release(cp): chore: fix newly reported dependency audit vulnerabilities by updating minimatch-related deps (#40315)

Author: davidmurdoch

.eslintrc.js

@@ -588,7 +588,7 @@ module.exports = {
       files: ['development/**/*.js', 'test/helpers/setup-helper.js'],
       rules: {
         'n/no-process-exit': 'off',
-        'n/shebang': 'off',
+        'n/hashbang': 'off',
       },
     },
     /**

.eslintrc.node.js

@@ -2,6 +2,16 @@ module.exports = {
   extends: ['@metamask/eslint-config-nodejs'],
   rules: {
     'n/no-process-env': 'off',
+    // eslint-plugin-n@17 started treating these browser globals as Node builtins
+    // and `n/hashbang` started flagging existing script headers in this repo.
+    // Keep prior behavior while we remain on the current shared config stack.
+    'n/no-unsupported-features/node-builtins': [
+      'error',
+      {
+        ignores: ['navigator', 'Navigator', 'localStorage'],
+      },
+    ],
+    'n/hashbang': 'off',
     // TODO: re-enable these rules
     'n/no-sync': 'off',
     'n/no-unpublished-import': 'off',

.yarnrc.yml

@@ -26,29 +26,6 @@ npmAuditIgnoreAdvisories:
   # We are ignoring this on April 24, 2025 to unblock CI, we will follow with a proper fix or confirmation this does not affect our users
   - 1104001
 
-  # Issue: `glob` vulnerability, already fixed in the version we're using (v10.5.0) but the
-  # advisory range hasn't been updated yet.
-  # URL: https://github.com/advisories/GHSA-5j98-mcp5-4vw2
-  - 1109809
-
-  # Issue: `body-parser` denial of service vulnerability
-  # Seemingly only impacts v2.2.0, but we're on v1. The advisory range is overly wide.
-  # The attack vector also does not apply to how we use the package.
-  # URL: https://github.com/advisories/GHSA-wqch-xfxh-vrr4
-  - 1110857
-
-  # Issue: ajv has ReDoS when using `$data` option
-  # A lot of our linting tooling relies on old versions of ajv, which proves hard to deal with
-  # For now, we are ignoring this to unblock CI
-  # URL: https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
-  - 1113214
-
-  # Issue: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
-  # Only affects dev/build-time dependencies (eslint-plugin-n, glob) — not shipped to users.
-  # URL: https://github.com/advisories/GHSA-3ppc-4f35-3m26
-  - 1113371
-  - 1113459
-
   ### Package Deprecations:
 
   # React-tippy brings in popper.js and react-tippy has not been updated in
@@ -104,3 +81,5 @@ npmPreapprovedPackages:
   - 'lavamoat-node'
   - 'lavamoat'
   - 'extension-port-stream'
+  # Temporary bypass for recent minimatch security patch; remove once older than age gate.
+  - 'minimatch'

lavamoat/browserify/beta/policy.json

@@ -3877,7 +3877,7 @@
         "buffer>ieee754": true
       }
     },
-    "eslint-plugin-n>builtins": {
+    "@metamask/snaps-utils>validate-npm-package-name>builtins": {
       "packages": {
         "process": true,
         "semver": true
@@ -6433,7 +6433,7 @@
     },
     "@metamask/snaps-utils>validate-npm-package-name": {
       "packages": {
-        "eslint-plugin-n>builtins": true
+        "@metamask/snaps-utils>validate-npm-package-name>builtins": true
       }
     },
     "react-markdown>vfile>vfile-message": {

lavamoat/browserify/experimental/policy.json

@@ -3877,7 +3877,7 @@
         "buffer>ieee754": true
       }
     },
-    "eslint-plugin-n>builtins": {
+    "@metamask/snaps-utils>validate-npm-package-name>builtins": {
       "packages": {
         "process": true,
         "semver": true
@@ -6433,7 +6433,7 @@
     },
     "@metamask/snaps-utils>validate-npm-package-name": {
       "packages": {
-        "eslint-plugin-n>builtins": true
+        "@metamask/snaps-utils>validate-npm-package-name>builtins": true
       }
     },
     "react-markdown>vfile>vfile-message": {

