[DPEDE-1784](deps): Bump picomatch from 2.3.1 to 2.3.2 #1998

Open
dependabot[bot] wants to merge 1 commit into master from dependabot-npm_and_yarn-picomatch-2.3.2

Conversation

@dependabot dependabot Bot commented on behalf of github Mar 26, 2026


Bumps picomatch from 2.3.1 to 2.3.2.

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each version is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 26, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 26, 2026 00:25
@lumen-jenkins-prod


The CI pipeline did not run successfully in https://jenkinsprod.corp.intranet:8443/job/UX-CHI/job/Productive/job/Chi/job/PR-1998/1/. ❌

Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot-npm_and_yarn-picomatch-2.3.2 branch from 2c430c4 to c091019 Compare March 30, 2026 21:08
@lumen-jenkins-prod


The CI pipeline did not run successfully in https://jenkinsprod.corp.intranet:8443/job/UX-CHI/job/Productive/job/Chi/job/PR-1998/2/. ❌

cl-aifel-test Bot commented Jun 29, 2026

🔖 aifel-verdict — AiFEL dependency-triage verdict (schema 1.1)

AiFEL verdict — 🚨 Escalate (ci-health) — human review required

Routine patch bump of picomatch (2.3.1→2.3.2) with no in-repo API usage; the PR also bumps picomatch 4.0.3→4.0.4 resolving two CVEs; escalated solely because repo-wide critical CI confidence is low (64% pass rate across 28 runs).

TL;DR

  • Merge: 🔍 review CI health, then merge — the dependency and security axes are clean; escalation is driven entirely by chronic CI failures on other Dependabot PRs, not this change.
  • Breaks your code? ✅ Most likely not — picomatch is not imported in your source.
  • Security? ✅ no advisories affect 2.3.2; this PR's 4.0.3→4.0.4 bump resolves GHSA-c2c7-rcm5-vvqj (CVSS 7.5) and GHSA-3v7f-55p6-f55p (CVSS 5.3).
  • Update: picomatch: you have 2.3.1, this PR installs 2.3.2 (patch, spans 1 release). Routine security patch refresh — no code impact.
| Signal | Value | Interpretation |
|---|---|---|
| Bump type | patch | z-version increment (2.3.1→2.3.2); patch releases carry bug fixes and security back-ports with no API contract changes. |
| Dependency risk | low | Patch bump; changelog confirms security fixes only, no breaking changes. picomatch is not directly imported anywhere in the repo source (0 hits, authoritative local scan). |
| Security risk | low | No advisories affect picomatch 2.3.2. The two CVEs in scope — GHSA-c2c7-rcm5-vvqj (CVSS 7.5) and GHSA-3v7f-55p6-f55p (CVSS 5.3) — target only the 4.x series (≥4.0.0, <4.0.4); 2.3.2 is outside that range. The PR's lockfile also bumps picomatch 4.0.3→4.0.4, which is the first patched version for both advisories. |
| CI health risk | high | Critical checks: 18/28 passed (64%), flakiness 0%, 28 runs → low confidence. Failures are concentrated on other multi-package Dependabot bump PRs (e.g. npm_and_yarn in / for @babel/preset-env…); Push on master is 9/9 green. Low CI reflects the repo's Dependabot-PR health generally, not this specific change. |
| API usage in repo | false | 0 import sites found; no import/require/dynamic import() of picomatch across all scanned source files — authoritative local scan. |
| Cross-repo signal | standalone | No publishable root manifest found. |
| Data completeness | complete | All 5 signals obtained: classification, API usage, release notes, CI health, cascade. |
📋 Why this route + what AiFEL checked

Why this route?

escalate because: critical CI confidence is low (pass rate 64% < 70% threshold) across 28 critical runs on the default branch.

Escalation category: ci-health

Confidence breakdown — score: 0.85.

