fix(deps): fix vulnerabilities on Picomatch #121

Merged
timoa merged 1 commit into main from fix/deps-vulnerabilities-picomatch
Apr 7, 2026

Conversation

@timoa timoa commented Apr 7, 2026

Description

Fix Vulnerabilities on packages that use Picomatch

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that changes existing behaviour)
  • Documentation update
  • Refactor/code quality improvement
  • Dependency update

Checklist

Code quality

  • My commit messages follow Conventional Commits (e.g. feat:, fix:, docs:, chore:)
  • I have not introduced any TypeScript types without justification
  • I have not left debug code, console.log, or commented-out blocks

Testing

  • I have tested the changes locally by pressing F5 in VSCode to launch the Extension Development Host
  • I have run pnpm test, and all tests pass
  • I have run pnpm lint, and there are no lint errors
  • I have added or updated tests to cover my changes (if applicable)

Build & compatibility

  • I have run pnpm run compile and pnpm run webpack without errors
  • The extension works in VSCode (and ideally Cursor/Windsurf)

Documentation

  • I have updated the README.md if my change adds a new feature, keyboard shortcut, or changes existing behaviour
  • I have updated or added JSDoc comments for non-obvious logic (if applicable)

Screenshots/recordings

Summary by CodeRabbit

  • Chores
    • Updated package dependencies (yaml, mocha, vite) and dependency overrides for compatibility
    • Enhanced version control and build artifact configuration

@timoa timoa self-assigned this Apr 7, 2026

coderabbitai bot commented Apr 7, 2026

Walkthrough

The .gitignore file now explicitly ignores VSCode settings and media build artifacts. Dependency versions updated for yaml, mocha, and vite. Pnpm.overrides expanded to pin transitive dependencies and security patches across the picomatch ecosystem and related packages.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build Configuration: .gitignore | Added ignore patterns for .vscode/settings.json and media build artifacts (main.js, main.js.map), replacing a prior rule for the VSCode settings path. |
| Dependencies & Overrides: package.json | Updated direct dependencies: yaml (2.8.2→2.8.3), mocha (^10.8.2→^11.7.5), vite (7.3.1→7.3.2). Enhanced pnpm.overrides with pinned versions for serialize-javascript (≥7.0.5), flatted (≥3.4.2), added transitive picomatch constraints across anymatch, readdirp, micromatch, tinyglobby, vite, vitest, and new overrides for mocha>diff and @textlint/linter-formatter>lodash. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Suggested labels

dependencies

Poem

🐰 Hopping through deps with careful paw,
Security patches without a flaw,
Picomatch pinned from root to tree,
Transitive bonds now safe and free!
One bounce forward, versions true.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'fix(deps): fix vulnerabilities on Picomatch' clearly describes the main change: fixing dependency vulnerabilities related to Picomatch through dependency updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description check | ✅ Passed | The PR description follows the required template structure with all major sections present: Description, Type of change (correctly marked as Dependency update), and Checklist. The description clearly states the purpose (Fix Vulnerabilities on packages that use Picomatch) and is not vague or off-topic. |


github-actions bot commented Apr 7, 2026

🩺 React Doctor

react-doctor v0.0.31

✔ Select projects to scan › workflow-visual-editor
No feature branch or uncommitted changes detected. Running full scan.

Scanning /home/runner/work/workflow-editor/workflow-editor...

Failed to parse oxlint output: Failed to parse oxlint configuration file.

  Rule 'no-noninteractive-element-interactions' not found in plugin 'jsx_a11y'
No issues detected, but lint checks failed — results are incomplete.

  React Doctor (www.react.doctor)

  Score not shown — some checks could not complete.


codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.13%. Comparing base (a405b0d) to head (6c2a0e9).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #121   +/-   ##
=======================================
  Coverage   94.13%   94.13%           
=======================================
  Files          10       10           
  Lines         290      290           
  Branches      105      105           
=======================================
  Hits          273      273           
  Misses          1        1           
  Partials       16       16           

@timoa timoa merged commit 2081d68 into main Apr 7, 2026
10 checks passed
@timoa timoa deleted the fix/deps-vulnerabilities-picomatch branch April 7, 2026 15:54

timoa-bot bot commented Apr 7, 2026

🎉 This PR is included in version 1.2.43 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@timoa-bot timoa-bot bot added the released label Apr 7, 2026