
chore: upgrade picomatch to ^4.0.4 to address CVE-2026-33671, CVE-2026-33672 #1283

Merged
brendan-kellam merged 2 commits into main from cursor/cve/picomatch on Jun 8, 2026

Conversation

brendan-kellam (Contributor) commented Jun 5, 2026

Fixes SOU-1280
Fixes SOU-1281

Refreshes yarn.lock so all picomatch instances resolve to patched versions. The 4.x line now resolves to 4.0.4 (previously a stale ^4.0.3 requester pinned 4.0.3) and the 2.x line resolves to 2.3.2. No resolutions change was needed since the existing ranges already admit the patched versions.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Upgraded a pattern-matching dependency to improve stability and reliability, reducing crashes and addressing related issues.

…6-33672

Refreshed the yarn.lock so all picomatch instances resolve to patched
versions: 4.x at 4.0.4 and 2.x at 2.3.2.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
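One way to check the claim made in the PR description, that every picomatch entry in yarn.lock now resolves to a patched version and no stale requester range still pins 4.0.3, is to audit the lockfile directly. The script below is an added example and is not code from the Sourcebot repository or from picomatch. The patched floors (4.x at 4.0.4, 2.x at 2.3.2) are taken from the PR description above, not from the advisories; support for both classic (v1) and Berry lockfile syntax is an assumption about the project's Yarn version; and the BEFORE_LOCK / AFTER_LOCK fragments are constructed samples, not the real yarn.lock.

```javascript
// Added example, not code from the sourcebot repository or from picomatch.
// Patched floors come from the PR description (4.x -> 4.0.4, 2.x -> 2.3.2);
// other major lines are reported as "unknown" because the PR says nothing
// about them. Handling both classic (v1) and Berry lockfile syntax is an
// assumption about which Yarn version the project uses.

const PATCHED_FLOOR = { 4: '4.0.4', 2: '2.3.2' };

// Numeric dotted-version comparison: returns -1, 0 or 1. Pre-release
// suffixes are dropped, which is enough for published picomatch releases.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lock key such as picomatch@^4.0.3,
// "picomatch@npm:^2.3.1" or @scope/name@1.0.0 (scoped names keep the leading @).
function packageName(key) {
  const k = key.replace(/^"|"$/g, '');
  const at = k.lastIndexOf('@');
  return at > 0 ? k.slice(0, at) : k;
}

// Parse a yarn.lock into [{ keys, version }] records, one per resolved entry.
// A header line is unindented, ends with ':' and lists the requester ranges
// that collapsed onto the version named in the indented lines below it.
function parseYarnLock(text) {
  const records = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split('\n').filter((l) => l.trim() && !l.trim().startsWith('#'));
    if (!lines.length || /^\s/.test(lines[0]) || !lines[0].trimEnd().endsWith(':')) continue;
    const keys = lines[0].trimEnd().slice(0, -1).split(/,\s*/).map((k) => k.trim());
    const m = block.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/m);
    if (!m) continue;
    records.push({ keys, version: m[1] });
  }
  return records;
}

// Returns { entries, allPatched }. Each entry lists the requester ranges that
// resolved to one picomatch version and whether that version meets the floor
// for its major line. allPatched is false when no picomatch entry was found,
// so an empty or unrelated lockfile is never reported as safe.
function auditPicomatch(lockText) {
  const entries = parseYarnLock(lockText)
    .filter((r) => r.keys.some((k) => packageName(k) === 'picomatch'))
    .map((r) => {
      const major = parseInt(r.version.split('.')[0], 10);
      const floor = PATCHED_FLOOR[major];
      let status = 'unknown';
      if (floor !== undefined) {
        status = compareVersions(r.version, floor) >= 0 ? 'patched' : 'vulnerable';
      }
      return { ranges: r.keys.map((k) => k.replace(/^"|"$/g, '')), version: r.version, status };
    });
  const allPatched = entries.length > 0 && entries.every((e) => e.status === 'patched');
  return { entries, allPatched };
}

// Constructed sample lockfile fragments (not the real yarn.lock). BEFORE_LOCK
// models the pre-PR state the description mentions: a stale ^4.0.3 requester
// pinning 4.0.3. AFTER_LOCK models the refreshed lock.
const BEFORE_LOCK = `# yarn lockfile v1

picomatch@^2.3.1:
  version "2.3.1"

"picomatch@^4.0.3":
  version "4.0.3"

"@scope/picomatch-plugin@^1.0.0":
  version "1.0.0"
`;

const AFTER_LOCK = `# yarn lockfile v1

picomatch@^2.3.1:
  version "2.3.2"

"picomatch@^4.0.3", "picomatch@^4.0.4":
  version "4.0.4"
`;

for (const [label, text] of [['before', BEFORE_LOCK], ['after', AFTER_LOCK]]) {
  const result = auditPicomatch(text);
  console.log(label, result.allPatched ? 'all patched' : 'NOT patched', JSON.stringify(result.entries));
}
```

Run it against the repository's own yarn.lock by replacing the constructed fragments with the file contents. Two caveats a reviewer would want stated: the check reads the lockfile only, so it says nothing about what is actually installed in node_modules, and it can only confirm a refresh worked when every requester range already admits the patched version, which is exactly the condition the PR description relies on. If some range does not (for example a hard pin to 4.0.3), refreshing the lock cannot fix it and a `resolutions` entry in package.json is needed, which is the route the related PR #1092 mentioned by CodeRabbit took.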
@brendan-kellam brendan-kellam force-pushed the cursor/cve/picomatch branch from de0bd55 to bfb1721 Compare June 5, 2026 00:54
coderabbitai Bot (Contributor) commented Jun 5, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ce035d50-4ea1-410b-a830-410df0876b7b

📥 Commits

Reviewing files that changed from the base of the PR and between bfb1721 and 631778e.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

CHANGELOG.md records a single dependency update: picomatch upgraded to ^4.0.4 in the [Unreleased] Fixed section.

Changes

Changelog Update (CHANGELOG.md): a bullet point entry is added under [Unreleased] → Fixed documenting the picomatch upgrade to ^4.0.4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • sourcebot-dev/sourcebot#1092: Both PRs involve the same picomatch dependency bump to ^4.0.4; the main PR documents it in CHANGELOG.md while the retrieved PR applies it via Yarn resolutions.
🚥 Pre-merge checks: 5 passed

  • Description Check ✅ Passed: check skipped, CodeRabbit's high-level summary is enabled.
  • Title check ✅ Passed: the title accurately describes the main change: upgrading the picomatch dependency to address specific CVE vulnerabilities, which aligns perfectly with the PR's objective of fixing security issues.
  • Docstring Coverage ✅ Passed: no functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check ✅ Passed: check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: check skipped because no linked issues were found for this pull request.


github-actions Bot (Contributor) commented Jun 5, 2026

License Audit

Status: FAIL

Metric Count
Total packages 2132
Resolved (non-standard) 19
Unresolved 1
Strong copyleft 0
Weak copyleft 38

Fail Reasons

  • 1 package has an unresolvable license: element-source

Unresolved Packages

Package Version License Reason
element-source 0.0.3 UNKNOWN No repository, homepage, or readme declared on the npm registry for any published version, and no license field in any version's metadata. Nothing available to resolve against.

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (19)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo (github.com/aidenybai/react-grab) LICENSE file
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo (github.com/aidenybai/react-grab) LICENSE file
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo (github.com/aidenybai/react-grab) LICENSE file
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 GitHub repo (github.com/livebook-dev/codemirror-lang-elixir) LICENSE; npm registry latest also reports Apache-2.0
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 GitHub repo (github.com/livebook-dev/lezer-elixir) LICENSE; npm registry latest also reports Apache-2.0
map-stream 0.1.0 UNKNOWN MIT npm registry (later versions declare MIT) and GitHub repo (github.com/dominictarr/map-stream) LICENCE file
memorystream 0.3.1 UNKNOWN MIT npm registry licenses[] field {type:MIT} and GitHub repo (github.com/JSBizon/node-memorystream) LICENSE
valid-url 1.0.9 UNKNOWN MIT GitHub repo (github.com/ogt/valid-url) LICENSE file states MIT license
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo (github.com/PostHog/posthog-js) LICENSE file is Apache License 2.0
pause-stream 0.0.11 ["MIT","Apache2"] MIT OR Apache-2.0 Extracted from license array in package metadata (dual MIT / Apache-2.0)
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT GitHub repo (github.com/getsentry/sentry-cli) LICENSE confirms Functional Source License 1.1, MIT Future License (source-available, not copyleft)

@brendan-kellam brendan-kellam merged commit 07a5bb1 into main Jun 8, 2026
6 of 8 checks passed
@brendan-kellam brendan-kellam deleted the cursor/cve/picomatch branch June 8, 2026 23:38