From 096db437da843638f9ee9b1892e0c592b0afc14f Mon Sep 17 00:00:00 2001
From: Barcode Betty <noreply@cartsnitch.com>
Date: Mon, 30 Mar 2026 20:15:50 +0000
Subject: [PATCH] fix(deps): force picomatch to 4.0.4 to patch high-severity
 ReDoS

Adds picomatch@^4.0.4 as a direct dependency to override the vulnerable
4.0.3 pinned in transitive deps (vitest). Resolves 2 high-severity CVEs.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 package-lock.json | 2 +-
 package.json      | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/package-lock.json b/package-lock.json
index 06d623d..f0b6ddd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,6 +10,7 @@
       "dependencies": {
         "@tanstack/react-query": "^5.0.0",
         "better-auth": "^1.2.0",
+        "picomatch": "4.0.4",
         "react": "^18.3.1",
         "react-dom": "^18.3.1",
         "react-router-dom": "^7.0.0",
@@ -7749,7 +7750,6 @@
       "version": "4.0.4",
       "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
       "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
-      "devOptional": true,
       "license": "MIT",
       "engines": {
         "node": ">=12"
diff --git a/package.json b/package.json
index 67e3891..4513dcb 100644
--- a/package.json
+++ b/package.json
@@ -14,6 +14,7 @@
   "dependencies": {
     "@tanstack/react-query": "^5.0.0",
     "better-auth": "^1.2.0",
+    "picomatch": "4.0.4",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-router-dom": "^7.0.0",