lavamoat/browserify/flask/policy.json

@@ -3877,7 +3877,7 @@
         "buffer>ieee754": true
       }
     },
-    "eslint-plugin-n>builtins": {
+    "@metamask/snaps-utils>validate-npm-package-name>builtins": {
       "packages": {
         "process": true,
         "semver": true
@@ -6433,7 +6433,7 @@
     },
     "@metamask/snaps-utils>validate-npm-package-name": {
       "packages": {
-        "eslint-plugin-n>builtins": true
+        "@metamask/snaps-utils>validate-npm-package-name>builtins": true
       }
     },
     "react-markdown>vfile>vfile-message": {

lavamoat/browserify/main/policy.json

@@ -3877,7 +3877,7 @@
         "buffer>ieee754": true
       }
     },
-    "eslint-plugin-n>builtins": {
+    "@metamask/snaps-utils>validate-npm-package-name>builtins": {
       "packages": {
         "process": true,
         "semver": true
@@ -6433,7 +6433,7 @@
     },
     "@metamask/snaps-utils>validate-npm-package-name": {
       "packages": {
-        "eslint-plugin-n>builtins": true
+        "@metamask/snaps-utils>validate-npm-package-name>builtins": true
       }
     },
     "react-markdown>vfile>vfile-message": {

lavamoat/build-system/policy.json

@@ -1781,14 +1781,6 @@
         "Buffer": true
       }
     },
-    "eslint-plugin-n>builtins": {
-      "globals": {
-        "process.version": true
-      },
-      "packages": {
-        "semver": true
-      }
-    },
     "gulp>gulp-cli>matchdep>micromatch>snapdragon>base>cache-base": {
       "packages": {
         "gulp>gulp-cli>matchdep>micromatch>snapdragon>base>cache-base>collection-visit": true,
@@ -2526,6 +2518,30 @@
         "@metamask/object-multiplex>once": true
       }
     },
+    "webpack>enhanced-resolve": {
+      "builtin": {
+        "module.findPnpApi": true,
+        "path.basename": true,
+        "path.posix.dirname": true,
+        "path.posix.normalize": true,
+        "path.win32.dirname": true,
+        "path.win32.normalize": true,
+        "process.nextTick": true,
+        "process.versions.pnp": true,
+        "url": true
+      },
+      "globals": {
+        "Buffer.isBuffer": true,
+        "URL": true,
+        "clearTimeout": true,
+        "process.cwd": true,
+        "setTimeout": true
+      },
+      "packages": {
+        "del>graceful-fs": true,
+        "webpack>tapable": true
+      }
+    },
     "gulp-livereload>tiny-lr>body>error": {
       "builtin": {
         "assert": true
@@ -2708,6 +2724,17 @@
         "eslint>natural-compare": true
       }
     },
+    "eslint-plugin-n>eslint-plugin-es-x>eslint-compat-utils": {
+      "builtin": {
+        "fs.existsSync": true,
+        "path.basename": true,
+        "path.dirname": true,
+        "path.extname": true
+      },
+      "globals": {
+        "process.cwd": true
+      }
+    },
     "eslint-config-prettier": {
       "globals": {
         "process.env.ESLINT_CONFIG_PRETTIER_NO_DEPRECATED": true
@@ -2766,13 +2793,14 @@
         "eslint-import-resolver-node": true
       }
     },
-    "eslint-plugin-n>eslint-plugin-es": {
+    "eslint-plugin-n>eslint-plugin-es-x": {
       "globals": {
         "process": true
       },
       "packages": {
-        "eslint-plugin-n>eslint-plugin-es>eslint-utils": true,
-        "eslint-plugin-n>eslint-plugin-es>regexpp": true
+        "eslint>@eslint-community/eslint-utils": true,
+        "eslint>@eslint-community/regexpp": true,
+        "eslint-plugin-n>eslint-plugin-es-x>eslint-compat-utils": true
       }
     },
     "eslint-plugin-import": {
@@ -2839,29 +2867,34 @@
     },
     "eslint-plugin-n": {
       "builtin": {
-        "assert": true,
-        "fs": true,
-        "path": true,
-        "url.URL": true,
-        "url.fileURLToPath": true,
-        "url.pathToFileURL": true,
-        "util.format": true,
-        "util.inspect": true
+        "fs.existsSync": true,
+        "fs.readFileSync": true,
+        "fs.readdirSync": true,
+        "fs.statSync": true,
+        "node:module.isBuiltin": true,
+        "path.basename": true,
+        "path.dirname": true,
+        "path.extname": true,
