From 8f484b00b85e7a000dfdbe7c163242ee831468a5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 00:19:43 +0000 Subject: [PATCH 1/3] Bump minimatch in /webpack/webpack4-localization-plugin Bumps [minimatch](https://github.com/isaacs/minimatch) from 10.1.2 to 10.2.1. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](https://github.com/isaacs/minimatch/compare/v10.1.2...v10.2.1) --- updated-dependencies: - dependency-name: minimatch dependency-version: 10.2.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- webpack/webpack4-localization-plugin/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webpack/webpack4-localization-plugin/package.json b/webpack/webpack4-localization-plugin/package.json index 037a845b38..9624dabec7 100644 --- a/webpack/webpack4-localization-plugin/package.json +++ b/webpack/webpack4-localization-plugin/package.json @@ -60,7 +60,7 @@ "@rushstack/terminal": "workspace:*", "@types/tapable": "1.0.6", "loader-utils": "1.4.2", - "minimatch": "10.1.2" + "minimatch": "10.2.1" }, "devDependencies": { "@rushstack/heft": "workspace:*", From 6fa452b21d9141548b9184b5580aae32d65e6be8 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Feb 2026 19:10:25 -0800 Subject: [PATCH 2/3] Bump minimatch from 10.1.2 to 10.2.1 with changelog entries and updated lockfile (#5652) * Initial plan * Add changelog entry for minimatch bump in webpack4-localization-plugin Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com> * Run rush update and bump minimatch to 10.2.1 across all affected packages Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com> --- apps/api-extractor/package.json | 2 +- .../bump-minimatch_2026-02-20-02-51.json | 10 +++++ .../bump-minimatch_2026-02-20-02-51.json | 10 +++++ .../bump-minimatch_2026-02-20-02-51.json | 10 +++++ .../subspaces/default/common-versions.json | 2 +- .../config/subspaces/default/pnpm-lock.yaml | 40 ++++++++++++++----- .../config/subspaces/default/repo-state.json | 4 +- libraries/package-extractor/package.json | 2 +- 8 files changed, 66 insertions(+), 14 deletions(-) create mode 100644 common/changes/@microsoft/api-extractor/bump-minimatch_2026-02-20-02-51.json create mode 100644 common/changes/@rushstack/package-extractor/bump-minimatch_2026-02-20-02-51.json create mode 100644 common/changes/@rushstack/webpack4-localization-plugin/bump-minimatch_2026-02-20-02-51.json diff --git a/apps/api-extractor/package.json b/apps/api-extractor/package.json index a6338cf7e0..f4678bb4ef 100644 --- a/apps/api-extractor/package.json +++ b/apps/api-extractor/package.json @@ -70,7 +70,7 @@ "@rushstack/ts-command-line": "workspace:*", "diff": "~8.0.2", "lodash": "~4.17.23", - "minimatch": "10.1.2", + "minimatch": "10.2.1", "resolve": "~1.22.1", "semver": "~7.5.4", "source-map": "~0.6.1", diff --git a/common/changes/@microsoft/api-extractor/bump-minimatch_2026-02-20-02-51.json b/common/changes/@microsoft/api-extractor/bump-minimatch_2026-02-20-02-51.json new file mode 100644 index 0000000000..a7d88cd28d --- /dev/null +++ b/common/changes/@microsoft/api-extractor/bump-minimatch_2026-02-20-02-51.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@microsoft/api-extractor", + "comment": "Bump minimatch from 10.1.2 to 10.2.1", + "type": "patch" + } + ], + "packageName": "@microsoft/api-extractor" +} diff --git a/common/changes/@rushstack/package-extractor/bump-minimatch_2026-02-20-02-51.json b/common/changes/@rushstack/package-extractor/bump-minimatch_2026-02-20-02-51.json new file mode 100644 index 0000000000..5e488b2595 --- /dev/null +++ b/common/changes/@rushstack/package-extractor/bump-minimatch_2026-02-20-02-51.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@rushstack/package-extractor", + "comment": "Bump minimatch from 10.1.2 to 10.2.1", + "type": "patch" + } + ], + "packageName": "@rushstack/package-extractor" +} diff --git a/common/changes/@rushstack/webpack4-localization-plugin/bump-minimatch_2026-02-20-02-51.json b/common/changes/@rushstack/webpack4-localization-plugin/bump-minimatch_2026-02-20-02-51.json new file mode 100644 index 0000000000..3daa06207b --- /dev/null +++ b/common/changes/@rushstack/webpack4-localization-plugin/bump-minimatch_2026-02-20-02-51.