7yIsE9wsqgzU3E8/LumN3M3QELrBZ20OdmQ9jB2JvW5oZtBEmft84k/Gs5CG9mqtWc6Y9vW+JEzGxw==}
@@ -12968,7 +12966,7 @@ snapshots: jsonpath-plus: 10.4.0 lodash: 4.17.23 lodash.topath: 4.5.2 - minimatch: 3.1.2 + minimatch: 3.1.4 nimma: 0.2.3 pony-cause: 1.1.1 simple-eval: 1.0.1
@@ -17288,10 +17286,6 @@ snapshots: dependencies: brace-expansion: 5.0.3 - minimatch@3.1.2: dependencies: brace-expansion: 1.1.12 - minimatch@3.1.4: dependencies: brace-expansion: 1.1.12
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 1beea98ce..da58e8f77 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -2,6 +2,9 @@ overrides:
 # Fix CVE-2024-45296 / GHSA-9wv6-86v2-598j: path-to-regexp ReDoS vulnerability
 # Transitive via mintlify -> @mintlify/previewing -> express@4.18.2
 "path-to-regexp@<0.1.10": "0.1.10"
+ # Fix CVE-2026-27903 / GHSA-7r86-cg39-jmmj: minimatch ReDoS vulnerability
+ # Transitive via @stoplight/spectral-core
+ "minimatch@<3.1.3": "3.1.4"
 packages:
 - apps/agentstack-ui
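Review bot: The new override `"minimatch@<3.1.3": "3.1.4"` only rewrites the 3.x line, so any other minimatch major in the graph is untouched — the lockfile hunk at `@@ -17288` shows a snapshot directly above the removed `minimatch@3.1.2` entry that depends on `brace-expansion: 5.0.3`, which looks like a newer minimatch major; if the advisory's affected range reaches those majors they remain vulnerable after this commit, so confirm with `pnpm audit` and `pnpm why minimatch` and add one selector per affected major at its patched version. The override also states no exit condition, and a range override keeps rewriting future resolutions long after upstream has moved on; I would extend the added comment to `# Remove once @stoplight/spectral-core requires minimatch >=3.1.3`. Unrelated to the CVE, the same commit's lockfile also moves `@carbon/react` from 1.101.0 to 1.102.0 under an unchanged `^1.101.0` specifier, which a security patch should not carry silently — regenerate the lockfile so only the minimatch change lands, or mention the bump in the message.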