Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is kicking off a free Cloud Agent to fix this issue. This run is complimentary, but you can enable autofix for all future PRs in the Cursor dashboard.
| minimatch@9.0.5: | ||
| dependencies: | ||
| brace-expansion: 2.0.2 | ||
| brace-expansion: 5.0.3 |
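Review bot: the brace-expansion entry under minimatch 9.x is listed at both 2.0.2 and 5.0.3, a major-version move in a transitive dependency, and nothing beside the change records why. State in the PR description which override or upstream release drives it, and add a test over the brace patterns the repository relies on so the next lockfile refresh is checked the same way.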
Minimatch brace-expansion upgrade may alter glob behavior
Medium Severity
minimatch@9.0.6 now depends on brace-expansion@5.0.3 instead of brace-expansion@2.0.2 used by prior minimatch 9.x. That spans three major versions of brace-expansion, which can change how brace patterns like *.{js,ts} or src/{a,b}/file are expanded. This may affect glob matching used by editorconfig, mocha, glob@10, @typescript-eslint/typescript-estree, and @tufjs/models—e.g. in .editorconfig sections, test discovery, or config path patterns.
Bugbot Autofix determined this is a false positive.
Comparing minimatch 9.0.5 and 9.0.6 across brace-heavy glob patterns used by this repository showed no matching differences, so no code change is required.
This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.
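As an added example (not code from this PR or from pnpm), the script below flags the kind of change the review comment describes: a transitive dependency whose major version moves while its parent stays in the same major line. The lockfile fragments are constructed, `parseDeps` and `majorJumps` are hypothetical helpers, and the line-based parsing assumes pnpm's usual indentation.

```javascript
// Constructed lockfile fragments. The minimatch/brace-expansion versions are the
// ones quoted in the review; example-lib and example-dep are hypothetical.
const OLD_LOCK = `
snapshots:
  minimatch@9.0.5:
    dependencies:
      brace-expansion: 2.0.2
  example-lib@1.0.0:
    dependencies:
      example-dep: 1.2.0
`;
const NEW_LOCK = `
snapshots:
  minimatch@9.0.6:
    dependencies:
      brace-expansion: 5.0.3
  example-lib@1.0.1:
    dependencies:
      example-dep: 1.3.0
`;

// Build Map("name@major" -> Map(dependency -> version)), reading line by line.
// Assumes two-space package keys and six-space dependency entries.
function parseDeps(lockText) {
  const deps = new Map();
  let current = null;
  for (const line of lockText.split('\n')) {
    const pkg = line.match(/^ {2}'?((?:@[^\/]+\/)?[^@\s']+)@(\d+)\.[^:']*'?:\s*$/);
    const dep = line.match(/^ {6}'?([^\s:']+)'?:\s*'?(\d+\.\S*?)'?\s*$/);
    if (pkg) deps.set(`${pkg[1]}@${pkg[2]}`, (current = new Map()));
    else if (dep && current) current.set(dep[1], dep[2]);
    else if (/^\S/.test(line)) current = null; // a new top-level section starts
  }
  return deps;
}

// Report dependencies whose major version differs within the same parent major line.
function majorJumps(oldText, newText) {
  const before = parseDeps(oldText);
  const findings = [];
  for (const [parent, newDeps] of parseDeps(newText)) {
    const oldDeps = before.get(parent) || new Map();
    for (const [dep, to] of newDeps) {
      const from = oldDeps.get(dep);
      if (from && parseInt(from, 10) !== parseInt(to, 10)) findings.push({ parent, dep, from, to });
    }
  }
  return findings;
}
console.log(majorJumps(OLD_LOCK, NEW_LOCK));
```

A finding here is a prompt to compare behaviour on the repository's own glob patterns, as the follow-up comment did, not proof of a regression.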


🚀 Summary
A brief summary of what this PR changes.
📌 Related issues
💡 Additional information
Optional: Notes on decisions, edge cases, or anything helpful for reviewers.
Note
Medium Risk
Lockfile-only dependency bumps (notably rollup/webpack and their plugin ecosystems) can change build/test output across packages despite no code changes. Added version overrides may also affect downstream resolution behavior across the workspace.
Overview
Updates workspace dependency resolution and lockfile to newer versions across the toolchain, including rollup 4.52.4 → 4.59.0 and webpack 5.101.1 → 5.105.2, plus associated loaders/plugins.
Adjusts pnpm overrides in pnpm-workspace.yaml/pnpm-lock.yaml to pin ranges for diff@^7, minimatch@^9, and qs@^6, and refreshes numerous transitive packages accordingly.
Written by Cursor Bugbot for commit 489ce0f. This will update automatically on new commits.