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@rushstack/webpack4-localization-plugin", + "comment": "Bump minimatch from 10.1.2 to 10.2.1", + "type": "patch" + } + ], + "packageName": "@rushstack/webpack4-localization-plugin" +} diff --git a/common/config/subspaces/default/common-versions.json b/common/config/subspaces/default/common-versions.json index cb1dcad9f6..a688a847ba 100644 --- a/common/config/subspaces/default/common-versions.json +++ b/common/config/subspaces/default/common-versions.json @@ -35,7 +35,7 @@ "eslint": "~9.37.0", // Updated minimatch and its types to latest major version to resolve ReDoS vulnerability - "minimatch": "10.1.2" + "minimatch": "10.2.1" }, /** diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index 23310be4ce..b992ec346b 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -89,8 +89,8 @@ importers: specifier: ~4.17.23 version: 4.17.23 minimatch: - specifier: 10.1.2 - version: 10.1.2 + specifier: 10.2.1 + version: 10.2.1 resolve: specifier: ~1.22.1 version: 1.22.11 @@ -3956,8 +3956,8 @@ importers: specifier: ~3.8.0 version: 3.8.0 minimatch: - specifier: 10.1.2 - version: 10.1.2 + specifier: 10.2.1 + version: 10.2.1 npm-packlist: specifier: ~5.1.3 version: 5.1.3 @@ -5608,8 +5608,8 @@ importers: specifier: 1.4.2 version: 1.4.2 minimatch: - specifier: 10.1.2 - version: 10.1.2 + specifier: 10.2.1 + version: 10.2.1 devDependencies: '@rushstack/heft': specifier: workspace:* @@ -11186,6 +11186,10 @@ packages: balanced-match@1.0.2: resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} + balanced-match@4.0.3: + resolution: {integrity: sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==} + engines: {node: 20 || >=22} + base64-js@1.5.1: resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==} @@ -11289,6 +11293,10 @@ packages: brace-expansion@2.0.2: resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==} + brace-expansion@5.0.2: + resolution: {integrity: sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==} + engines: {node: 20 || >=22} + braces@2.3.2: resolution: {integrity: sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==} engines: {node: '>=0.10.0'} @@ -15153,6 +15161,10 @@ packages: resolution: {integrity: sha512-fu656aJ0n2kcXwsnwnv9g24tkU5uSmOlTjd6WyyaKm2Z+h1qmY6bAjrcaIxF/BslFqbZ8UBtbJi7KgQOZD2PTw==} engines: {node: 20 || >=22} + minimatch@10.2.1: + resolution: {integrity: sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==} + engines: {node: 20 || >=22} + minimatch@3.1.2: resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} @@ -26180,7 +26192,7 @@ snapshots: '@types/minimatch@6.0.0': dependencies: - minimatch: 10.1.2 + minimatch: 10.2.1 '@types/mocha@10.0.6': {} @@ -27861,6 +27873,8 @@ snapshots: balanced-match@1.0.2: {} + balanced-match@4.0.3: {} + base64-js@1.5.1: {} base@0.11.2: @@ -28013,6 +28027,10 @@ snapshots: dependencies: balanced-match: 1.0.2 + brace-expansion@5.0.2: + dependencies: + balanced-match: 4.0.3 + braces@2.3.2: dependencies: arr-flatten: 1.1.0 @@ -30127,7 +30145,7 @@ snapshots: eslint@8.57.1: dependencies: - '@eslint-community/eslint-utils': 4.9.1(eslint@8.57.1) + '@eslint-community/eslint-utils': 4.9.1(eslint@9.37.0) '@eslint-community/regexpp': 4.12.2 '@eslint/eslintrc': 2.1.4 '@eslint/js': 8.57.1 @@ -31136,7 +31154,7 @@ snapshots: dependencies: foreground-child: 3.3.1 jackspeak: 4.1.1 - minimatch: 10.1.2 + minimatch: 10.2.1 minipass: 7.1.2 package-json-from-dist: 1.0.1 path-scurry: 2.0.1 @@ -33267,6 +33285,10 @@ snapshots: dependencies: '@isaacs/brace-expansion': 5.0.1 + minimatch@10.2.1: + dependencies: + brace-expansion: 5.0.2 + minimatch@3.1.2: dependencies: brace-expansion: 1.1.12 diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index e0aab37184..9b13d6b9d1 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json @@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "a97a152eec27dd54ce31e3973f851f572c326c76", - "preferredVersionsHash": "9ba05fe872434900a0b29c308a94015078f37c47" + "pnpmShrinkwrapHash": "425296840bc63395649600913e66041583bdc287", + "preferredVersionsHash": "93bf435032db8da4a18734f1eaa359c12ad147c1" } diff --git a/libraries/package-extractor/package.json b/libraries/package-extractor/package.json index e9ce4e45b8..fdd41e9e8a 100644 --- a/libraries/package-extractor/package.json +++ b/libraries/package-extractor/package.json @@ -46,7 +46,7 @@ "@rushstack/ts-command-line": "workspace:*", "ignore": "~5.1.6", "jszip": "~3.8.0", - "minimatch": "10.1.2", + "minimatch": "10.2.1", "npm-packlist": "~5.1.3", "semver": "~7.5.4" }, From 1ccb5d8ef544fd9c8e84d1a57ba0ea724c146be2 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Thu, 19 Feb 2026 19:58:28 -0800 Subject: [PATCH 3/3] =?UTF-8?q?Fix=20build-tests-subspace=20lockfile=20out?