Frontend: Retire redundant minimatch override

The "minimatch@~3.0": "^3.1.3" override was added on 2026-04-27 to
force-patch the ReDoS chain when postcss-url's locked minimatch@3.0.8
was the active vulnerability. With postcss-url removed, no consumer
in the tree pins to ~3.0.x anymore — every remaining minimatch
request (^3.0.4 from babel-plugin-istanbul/test-exclude and
eslint-plugin-node, ^3.1.5 from the eslint family, ^9.0.4 / ^10.1.1
from modern tooling) resolves naturally to a patched version.

Verification: removing the override leaves the lockfile byte-identical
("up to date in 932ms"), npm audit reports zero vulnerabilities, and
all installed minimatch versions are 3.1.5 / 5.1.x / 9.0.9 / 10.2.5
(no <3.1.4 entry). Build and 1055 vitest tests pass.
This commit is contained in:
Michael Mayer 2026-05-05 10:13:03 +00:00
parent 4410269cc2
commit eb49c285d7
3 changed files with 3 additions and 6 deletions

View file

@ -40,10 +40,9 @@ Other frontend documentation lives next to this file:
`frontend/package.json` and root `package.json` declare matching `overrides`. Mirroring them keeps the npm workspace lockfile resolution consistent.
| Override | Reason |
|------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `"minimatch@~3.0": "^3.1.3"` | Forces transitive `minimatch` resolutions onto the patched 3.1.x line. Defends against the ReDoS chain (`GHSA-3ppc-4f35-3m26`, `GHSA-7r86-cg39-jmmj`, `GHSA-23c5-xmqv-rm74`). |
| `"serialize-javascript": "^7.0.5"` | Closes the `workbox-build``@rollup/plugin-terser``serialize-javascript` RCE advisory (`GHSA-5c6j-r48x-rmvq`, `GHSA-qj8w-gfj5-8c6v`). |
| Override | Reason |
|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| `"serialize-javascript": "^7.0.5"` | Closes the `workbox-build``@rollup/plugin-terser``serialize-javascript` RCE advisory (`GHSA-5c6j-r48x-rmvq`, `GHSA-qj8w-gfj5-8c6v`). |
When an upstream advisory is fully resolved, retire the override and rerun `make audit` plus a focused build/test pass before committing the cleanup.

View file

@ -137,7 +137,6 @@
"yarn": "please use npm"
},
"overrides": {
"minimatch@~3.0": "^3.1.3",
"serialize-javascript": "^7.0.5"
}
}

View file

@ -2,7 +2,6 @@
"name": "photoprism",
"private": true,
"overrides": {
"minimatch@~3.0": "^3.1.3",
"serialize-javascript": "^7.0.5"
},
"workspaces": [