Bumping minimatch *10* to *10.1.2* to avoid dependencies with critical vulnerabilities#450

Merged
JounQin merged 2 commits intoun-ts:masterfrom
andrewgaun:patch-1
Feb 26, 2026

Conversation

@andrewgaun andrewgaun commented Feb 4, 2026

Updating the minimum minimatch 10 version to 10.1.2, which updates a dependency with a critical vulnerability.

PS Sorry about recreating this PR three times 😞

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ @isaacs/brace-expansion has Uncontrolled Resource      │
│                     │ Consumption                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @isaacs/brace-expansion                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=5.0.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.0.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>neostandard>eslint-plugin-import-                    │
│                     │ x>minimatch>@isaacs/brace-expansion                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-7h2j-956f-4vf2      │
└─────────────────────┴────────────────────────────────────────────────────────┘

Important

Update minimatch to ^10.1.2 in package.json to fix a critical vulnerability in @isaacs/brace-expansion.

  • Dependencies:
    • Update minimatch version in package.json from ^10.0.1 to ^10.1.2 to address a critical vulnerability in @isaacs/brace-expansion.
  • Changeset:
    • Add .changeset/clever-terms-retire.md to document the dependency update and its purpose.

This description was created by Ellipsis for ad34071.

Summary by CodeRabbit

  • Bug Fixes
    • Addressed a critical security vulnerability by updating the minimatch dependency to version 10.1.2. This patch release resolves a known issue in an underlying package, strengthening application security, reducing exposure to potential exploits, and improving overall safety for users. No public APIs or exported interfaces were changed.

changeset-bot Bot commented Feb 4, 2026

🦋 Changeset detected

Latest commit: 61d2d12

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name                     Type
eslint-plugin-import-x   Patch


@ellipsis-dev ellipsis-dev Bot left a comment

Important

Looks good to me! 👍

Reviewed everything up to ad34071 in 9 seconds.
  • Reviewed 26 lines of code in 2 files
  • Skipped 1 file when reviewing.
  • Skipped posting 0 draft comments.

Workflow ID: wflow_QuoV5jFYXNwTemsu

coderabbitai Bot commented Feb 4, 2026

Walkthrough

A changeset entry and a package.json dependency update that bumps minimatch to ^10.1.2 to address a vulnerability in the @isaacs/brace-expansion dependency (GHSA-7h2j-956f-4vf2).

Changes

Cohort / File(s)                                   Summary
Changeset & Manifest                               Adds a changeset and updates the minimatch dependency constraint from `^9.0.3
/.changeset/clever-terms-retire.md, package.json

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • JounQin

Poem

🐰 A tiny hop to patch the seam,
Minimatch patched, secure the stream,
Brace-expansion tucked away,
This rabbit cheers for safer day,
🍃🔧✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name           Status      Explanation
Description Check    ✅ Passed   Check skipped - CodeRabbit's high-level summary is enabled.
Title check          ✅ Passed   The title directly and clearly summarizes the main change: bumping minimatch version 10 to 10.1.2 to address a critical vulnerability, which aligns with the changeset and package.json modifications.
Docstring Coverage   ✅ Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


No actionable comments were generated in the recent review. 🎉



@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@package.json`:
- Line 84: The package.json dependency for "minimatch" incorrectly references a non-existent version and may pull a vulnerable `@isaacs/brace-expansion`; update the "minimatch" version constraint to a published release that transitively depends on `@isaacs/brace-expansion` >= 5.0.1 (e.g., change the constraint to the latest 10.0.3 or a safe range) or add a package-manager specific override/patch (npm overrides, yarn resolutions, or pnpm overrides) to force `@isaacs/brace-expansion`@>=5.0.1; modify the entry for "minimatch" and add the override/resolution block in package.json so the dependency tree no longer includes `@isaacs/brace-expansion`@5.0.0.
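An added check, not code from this PR or from eslint-plugin-import-x, that does the verification the reviews above ask for: it scans a lockfile's resolved versions of @isaacs/brace-expansion against the advisory's patched range (>=5.0.1) and reports nested copies that a top-level look would miss. It assumes npm's lockfileVersion 3 layout (a `packages` map keyed by install path; yarn's lockfile differs) and uses constructed sample lockfiles, not the project's own.

```javascript
// Added example (not from the PR or eslint-plugin-import-x): audit the resolved versions of
// a transitive dependency in an npm lockfile (v3 "packages" keyed by install path).
const ADVISORY_PKG = '@isaacs/brace-expansion';
const PATCHED_MIN = '5.0.1'; // GHSA-7h2j-956f-4vf2: patched versions >=5.0.1

// Numeric x.y.z comparison; prerelease tags are not handled (assumes release versions only).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Keys look like "node_modules/a/node_modules/@scope/b": the name is everything after the last "node_modules/".
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Every install path whose resolved version of `name` is below `patchedMin` (nested copies included).
function findVulnerable(lock, name, patchedMin) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || packageNameFromKey(key) !== name) continue; // '' is the root project
    if (compareSemver(entry.version, patchedMin) < 0) {
      hits.push({ path: key, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfiles (versions chosen for illustration, not taken from the project): before the
// bump an unpatched copy is nested under minimatch while the hoisted copy is already patched.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'example-app', version: '0.0.0' },
  'node_modules/minimatch': { version: '10.0.1' },
  'node_modules/minimatch/node_modules/@isaacs/brace-expansion': { version: '5.0.0' },
  'node_modules/@isaacs/brace-expansion': { version: '5.0.1' },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'example-app', version: '0.0.0' },
  'node_modules/minimatch': { version: '10.1.2' },
  'node_modules/@isaacs/brace-expansion': { version: '5.0.1' },
} };
```

Run `findVulnerable(lock, ADVISORY_PKG, PATCHED_MIN)` on a parsed package-lock.json: an empty result means no copy of the package below the patched version remains anywhere in the tree.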

@SukkaW SukkaW left a comment

I have approved the workflow to run. If all tests passed, then it should be OK to merge.


@SukkaW SukkaW left a comment

Since the CI failed, I am blocking the PR.

codesandbox-ci Bot commented Feb 9, 2026

This pull request is automatically built and testable in CodeSandbox.


@andrewgaun andrewgaun requested a review from SukkaW February 9, 2026 16:20
@andrewgaun (Contributor, Author) commented:

First time using yarn 😅

pkg-pr-new Bot commented Feb 12, 2026

npm i https://pkg.pr.new/eslint-plugin-import-x@450

commit: 61d2d12

50bbx commented Feb 19, 2026

The update should go to version 10.2.1 because of CVE-2026-26996

@andrewgaun (Contributor, Author) commented:

@SukkaW sorry about the back and forth. Never used yarn before and forgot to update the lock file before the original request 😅

@JounQin JounQin enabled auto-merge (squash) February 26, 2026 09:54
@JounQin JounQin disabled auto-merge February 26, 2026 09:55
@JounQin JounQin merged commit a51be0f into un-ts:master Feb 26, 2026
46 checks passed
4 participants