
fix: update picomatch to resolve CVE-2026-33672 #37

Open: liliwilson wants to merge 1 commit into main from independabot/picomatch-cve-2026-33672


@liliwilson


Summary

Adds a forced override for picomatch to >=2.3.2 (resolved: 4.0.4) to fix CVE-2026-33672 / GHSA-3v7f-55p6-f55p.

Dependabot alert: https://github.com/warpdotdev/oz-sdk-typescript/security/dependabot/9

What changed

  • Added "picomatch": ">=2.3.2" to overrides, pnpm.overrides, and resolutions in package.json
  • Lockfile updated: picomatch bumped from 2.3.1 → 4.0.4

Verification

  • pnpm audit: picomatch advisory (GHSA-3v7f-55p6-f55p) no longer appears
  • All tests pass (329 passed, 9 test suites)

Conversation: https://staging.warp.dev/conversation/9e8ead20-bdc4-4b51-bd5f-6d7a46b03cac
Run: https://oz.staging.warp.dev/runs/019eef6c-8fe9-7df4-9159-d91bb9706576

This PR was generated with Oz.

Add pnpm.overrides, overrides, and resolutions for picomatch>=2.3.2 to
force the transitive dependency to a patched version. Resolves
Dependabot alert #9 (GHSA-3v7f-55p6-f55p).

Co-Authored-By: Oz <oz-agent@warp.dev>
@liliwilson liliwilson requested a review from ianhodge June 22, 2026 13:07
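
A check a reviewer could run against this kind of change, as an added example that is not part of the PR or the repository: it confirms the picomatch override is present in all three fields listed under "What changed" and that no lockfile entry still resolves below 2.3.2. The helper names and the sample package/lockfile data are constructed for illustration.

```javascript
// Added example: helper names and sample data are constructed, not from the repo.
const MIN = [2, 3, 2]; // lower bound of the override range in the PR (>=2.3.2)

// True when "x.y.z" is strictly below MIN.
function belowMin(version) {
  const parts = version.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== MIN[i]) return parts[i] < MIN[i];
  }
  return false;
}

// Names of the three override fields from the PR that lack a picomatch entry.
function missingOverrides(pkg) {
  const fields = {
    overrides: pkg.overrides,
    'pnpm.overrides': pkg.pnpm && pkg.pnpm.overrides,
    resolutions: pkg.resolutions,
  };
  return Object.keys(fields).filter((k) => !(fields[k] && fields[k].picomatch));
}

// Distinct picomatch versions below MIN found in lockfile text. Matches both
// "picomatch@x.y.z" keys and "picomatch: x.y.z" dependency lines, and skips
// other packages such as "@types/picomatch" or "foo-picomatch".
function stalePicomatch(lockText) {
  const re = /(?<![\w.-])(?<!@[\w.-]+\/)picomatch(?:@|:\s+)(\d+\.\d+\.\d+)/g;
  const stale = new Set();
  for (const m of lockText.matchAll(re)) {
    if (belowMin(m[1])) stale.add(m[1]);
  }
  return [...stale].sort();
}

// Constructed inputs: one override field missing, one stale resolution left.
const samplePkg = {
  overrides: { picomatch: '>=2.3.2' },
  pnpm: { overrides: { picomatch: '>=2.3.2' } },
};
const sampleLock = [
  '  picomatch@4.0.4:',
  "  '@types/picomatch@2.3.0':",
  '  micromatch@4.0.8:',
  '    dependencies:',
  '      picomatch: 2.3.1',
].join('\n');

console.log('missing override fields:', missingOverrides(samplePkg));
console.log('stale picomatch versions:', stalePicomatch(sampleLock));
```

A range with only a lower bound lets the resolver pick a new major version (here 4.0.4 in place of 2.3.1), so a check like this complements the test run rather than replacing it.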