chore(deps): override minimatch + brace-expansion to clear ReDoS advisories

[gkriegspeedbay]

What

Adds npm overrides forcing minimatch → ^3.1.5 and brace-expansion → ^1.1.13, clearing the ReDoS advisories npm audit reports against the lockfile.

Why

The lockfile resolves several copies of minimatch@3.1.2 and brace-expansion@1.1.12:

• minimatch — GHSA-3ppc-4f35-3m26 / GHSA-7r86-cg39-jmmj / GHSA-23c5-xmqv-rm74 (high)
• brace-expansion — GHSA-f886-m6hf-6m8v (moderate)

Most copies satisfy a caret range and could update on their own, but serve-handler@6.1.6 (via md-to-pdf) hard-pins minimatch: "3.1.2" exactly, so that copy only moves with an override.

Safety

Both are same-major patch bumps — no API change:

• glob@7 uses require('minimatch').Minimatch / .GLOBSTAR / .makeRe / .match (all 3.x-native).
• readdir-glob (pinned ^3.1.5, down from 5.x) uses only new Minimatch() + .match(), identical across 3.x and 5.x.

Verification

With the overrides applied, all 9 minimatch copies resolve to 3.1.5; npm audit no longer reports the minimatch or brace-expansion advisories (43 → 40 total); the project builds; and exceljs xlsx + csv round-trips pass.

Summary by CodeRabbit

• Chores
  • Updated dependency version pinning for project stability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 57a3c510-5f69-4cee-8e51-d19cec34d0f5

📥 Commits

Reviewing files that changed from the base of the PR and between 7a9b2ff and 6177871.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

---

📝 Walkthrough

Walkthrough

Adds a top-level overrides section to package.json that pins the resolved versions of minimatch to ^3.1.5 and brace-expansion to ^1.1.13 using npm's dependency override mechanism.

Changes

Dependency Version Pinning

Layer / File(s)	Summary
npm overrides for minimatch and brace-expansion package.json	Introduces a new overrides object that forces minimatch to resolve at ^3.1.5 and brace-expansion at ^1.1.13 across the entire dependency tree.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 Hop, hop, a version pinned tight,
minimatch kept at just the right height,
brace-expansion locked neat and secure,
The lockfile now tidy and pure.
This bunny approves — the deps are right! 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding dependency overrides for minimatch and brace-expansion to resolve ReDoS security advisories.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}