[DPEDE-1784](deps): Bump picomatch from 2.3.1 to 2.3.2 #1998
dependabot[bot] wants to merge 1 commit into
The CI pipeline did not run successfully in https://jenkinsprod.corp.intranet:8443/job/UX-CHI/job/Productive/job/Chi/job/PR-1998/1/. ❌
Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2c430c4 to c091019
The CI pipeline did not run successfully in https://jenkinsprod.corp.intranet:8443/job/UX-CHI/job/Productive/job/Chi/job/PR-1998/2/. ❌
🔖 AiFEL verdict — 🚨 Escalate (ci-health) — human review required
TL;DR
📋 Why this route + what AiFEL checked
Why this route?
escalate because: critical CI confidence is
Escalation category:
Confidence breakdown — score:
What AiFEL checked
Will merging break your code?
✅ Per AiFEL analysis, most likely won't impact your code. picomatch is not imported anywhere in the repo's source files, so the 2.3.1→2.3.2 security patch has no in-repo call sites to affect.
Security advisories
✅ Nothing still affects
Both CVEs returned for picomatch target only the 4.x series (vulnerable range
✅ Resolved by the 4.0.4 bump in this PR (
Packages — what you have vs what this PR installs
Machine-readable verdict
{
"schema_version": "1.1",
"classification": "patch",
"risk_band": "low",
"ci_confidence": "low",
"decision_route": "escalate",
"data_completeness": "complete",
"escalate_reason": "risk",
"missing_signals": [],
"confidence": 0.85,
"packages": [{"ecosystem": "npm", "name": "picomatch", "old_version": "2.3.1", "new_version": "2.3.2"}],
"breaking_changes": [],
"cascade_conflicts": [],
"summary": "Patch bump of picomatch 2.3.1→2.3.2; no in-repo usage, no breaking changes, no advisories affect 2.3.2. PR also upgrades picomatch 4.0.3→4.0.4, resolving GHSA-c2c7-rcm5-vvqj (CVSS 7.5) and GHSA-3v7f-55p6-f55p (CVSS 5.3). Escalated due to low CI confidence (64% pass rate, 28 critical runs).",
"upgrade_risk_note": null,
"cross_repo_signal": "standalone",
"api_usage_found": false,
"advisory_ids": [],
"max_cvss": null,
"feedback_capture_marker": "aifel-CenturyLink-Chi-1998",
"agent_version": "1.1.1-aw"
}
Bumps picomatch from 2.3.1 to 2.3.2.
Release notes
Sourced from picomatch's releases.
Changelog
Sourced from picomatch's changelog.
... (truncated)
Commits
- 81cba8d Publish 2.3.2
- fc1f6b6 Merge commit from fork
- eec17ae Merge commit from fork
- 78f8ca4 Merge pull request #156 from micromatch/backport-144
- 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties