
chore: update minimatch#614

Open
briantstephan wants to merge 2 commits into main from update-minimatch-recursive

Conversation

@briantstephan
Contributor

@briantstephan briantstephan commented Jun 2, 2026

This recursively updates minimatch so all downstream dependencies are using secure versions.

https://nvd.nist.gov/vuln/detail/CVE-2026-27903

@briantstephan briantstephan self-assigned this Jun 2, 2026
@briantstephan briantstephan requested a review from a team as a code owner June 2, 2026 15:08
@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b8c39d5b-44ad-4619-a180-8fd4e6101042

📥 Commits

Reviewing files that changed from the base of the PR and between bafeea9 and 46b0e05.

📒 Files selected for processing (1)
  • THIRD-PARTY-NOTICES
✅ Files skipped from review due to trivial changes (1)
  • THIRD-PARTY-NOTICES

Walkthrough

This PR updates two development dependency versions in packages/pages/package.json: @microsoft/api-extractor from ^7.47.11 to ^7.57.7 and minimatch from ^10.2.3 to ^10.2.5. It also updates THIRD-PARTY-NOTICES entries for brace-expansion (2.0.1 → 2.1.1) and minimatch (9.0.5 → 9.0.9). No other manifest properties or public signatures were changed.

Possibly related PRs

  • yext/pages#606: Both PRs update the minimatch devDependency in packages/pages/package.json.
  • yext/pages#604: Both PRs update the minimatch devDependency in packages/pages/package.json and modify the same THIRD-PARTY-NOTICES entries.

Suggested reviewers

  • mkilpatrick
  • benlife5
  • asanehisa
  • jwartofsky-yext
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Title check: ✅ Passed. The title 'chore: update minimatch' directly corresponds to the main change in the PR, which is updating the minimatch dependency across the codebase.
Description check: ✅ Passed. The description clearly relates to the changeset by explaining the purpose of updating minimatch for security reasons and references a specific CVE.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/pages/package.json (1)

87-103: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Ensure pnpm resolves “recursive” minimatch remediation to only secure versions

  • packages/pages/package.json bumps minimatch to ^10.2.5, but the repo root has no pnpm.overrides.
  • pnpm-lock.yaml still contains a resolved minimatch@9.0.9, so the objective (“all downstream dependencies are using secure versions”) isn’t fully achieved by this manifest-only change.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/pages/package.json` around lines 87 - 103, The package.json bump of
minimatch in packages/pages (minimatch ^10.2.5) didn’t propagate because
pnpm-lock.yaml still resolves minimatch@9.0.9; add a pnpm.overrides entry at the
repo root (override minimatch to ^10.2.5 or >=10.2.5) and then run a fresh pnpm
install to regenerate pnpm-lock.yaml so all downstream dependencies are pinned
to the secure minimatch version; reference the minimatch dependency, the
packages/pages/package.json change, the pnpm.overrides file, and the
pnpm-lock.yaml when making and verifying the fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 729c2e03-4223-4c2f-a141-fd3b5ef8fc83

📥 Commits

Reviewing files that changed from the base of the PR and between 9bc82e0 and bafeea9.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • packages/pages/package.json

@briantstephan
Contributor Author

@coderabbitai minimatch@9.0.9 is secure according to https://nvd.nist.gov/vuln/detail/CVE-2026-27903, so I think these updates should be sufficient. Let me know if that doesn't seem correct.

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for any minimatch version references in lock files
echo "=== Searching for minimatch in package-lock.json ==="
fd -g "package-lock.json" --max-depth 3 | head -5

echo "=== Searching for minimatch in yarn.lock ==="
fd -g "yarn.lock" --max-depth 3 | head -5

echo "=== Checking package.json files for minimatch ==="
rg -n "minimatch" --type json -g "package.json"

echo "=== Checking THIRD-PARTY-NOTICES for minimatch ==="
rg -n "minimatch" THIRD-PARTY-NOTICES

echo "=== Checking for brace-expansion references ==="
rg -n "brace-expansion" --type json -g "package.json"

Length of output: 1235


🌐 Web query:

CVE-2026-27903 minimatch vulnerability fixed version

Length of output: 11101



@briantstephan That's correct! According to the CVE-2026-27903 advisory, the patched versions are:

Range              Fixed in
>=9.0.0, <9.0.7    9.0.7
>=10.0.0, <10.2.3  10.2.3

This PR resolves both:

  • The direct dependency in packages/pages/package.json is now ^10.2.5 (≥ 10.2.3 ✅)
  • The transitive dependency reflected in THIRD-PARTY-NOTICES is now minimatch@9.0.9 (≥ 9.0.7 ✅)

Both versions are beyond the patched thresholds, so the updates look sufficient. 🐇
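The two points the thread turns on (the manifest bump alone does not prove what the lockfile resolves, and a version is safe only if it is at or above the fixed release for its major line) can be checked mechanically. The following is an added example, not code from the PR or from CodeRabbit: it scans a constructed pnpm-lock.yaml excerpt for every resolved minimatch version and flags those below the advisory's fixed versions quoted above. The lockfile key format (`name@version:`, optionally prefixed with `/`) and the sample entries are assumptions.

```python
import re

# Patched-version table from the CVE-2026-27903 advisory as quoted in this PR:
# (start of affected range, first fixed version) per major line.
FIXED = [
    ((9, 0, 0), (9, 0, 7)),
    ((10, 0, 0), (10, 2, 3)),
]

# Constructed pnpm-lock.yaml excerpt; NOT the repository's real lockfile.
# The 9.0.5 entry is deliberately below the fix to show a flagged result.
SAMPLE_LOCK = """\
packages:

  minimatch@9.0.9:
    resolution: {integrity: sha512-PLACEHOLDER}

  minimatch@10.2.5:
    resolution: {integrity: sha512-PLACEHOLDER}

  minimatch@9.0.5:
    resolution: {integrity: sha512-PLACEHOLDER}

  brace-expansion@2.1.1:
    resolution: {integrity: sha512-PLACEHOLDER}
"""


def parse_version(text):
    """'9.0.9' -> (9, 0, 9); tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def resolved_versions(lock_text, name):
    """All versions of `name` the lockfile resolves, as sorted tuples."""
    # Assumed key shape: optional '/', then name@x.y.z followed by ':' or '('.
    pattern = re.compile(rf"^\s*/?{re.escape(name)}@(\d+\.\d+\.\d+)[:(]", re.M)
    return sorted({parse_version(m.group(1)) for m in pattern.finditer(lock_text)})


def is_vulnerable(version):
    """True when version sits inside an affected range, below its fix."""
    return any(low <= version < fixed for low, fixed in FIXED)


def audit(lock_text, name="minimatch"):
    """Map each resolved version string to whether it is still affected."""
    return {".".join(map(str, v)): is_vulnerable(v)
            for v in resolved_versions(lock_text, name)}
```

Run against the real pnpm-lock.yaml, any `True` entry means a transitive consumer still pulls an affected release regardless of what package.json declares.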