+        "path.isAbsolute": true,
+        "path.join": true,
+        "path.posix.normalize": true,
+        "path.relative": true,
+        "path.resolve": true,
+        "path.sep": true
       },
       "globals": {
-        "process.cwd": true,
-        "process.emitWarning": true,
-        "process.platform": true
+        "process.cwd": true
       },
       "packages": {
-        "eslint-plugin-n>builtins": true,
-        "eslint-plugin-n>eslint-plugin-es": true,
-        "eslint-plugin-n>eslint-utils": true,
+        "eslint>@eslint-community/eslint-utils": true,
+        "webpack>enhanced-resolve": true,
+        "eslint-plugin-n>eslint-plugin-es-x": true,
+        "tsx>get-tsconfig": true,
+        "eslint-plugin-n>globals": true,
+        "eslint-plugin-n>globrex": true,
         "eslint>ignore": true,
-        "depcheck>is-core-module": true,
-        "eslint>minimatch": true,
-        "depcheck>resolve": true,
-        "semver": true
+        "semver": true,
+        "typescript": true
       }
     },
     "eslint-plugin-prettier": {
@@ -2940,21 +2973,11 @@
         "semver": true
       }
     },
-    "eslint-plugin-n>eslint-plugin-es>eslint-utils": {
-      "packages": {
-        "eslint-plugin-n>eslint-plugin-es>eslint-utils>eslint-visitor-keys": true
-      }
-    },
     "eslint-plugin-mocha>eslint-utils": {
       "packages": {
         "eslint-plugin-mocha>eslint-utils>eslint-visitor-keys": true
       }
     },
-    "eslint-plugin-n>eslint-utils": {
-      "packages": {
-        "eslint-plugin-n>eslint-utils>eslint-visitor-keys": true
-      }
-    },
     "eslint>espree": {
       "packages": {
         "eslint>espree>acorn-jsx": true,
@@ -3495,6 +3518,29 @@
         "pumpify>pump": true
       }
     },
+    "tsx>get-tsconfig": {
+      "builtin": {
+        "fs": true,
+        "node:fs": true,
+        "node:module": true,
+        "node:path.dirname": true,
+        "node:path.isAbsolute": true,
+        "node:path.join": true,
+        "node:path.posix": true,
+        "node:path.relative": true,
+        "node:path.resolve": true,
+        "os.tmpdir": true,
+        "path.join": true
+      },
+      "globals": {
+        "process.cwd": true,
+        "process.pid": true,
+        "process.platform": true
+      },
+      "packages": {
+        "tsx>get-tsconfig>resolve-pkg-maps": true
+      }
+    },
     "gulp-watch>anymatch>micromatch>parse-glob>glob-base": {
       "builtin": {
         "path.dirname": true
@@ -3600,6 +3646,11 @@
         "del>slash": true
       }
     },
+    "eslint-plugin-n>globrex": {
+      "globals": {
+        "process.platform": true
+      }
+    },
     "del>graceful-fs": {
       "builtin": {
         "assert.equal": true,
@@ -7204,6 +7255,11 @@
         "tailwindcss>sucrase": true
       }
     },
+    "webpack>tapable": {
+      "builtin": {
+        "util.deprecate": true
+      }
+    },
     "terser": {
       "globals": {
         "Buffer": true,

lavamoat/webpack/build/policy-override.json

@@ -12,6 +12,19 @@
       },
       "native": true
     },
+    "copy-webpack-plugin": {
+      "packages": {
+        "copy-webpack-plugin>serialize-javascript": true
+      }
+    },
+    "copy-webpack-plugin>serialize-javascript": {
+      "globals": {
+        "URL": true
+      },
+      "packages": {
+        "crypto-browserify>randombytes": true
+      }
+    },
     "@swc/core": {
       "packages": {
         "@swc/core>@swc/core-darwin-x64": true,

lavamoat/webpack/build/policy.json

@@ -1336,7 +1336,9 @@
       "builtin": {
         "module.findPnpApi": true,
         "path.basename": true,
+        "path.posix.dirname": true,
         "path.posix.normalize": true,
+        "path.win32.dirname": true,
         "path.win32.normalize": true,
         "process.nextTick": true,
         "process.versions.pnp": true,
@@ -1346,6 +1348,7 @@
         "Buffer.isBuffer": true,
         "URL": true,
         "clearTimeout": true,
+        "process.cwd": true,
         "setTimeout": true
       },
       "packages": {