release(cp): chore: fix newly reported dependency audit vulnerabilities by updating minimatch-related deps (#40315)

Author: davidmurdoch

.eslintrc.js

@@ -588,7 +588,7 @@ module.exports = {
       files: ['development/**/*.js', 'test/helpers/setup-helper.js'],
       rules: {
         'n/no-process-exit': 'off',
-        'n/shebang': 'off',
+        'n/hashbang': 'off',
       },
     },
     /**

.eslintrc.node.js

@@ -2,6 +2,16 @@ module.exports = {
   extends: ['@metamask/eslint-config-nodejs'],
   rules: {
     'n/no-process-env': 'off',
+    // eslint-plugin-n@17 started treating these browser globals as Node builtins
+    // and `n/hashbang` started flagging existing script headers in this repo.
+    // Keep prior behavior while we remain on the current shared config stack.
+    'n/no-unsupported-features/node-builtins': [
+      'error',
+      {
+        ignores: ['navigator', 'Navigator', 'localStorage'],
+      },
+    ],
+    'n/hashbang': 'off',
     // TODO: re-enable these rules
     'n/no-sync': 'off',
     'n/no-unpublished-import': 'off',

.yarnrc.yml

@@ -26,29 +26,6 @@ npmAuditIgnoreAdvisories:
   # We are ignoring this on April 24, 2025 to unblock CI, we will follow with a proper fix or confirmation this does not affect our users
   - 1104001
 
-  # Issue: `glob` vulnerability, already fixed in the version we're using (v10.5.0) but the
-  # advisory range hasn't been updated yet.
-  # URL: https://github.com/advisories/GHSA-5j98-mcp5-4vw2
-  - 1109809
-
-  # Issue: `body-parser` denial of service vulnerability
-  # Seemingly only impacts v2.2.0, but we're on v1. The advisory range is overly wide.
-  # The attack vector also does not apply to how we use the package.
-  # URL: https://github.com/advisories/GHSA-wqch-xfxh-vrr4
-  - 1110857
-
-  # Issue: ajv has ReDoS when using `$data` option
-  # A lot of our linting tooling relies on old versions of ajv, which proves hard to deal with
-  # For now, we are ignoring this to unblock CI
-  # URL: https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
-  - 1113214
-
-  # Issue: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
-  # Only affects dev/build-time dependencies (eslint-plugin-n, glob) — not shipped to users.
-  # URL: https://github.com/advisories/GHSA-3ppc-4f35-3m26
-  - 1113371
-  - 1113459
-
   ### Package Deprecations:
 
   # React-tippy brings in popper.js and react-tippy has not been updated in
@@ -104,3 +81,5 @@ npmPreapprovedPackages:
   - 'lavamoat-node'
   - 'lavamoat'
   - 'extension-port-stream'
+  # Temporary bypass for recent minimatch security patch; remove once older than age gate.
+  - 'minimatch'