
Fix Dependabot npm security alerts: minimatch ReDoS, serialize-javascript RCE, cookie, webpack SSRF#230

Open

Copilot wants to merge 2 commits into main from copilot/fix-security-issues

Conversation

Copilot AI commented Mar 5, 2026

Addresses multiple open Dependabot security alerts in transitive npm dependencies by adding targeted overrides in package.json and regenerating package-lock.json. Reduces vulnerability count from 38 → 15.

Fixed

| Package | Was | Now | Vulnerability |
|---|---|---|---|
| minimatch (3.x) | 3.1.2 | 3.1.5 | ReDoS |
| minimatch (9.x, via jest/glob@10) | 9.0.5 | 9.0.9 | ReDoS |
| minimatch (10.x, via rimraf/glob@13) | 10.1.1 | 10.2.4 | ReDoS |
| serialize-javascript | 5.0.1 / 6.0.2 | 7.0.4 | RCE |
| cookie | 0.5.0 | 0.7.2 | GHSA-pxg6-pf52-xh8x |
| webpack | 5.98.0 | 5.105.4 | SSRF (GHSA-8fgc-7cc6-rx7x, GHSA-38r7-794h-5758) |

Overrides strategy

Minimatch spans three incompatible major versions across the dependency tree. A flat override would break packages like test-exclude that call minimatch() as a function (API removed in v9+). The fix uses version-scoped glob overrides to target only the affected subtrees:

```json
"overrides": {
  "minimatch": "^3.1.4",
  "glob@^10": { "minimatch": "^9.0.7" },
  "glob@^13": { "minimatch": "^10.2.3" }
}
```

Remaining (15 alerts — cannot fix without breaking gatsby)

  • @parcel/reporter-dev-server@2.8.3 — exact-pinned by gatsby-parcel-config
  • immutable@3.7.6 — required as ~3.7.6 by @ardatan/relay-compiler
  • tmp@0.0.33 (in external-editor) — required as ^0.0.33, incompatible with patched 0.2.x API

Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/morganstanley/makerspace/dependabot/alerts
    • Triggering command: /usr/bin/gh gh api /repos/morganstanley/makerspace/dependabot/alerts --jq .[] | {number: .number, state: .state, severity: .security_advisory.severity, package: .dependency.package.name, ecosystem: .dependency.package.ecosystem, summary: .security_advisory.summary, fix_available: .auto_dismissed_at, fixed_in: (.security_vulnera (http block)
    • Triggering command: /usr/bin/gh gh api /repos/morganstanley/makerspace/dependabot/alerts (http block)

If you need me to access, download, or install something from one of these locations, you can either:


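Added example, not code from this PR or the makerspace repo: a small Node script that walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports every installed `minimatch` copy that sits below the per-major floor the overrides above set (`^3.1.4`, `^9.0.7`, `^10.2.3`), naming the parent package so a further scoped override can be targeted. The lockfile fragment is constructed; the `old-tool` entry is hypothetical.

```javascript
// Floors taken from the "overrides" block in the PR description.
const FLOORS = { 3: "3.1.4", 9: "9.0.7", 10: "10.2.3" };

// Constructed lockfile fragment (not the repo's real package-lock.json).
const lock = {
  packages: {
    "node_modules/minimatch": { version: "3.1.5" },
    "node_modules/glob/node_modules/minimatch": { version: "9.0.9" },
    "node_modules/rimraf/node_modules/glob/node_modules/minimatch": { version: "10.2.4" },
    "node_modules/old-tool/node_modules/minimatch": { version: "9.0.5" }, // hypothetical unpatched copy
  },
};

// Numeric compare of "x.y.z" strings; prerelease/build tags are ignored.
function cmp(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Return every lockfile entry for `name` whose version is below its major's floor,
// or whose major has no floor at all. `parent` is the nearest enclosing package
// ("(root)" for a hoisted top-level copy), i.e. the key a scoped override would use.
function findUnpatched(lockfile, name = "minimatch", floors = FLOORS) {
  const bad = [];
  for (const [p, meta] of Object.entries(lockfile.packages)) {
    if (!p.endsWith(`node_modules/${name}`) || !meta.version) continue;
    const segs = p.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
    const parent = segs.length > 1 ? segs[segs.length - 2] : "(root)";
    const major = Number(meta.version.split(".")[0]);
    const floor = floors[major];
    if (floor === undefined) {
      bad.push({ path: p, version: meta.version, parent, reason: "no floor for this major" });
    } else if (cmp(meta.version, floor) < 0) {
      bad.push({ path: p, version: meta.version, parent, floor });
    }
  }
  return bad;
}

console.log(findUnpatched(lock));
```

Run against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `lock`; an empty result means every copy of the package meets its floor.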

…avascript RCE, cookie out-of-bounds, webpack SSRF

Co-authored-by: mimiflynn <414934+mimiflynn@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix security issues on the security page" to "Fix Dependabot npm security alerts: minimatch ReDoS, serialize-javascript RCE, cookie, webpack SSRF" on Mar 5, 2026
@mimiflynn marked this pull request as ready for review on March 6, 2026 21:16