fix: add picomatch overrides for GHSA-c2c7-rcm5-vvqj #1446

Closed
Copilot wants to merge 2 commits into main from copilot/fix-picomatch-redos-vulnerability

Conversation

Contributor

Copilot AI commented Mar 26, 2026

ReDoS vulnerability in picomatch ≤2.3.1 and 4.0.0–4.0.3 (CVSS 7.5) allows CPU exhaustion via crafted extglob patterns.

The lockfile already resolves to patched versions. This adds npm overrides to prevent regression on future installs:

"overrides": {
  "picomatch@2": ">=2.3.2",
  "picomatch@4": ">=4.0.4"
}
  • picomatch@2 consumers: anymatch, micromatch
  • picomatch@4 consumers: jest-haste-map, jest-util, tinyglobby

Follows existing override pattern for minimatch and test-exclude.



Copilot AI changed the title from "[WIP] Fix ReDoS vulnerability in picomatch" to "fix: add picomatch overrides for GHSA-c2c7-rcm5-vvqj" on Mar 26, 2026
Copilot AI requested a review from Mossaka March 26, 2026 05:38
@Mossaka Mossaka marked this pull request as ready for review March 31, 2026 16:48
Copilot AI review requested due to automatic review settings March 31, 2026 16:48
@github-actions
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric       Base      PR        Delta
Lines        82.66%    82.77%    📈 +0.11%
Statements   82.32%    82.42%    📈 +0.10%
Functions    81.44%    81.44%    ➡️ +0.00%
Branches     75.97%    76.03%    📈 +0.06%

📁 Per-file Coverage Changes (1 file)

File                     Lines (Before → After)     Statements (Before → After)
src/docker-manager.ts    85.4% → 85.8% (+0.43%)     84.9% → 85.3% (+0.42%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Contributor

Copilot AI left a comment


Pull request overview

Adds npm overrides to ensure vulnerable picomatch versions can’t be reintroduced via transitive dependency resolution (GHSA-c2c7-rcm5-vvqj), aligning with the repo’s existing override-based mitigation approach.

Changes:

  • Add overrides entries to force patched picomatch versions for major lines 2 and 4.
  • Keep lockfile already-resolved patched versions from regressing on future installs.


@github-actions
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1446

@github-actions
Contributor

🔮 Oracle smoke test report
PR titles: fix: copy get-claude-key.sh to chroot-accessible path | feat: add volume mount for ~/.copilot/session-state to persist events.jsonl
GitHub MCP review (last 2 merged): ✅
safeinputs-gh PR query: ❌
Playwright github.com title check: ❌
Tavily search result returned: ❌
File write + bash cat verify: ✅
Discussion query + mystical discussion comment: ❌
AWF build (npm ci && npm run build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

Warning

⚠️ Firewall blocked 5 domains

The following domains were blocked by the firewall during workflow execution:

  • ab.chatgpt.com
  • api.github.com
  • chatgpt.com
  • github.com
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "api.github.com"
    - "chatgpt.com"
    - "github.com"
    - "registry.npmjs.org"

See Network Configuration for more information.

@Mossaka
Collaborator

Mossaka commented Apr 1, 2026

@copilot please fix the audit pipeline failure:

# npm audit report

brace-expansion  4.0.0 - 5.0.4
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion

handlebars  4.0.0 - 4.7.8
Severity: critical
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block - https://github.com/advisories/GHSA-3mfm-83xf-c92r
Handlebars.js has JavaScript Injection via AST Type Confusion - https://github.com/advisories/GHSA-2w6w-674q-4c4q
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection - https://github.com/advisories/GHSA-2qvq-rjwj-gvw9
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry - https://github.com/advisories/GHSA-7rx3-28cr-v5wh
Handlebars.js has a Property Access Validation Bypass in container.lookup - https://github.com/advisories/GHSA-442j-39wm-28r2
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options - https://github.com/advisories/GHSA-xjpj-3mr7-gcpf
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial - https://github.com/advisories/GHSA-xhpv-hc6g-r9c6
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation - https://github.com/advisories/GHSA-9cx6-37pm-9jff
fix available via `npm audit fix`
node_modules/handlebars

2 vulnerabilities (1 moderate, 1 critical)

To address all issues, run:
  npm audit fix

https://github.com/github/gh-aw-firewall/actions/runs/23579310716/job/69390699111?pr=1446



Development

Successfully merging this pull request may close these issues.

[Security] [GHSA-c2c7-rcm5-vvqj] ReDoS vulnerability in picomatch (transitive dependency)

3 participants