= =?UTF-8?q?=20of=20date=20after=20minimatch=2010.1.2=20=E2=86=92=2010.2.1?= =?UTF-8?q?=20bump=20(#5653)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Initial plan * Fix build-tests-subspace lockfile for minimatch 10.2.1 upgrade Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: iclanton <5010588+iclanton@users.noreply.github.com> --- .../build-tests-subspace/pnpm-lock.yaml | 26 +++++++++++++++++-- .../build-tests-subspace/repo-state.json | 4 +-- 2 files changed, 26 insertions(+), 4 deletions(-) diff --git a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml index 20a003826b..cf41ad60f8 100644 --- a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml +++ b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml @@ -1348,6 +1348,10 @@ packages: balanced-match@1.0.2: resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} + balanced-match@4.0.3: + resolution: {integrity: sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==} + engines: {node: 20 || >=22} + base64-js@1.5.1: resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==} @@ -1374,6 +1378,10 @@ packages: brace-expansion@2.0.2: resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==} + brace-expansion@5.0.2: + resolution: {integrity: sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==} + engines: {node: 20 || >=22} + braces@3.0.3: resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} engines: {node: '>=8'} @@ -2679,6 +2687,10 @@ packages: resolution: {integrity: sha512-fu656aJ0n2kcXwsnwnv9g24tkU5uSmOlTjd6WyyaKm2Z+h1qmY6bAjrcaIxF/BslFqbZ8UBtbJi7KgQOZD2PTw==} engines: {node: 20 || >=22} + minimatch@10.2.1: + resolution: {integrity: sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==} + engines: {node: 20 || >=22} + minimatch@3.1.2: resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} @@ -4171,7 +4183,7 @@ snapshots: '@rushstack/ts-command-line': file:../../../libraries/ts-command-line(@types/node@20.17.19) diff: 8.0.3 lodash: 4.17.23 - minimatch: 10.1.2 + minimatch: 10.2.1 resolve: 1.22.11 semver: 7.5.4 source-map: 0.6.1 @@ -4766,7 +4778,7 @@ snapshots: '@rushstack/ts-command-line': file:../../../libraries/ts-command-line(@types/node@20.17.19) ignore: 5.1.9 jszip: 3.8.0 - minimatch: 10.1.2 + minimatch: 10.2.1 npm-packlist: 5.1.3 semver: 7.5.4 transitivePeerDependencies: @@ -5465,6 +5477,8 @@ snapshots: balanced-match@1.0.2: {} + balanced-match@4.0.3: {} + base64-js@1.5.1: {} baseline-browser-mapping@2.9.18: {} @@ -5495,6 +5509,10 @@ snapshots: dependencies: balanced-match: 1.0.2 + brace-expansion@5.0.2: + dependencies: + balanced-match: 4.0.3 + braces@3.0.3: dependencies: fill-range: 7.1.1 @@ -7238,6 +7256,10 @@ snapshots: dependencies: '@isaacs/brace-expansion': 5.0.1 + minimatch@10.2.1: + dependencies: + brace-expansion: 5.0.2 + minimatch@3.1.2: dependencies: brace-expansion: 1.1.12 diff --git a/common/config/subspaces/build-tests-subspace/repo-state.json b/common/config/subspaces/build-tests-subspace/repo-state.json index f7bbb31d01..6319011810 100644 --- a/common/config/subspaces/build-tests-subspace/repo-state.json +++ b/common/config/subspaces/build-tests-subspace/repo-state.json @@ -1,6 +1,6 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "2e83a5ce6283e922a1f2904047c3b52f6323a37c", + "pnpmShrinkwrapHash": "970749d264e69bf8ff6a9fb6007b379832c9ac09", "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9", - "packageJsonInjectedDependenciesHash": "4efa246b20efc7e2e5b0a203952794918e1358d3" + "packageJsonInjectedDependenciesHash": "0124c511e290517bf309935112b2dbab981575bb" }