fix(core): upgrade serve handler min version to for upgrade users to a secure version#11833

Merged
slorber merged 2 commits into facebook:main from BearAlliance:upgrade-serve-handler
Mar 24, 2026

Conversation

@BearAlliance (Contributor)

This PR resolves security vulnerabilities in the minimatch dependency.
This is a non-breaking change.

See vercel/serve-handler#228 for details on the security vulnerabilities that were fixed.

Note: minimatch@3.0.5 — pinned exact version, required by @lerna/* and nx. Can't be changed without modifying those packages' dependency declarations. That's a separate concern though.

Pre-flight checklist

  • I have read the Contributing Guidelines on pull requests.
  • If this is a code change: I have written unit tests and/or added dogfooding pages to fully verify the new behavior.
  • If this is a new API or substantial change: the PR has an accompanying issue (closes #0000) and the maintainers have approved on my working plan.

Motivation

Resolving security vulnerabilities in transitive dependency.

Test Plan

Existing tests should be sufficient.

Test links

Deploy preview: https://deploy-preview-_____--docusaurus-2.netlify.app/

Related issues/PRs

None in this project that I could find.

resolves security vulnerabilities in minimatch dependency

meta-cla bot commented Mar 23, 2026

Hi @BearAlliance!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!


socket-security bot commented Mar 23, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | serve-handler@6.1.6 ⏵ 6.1.7 | 99 | 100 | 100 | 88 | 100


socket-security bot commented Mar 23, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.



netlify bot commented Mar 23, 2026

[V2]

Built without sensitive environment variables

Latest commit: bf41a0b
Latest deploy log: https://app.netlify.com/projects/docusaurus-2/deploys/69c29fc8aae4af000854bf05
Deploy Preview: https://deploy-preview-11833--docusaurus-2.netlify.app


meta-cla bot commented Mar 23, 2026

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@meta-cla meta-cla bot added the CLA Signed Signed Facebook CLA label Mar 23, 2026

@slorber (Collaborator) left a comment

LGTM

(the CI error is unrelated, it's due to TS 6.0 being released)

"react-router-dom": "^5.3.4",
"semver": "^7.5.4",
"serve-handler": "^6.1.6",
"serve-handler": "^6.1.7",
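Review bot: raising the range floor from ^6.1.6 to ^6.1.7 changes nothing for an install whose lockfile already resolved serve-handler 6.1.6 until that lockfile is re-resolved; package managers re-resolve an entry only once the declared range no longer admits the locked version, so the changelog entry for this fix should tell users to update or regenerate their lockfile rather than assume the bump alone moves them to 6.1.7. The value of the change, as the discussion below notes, is that the next resolution can no longer keep 6.1.6, which is what spares users the per-repository overrides the author mentions.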
@slorber (Collaborator)

agree to do this change, however we are using a ^ range so technically users can already update their lockfile and get the newer version

@BearAlliance (Contributor, Author)

Agree. Doing it here alleviates users from having to understand the transitive dependent relationship. In my case, it prevents me from having to add overrides to several repos using the package.
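The lockfile check this exchange implies, as an added example that is not part of the PR or of Docusaurus: it walks an npm lockfile (lockfileVersion 2/3 `packages` map) and reports every installed copy of a package, hoisted or nested, that resolves below a required floor. The lockfile fragment and the package names in it are constructed for illustration.

```javascript
// Added example, not from the PR or Docusaurus: audit an npm lockfile
// (lockfileVersion 2/3 "packages" map) for installed copies of a package
// that resolve below a required floor. The floor is the 6.1.7 this PR sets.

const SERVE_HANDLER_FLOOR = "6.1.7";

// Constructed package-lock.json fragment: a hoisted 6.1.7 at the root and a
// nested 6.1.6 that a stale lockfile would keep under @docusaurus/core.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-site", dependencies: { "@docusaurus/core": "^3.0.0" } },
    "node_modules/serve-handler": { version: "6.1.7" },
    "node_modules/@docusaurus/core": { version: "3.0.0" },
    "node_modules/@docusaurus/core/node_modules/serve-handler": { version: "6.1.6" },
    "node_modules/minimatch": { version: "3.0.5" },
  },
};

// Numeric compare of two "x.y.z" strings; returns <0, 0 or >0.
// Pre-release tags are not handled (lockfiles record resolved releases).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name`, hoisted or nested, with an `outdated` flag.
function findCopies(lock, name, floor) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, entry]) => ({
      path,
      version: entry.version,
      outdated: compareVersions(entry.version, floor) < 0,
    }));
}

// Install paths that still need a lockfile update before the fix is in effect.
function outdatedPaths(lock, name, floor) {
  return findCopies(lock, name, floor).filter((c) => c.outdated).map((c) => c.path);
}

console.log(outdatedPaths(sampleLock, "serve-handler", SERVE_HANDLER_FLOOR));
```

Pointing `findCopies` at a real `package-lock.json` (parsed with `JSON.parse`) shows whether a given checkout actually picked up 6.1.7 or is still carrying a nested 6.1.6.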

@slorber slorber added the pr: bug fix This PR fixes a bug in a past release. label Mar 24, 2026
@slorber slorber changed the title from "Upgrade serve handler" to "fix(core): upgrade serve handler min version to for upgrade users to a secure version" Mar 24, 2026
@BearAlliance BearAlliance force-pushed the upgrade-serve-handler branch from a4646a9 to bf41a0b Compare March 24, 2026 14:29
@BearAlliance BearAlliance requested a review from slorber March 24, 2026 14:35

slorber commented Mar 24, 2026

thanks!

@slorber slorber merged commit f659aef into facebook:main Mar 24, 2026
31 of 45 checks passed
@BearAlliance BearAlliance deleted the upgrade-serve-handler branch March 24, 2026 15:04