  • ✅ patch bump — semver guarantees no API contract breaks

  • ✅ no in-repo usage of picomatch (0 import sites, authoritative scan of all source files)

  • ✅ no advisories affect picomatch 2.3.2 (advisory_ids: [], max_cvss: null)

  • ✅ changelog confirms security-only patch, no breaking changes

  • ✅ no cascade conflicts (no other Dependabot PRs bump picomatch to a different version)

  • ✅ complete data — all 5 signals obtained

  • ⚠️ critical CI low: 10/28 critical runs failed (64% pass rate < 70% threshold); failures are on other Dependabot multi-package bump PRs, not on Push on master (9/9 green) — this indicates the repo's CI is unhealthy for Dependabot PRs broadly, not specifically for this change

  • 💡 To reach a lower route: the root cause is failing Dependabot-PR CI runs for unrelated packages (e.g. the @babel/preset-env, commander, cypress multi-bump PRs). Fixing those flaky critical runs so the overall pass rate rises to ≥70% would raise ci_confidence to medium, dropping the route to spot_check. Note: fixing informational workflows (e.g. Dependency Submission) will NOT change the route.

What AiFEL checked

  1. Triage — classified patch (picomatch 2.3.1→2.3.2); manifest: package-lock.json (npm).
  2. Symbol extraction — none found; 0 import sites across all scanned source files.
  3. Release-notes comparator — changelog for 2.3.2 is a security patch: fixes an exception when glob patterns contain constructor and references CVE-2026-33671/CVE-2026-33672; no breaking changes in range.
  4. CI health — 28 critical runs: pass 64%, flaky 0% → confidence low; informational excluded: none.
  5. Cascade coordinator — 0 conflicts.
  6. Data completeness — obtained 5/5 signals; missing: none.

Will merging break your code?

Per AiFEL analysis, most likely won't impact your code. picomatch is not imported anywhere in the repo's source files, so the 2.3.1→2.3.2 security patch has no in-repo call sites to affect.

Security advisories

Nothing still affects 2.3.2

Both CVEs returned for picomatch target only the 4.x series (vulnerable range ≥4.0.0, <4.0.4); picomatch 2.3.2 is entirely outside that range. Additionally, this PR's lockfile upgrade of picomatch 4.0.3→4.0.4 is the first patched version for both advisories.

Resolved by the 4.0.4 bump in this PR (2): GHSA-c2c7-rcm5-vvqj (CVE-2026-33671, CVSS 7.5 high — ReDoS via extglob quantifiers in picomatch 4.x), GHSA-3v7f-55p6-f55p (CVE-2026-33672, CVSS 5.3 medium — method injection in POSIX character classes in picomatch 4.x) — no action needed; highest was CVSS 7.5.

Packages — what you have vs what this PR installs

| Ecosystem | Package | You have | This PR installs | What changes for you |
|---|---|---|---|---|
| npm | picomatch | 2.3.1 | 2.3.2 | routine security patch — no code impact; changelog fixes constructor-pattern exception and back-ports CVE fixes to the 2.x branch |

Machine-readable verdict

```json
{
  "schema_version": "1.1",
  "classification": "patch",
  "risk_band": "low",
  "ci_confidence": "low",
  "decision_route": "escalate",
  "data_completeness": "complete",
  "escalate_reason": "risk",
  "missing_signals": [],
  "confidence": 0.85,
  "packages": [{"ecosystem": "npm", "name": "picomatch", "old_version": "2.3.1", "new_version": "2.3.2"}],
  "breaking_changes": [],
  "cascade_conflicts": [],
  "summary": "Patch bump of picomatch 2.3.1→2.3.2; no in-repo usage, no breaking changes, no advisories affect 2.3.2. PR also upgrades picomatch 4.0.3→4.0.4, resolving GHSA-c2c7-rcm5-vvqj (CVSS 7.5) and GHSA-3v7f-55p6-f55p (CVSS 5.3). Escalated due to low CI confidence (64% pass rate, 28 critical runs).",
  "upgrade_risk_note": null,
  "cross_repo_signal": "standalone",
  "api_usage_found": false,
  "advisory_ids": [],
  "max_cvss": null,
  "feedback_capture_marker": "aifel-CenturyLink-Chi-1998",
  "agent_version": "1.1.1-aw"
}
```

🤖 Generated by AiFEL — AI-assisted Dependabot triage. Advisory only; a human reviewer still decides and merges.

@cl-aifel-test cl-aifel-test Bot added the aifel/escalate AiFEL: human review required (breaking change or risk) label Jun 29, 2026