[Snyk] Security upgrade minimatch from 10.0.3 to 10.2.1#8036

Open
rubenfiszel wants to merge 1 commit into main from snyk-fix-a856df98f2081e9ca6c1a03e370e9ee8

Conversation

@rubenfiszel
Contributor


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • frontend/package.json
  • frontend/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue: high severity Regular Expression Denial of Service (ReDoS), SNYK-JS-MINIMATCH-15309438

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Feb 20, 2026

Deploying windmill with Cloudflare Pages

Latest commit: bcd78f1
Status: ✅  Deploy successful!
Preview URL: https://772dcc74.windmill.pages.dev
Branch Preview URL: https://snyk-fix-a856df98f2081e9ca6c.windmill.pages.dev


@claude
Contributor

claude bot commented Feb 20, 2026

Claude finished @rubenfiszel's task in 1m 36s — View job


Review: [Snyk] Security upgrade minimatch from 10.0.3 to 10.2.1

  • Analyze PR changes (package.json and package-lock.json)
  • Check for breaking changes in minimatch upgrade
  • Verify dependency integrity
  • Provide review feedback

Summary

This is an automated Snyk security fix that upgrades minimatch from 10.0.3 to 10.2.1 to address a Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-MINIMATCH-15309438).

Changes

frontend/package.json: Version specifier changed from ^10.0.1 to ^10.2.1

frontend/package-lock.json:

  • Resolved version: 10.0.3 to 10.2.1
  • Dependency tree change: Old version used @isaacs/brace-expansion + @isaacs/balanced-match (now removed). New version uses brace-expansion@5.0.2 + balanced-match@4.0.3 (nested under node_modules/minimatch/node_modules/)
  • Various unrelated peer: true / dev: true annotation changes from npm lock file regeneration (cosmetic metadata churn, no functional impact)

Code Impact

minimatch is used in exactly one place in the frontend: frontend/src/lib/utils_deployable.ts:59:

deployUiSettings.include_path.every((x) => !minimatch(path, x))

This performs glob pattern matching on workspace deploy UI settings paths. The minimatch() function API is unchanged between 10.0.x and 10.2.x — this is a semver-compatible minor upgrade.

Assessment

Area              Status
Security          Fixes ReDoS vulnerability in regex pattern matching
Breaking changes  None — semver minor bump, API is backward compatible
Performance       The ReDoS fix improves worst-case regex performance
Risk              Low — single usage site, no API changes

LGTM. This is a straightforward, low-risk security patch. The lock file diff is noisy due to npm metadata regeneration, but the actual functional change is just the minimatch version bump and its transitive dependency update.

Testing Instructions

The minimatch library is used in the workspace deploy UI settings to filter deployable items by path patterns. To verify: navigate to a workspace's settings, configure Deploy UI settings with path include patterns (glob patterns like f/*), then check that scripts/flows/apps matching those patterns are still correctly filtered in the deploy view. The behavior should be identical to before the upgrade.
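The include_path filter described above, as an added example that is not part of the PR or of Windmill's code: it mirrors the `every((x) => !minimatch(path, x))` expression from utils_deployable.ts over constructed paths and settings, using a small regex-free glob matcher (only `*`, `?` and `**`, an assumption and a stand-in, not the minimatch package) so that matching is bounded by path length times pattern length and cannot backtrack catastrophically.

```javascript
// Match one path segment against one pattern segment.
// '*' matches any run of characters within the segment, '?' exactly one.
// Greedy wildcard matching with backtracking to the last '*': O(n*m), no regex.
function matchSegment(seg, pat) {
  let s = 0, p = 0, starP = -1, starS = -1;
  while (s < seg.length) {
    if (p < pat.length && (pat[p] === '?' || pat[p] === seg[s])) { s++; p++; }
    else if (p < pat.length && pat[p] === '*') { starP = p++; starS = s; }
    else if (starP !== -1) { p = starP + 1; s = ++starS; }
    else return false;
  }
  while (p < pat.length && pat[p] === '*') p++;
  return p === pat.length;
}

// Match a whole '/'-separated path against a pattern; '**' matches zero or
// more segments. Dynamic programming over segments keeps the cost at
// O(segments * patternSegments) regardless of how many '**' the pattern has.
function globMatch(path, pattern) {
  const segs = path.split('/');
  const pats = pattern.split('/');
  let prev = new Array(pats.length + 1).fill(false);
  prev[0] = true; // empty pattern matches empty path
  for (let j = 1; j <= pats.length; j++) prev[j] = prev[j - 1] && pats[j - 1] === '**';
  for (let i = 1; i <= segs.length; i++) {
    const cur = new Array(pats.length + 1).fill(false);
    for (let j = 1; j <= pats.length; j++) {
      cur[j] = pats[j - 1] === '**'
        ? cur[j - 1] || prev[j]                                   // '**' takes 0 or 1+ segments
        : prev[j - 1] && matchSegment(segs[i - 1], pats[j - 1]);  // literal/wildcard segment
    }
    prev = cur;
  }
  return prev[pats.length];
}

// Same shape as the expression in frontend/src/lib/utils_deployable.ts:
//   deployUiSettings.include_path.every((x) => !minimatch(path, x))
// true when the path matches NONE of the configured include patterns.
function matchesNoIncludePattern(path, includePath) {
  return includePath.every((x) => !globMatch(path, x));
}

// Constructed sample data (not Windmill data): deploy UI settings with two
// include patterns, and a few item paths as they would appear in a workspace.
const SAMPLE_SETTINGS = { include_path: ['f/api/*', 'f/jobs/**'] };
const SAMPLE_PATHS = ['f/api/fetch_users', 'f/api/sub/cleanup', 'u/alice/scratch', 'f/jobs/nightly'];

// Keep only the items that at least one include pattern matches.
function deployablePaths(paths, settings) {
  return paths.filter((p) => !matchesNoIncludePattern(p, settings.include_path));
}

console.log(deployablePaths(SAMPLE_PATHS, SAMPLE_SETTINGS)); // [ 'f/api/fetch_users', 'f/jobs/nightly' ]
```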
