chore: update minimatch #604

Open
benlife5 wants to merge 3 commits into main from update-minimatch

@benlife5 benlife5 requested a review from a team as a code owner February 23, 2026 20:27

coderabbitai bot commented Feb 23, 2026

Walkthrough

This pull request updates development and tooling metadata. In packages/pages/package.json the devDependency minimatch is bumped (from ^9.0.3 to ^10.2.2) and the devDependency @types/minimatch is removed. The THIRD-PARTY-NOTICES file is edited to update a listed minimatch version (9.0.3 → 9.0.5). The repository lint-staged configuration is adjusted to exclude THIRD-PARTY-NOTICES from the oxfmt formatter.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: updating the minimatch dependency.
Description check ✅ Passed The description references a JIRA vulnerability issue (VULN-42320), which relates to the minimatch update in the changeset.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/pages/package.json`:
- Line 103: Remove the redundant `@types/minimatch` entry from lockfiles and
package manifests (it conflicts with minimatch v10's built-in types) and run a
fresh install to update lockfile; then audit imports (e.g., the test file
packages/pages/src/common/src/function/internal/getFunctionFilepaths.test.ts and
any other modules) to ensure minimatch is only imported using ESM-style imports
(import { minimatch }) and not required via CommonJS, and if any CommonJS
consumers remain or you're constrained to CJS, either pin brace-expansion to a
compatible non-ESM version or add a dependency resolution/override to force a
compatible brace-expansion version so minimatch@10 works in your environment.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bc4627a and 5abfdd6.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • packages/pages/package.json

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 55: Replace the undocumented negation prefix used in package.json
("!**/THIRD-PARTY-NOTICES") with the documented micromatch extglob form
"!(**/THIRD-PARTY-NOTICES)" in the lint-staged config; update the pattern string
in the package.json entry so lint-staged sees the extglob negation, and verify
that the change in path structure (presence of a slash) does not inadvertently
disable matchBase behavior—if you need basename matching instead of full-path
matching, adjust the pattern accordingly (e.g., remove the slash or use an
alternate glob) to preserve original matching semantics.

In `@THIRD-PARTY-NOTICES`:
- Around line 8722-8725: THIRD-PARTY-NOTICES currently lists minimatch@9.0.5 but
package.json and the lockfile resolve to minimatch@10.2.2; regenerate the
THIRD-PARTY-NOTICES file from the project's lockfile (e.g., package-lock.json /
yarn.lock / pnpm-lock.yaml) or rerun the license-notice generation script used
in this repo so the entry for minimatch (and any other packages) matches the
resolved versions in the lockfile and the package.json specification.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5abfdd6 and 1551211.

📒 Files selected for processing (2)
  • THIRD-PARTY-NOTICES
  • package.json

},
"lint-staged": {
"*": "oxfmt",
"!**/THIRD-PARTY-NOTICES": "oxfmt",
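
Review bot: the `"*": "oxfmt"` key on the line directly above the `"!**/THIRD-PARTY-NOTICES"` key matches every staged file, so if both keys remain in the final config, THIRD-PARTY-NOTICES is still passed to oxfmt through the `"*"` entry and the exclusion has no effect. Keep only the negated key, and confirm by staging a change to THIRD-PARTY-NOTICES and checking that oxfmt does not run on it.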

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for any other lint-staged configurations in the codebase
fd -t f "package.json" | head -20 | xargs grep -l "lint-staged" | while read f; do
  echo "=== $f ==="
  grep -A 10 '"lint-staged"' "$f" || true
done

Repository: yext/pages

Length of output: 594


🌐 Web query:

lint-staged negation patterns glob config keys documentation

💡 Result:

In lint-staged, the configuration object keys are glob patterns (matched with micromatch), and the values are the command(s) to run for files that match each glob. [1]

Negation patterns you can use as config keys

Because lint-staged uses micromatch, you can use negation / extglob patterns directly in the key to exclude files and avoid overlapping rules, e.g.: [1][2]

{
  "!(*.ts)": "prettier --write",
  "*.ts": ["eslint --fix", "prettier --write"]
}

Other documented negation examples in lint-staged include: [1]

  • !(*test).js → match *.js except files ending in test.js
  • !(*.css|*.js|*.jsx) → match everything except those extensions

How matching behaves (important for writing negations)

lint-staged notes that when your glob has no /, micromatch enables matchBase, so patterns like *.js (and negated variants like !(*test).js) match by basename anywhere in the repo. [1]

Sources: lint-staged README (Configuration / Filtering files) [1], micromatch README (negation + extglobs) [2].


Use documented extglob syntax for negation patterns: replace "!**/THIRD-PARTY-NOTICES" with "!(**/THIRD-PARTY-NOTICES)".

The pattern syntax used here diverges from lint-staged's documented approach. Official lint-staged documentation (via micromatch) shows negation patterns using extglob syntax—e.g., "!(*.ts)", "!(*test).js"—not the !prefix form used here. While ! prefix negation is a common glob convention, it is not the documented pattern style for lint-staged config keys, and using undocumented syntax risks incompatibility or unexpected behavior.

Additionally, the transition from "*" to "!**/THIRD-PARTY-NOTICES" changes pattern matching behavior: the original pattern (no slashes) enabled micromatch's matchBase option and matched all staged files by basename; the new pattern contains /, disabling matchBase, and now relies on full-path matching. Ensure this behavioral shift aligns with the intended behavior.

Use the documented extglob form instead:

🔍 Suggested fix using documented extglob negation
-    "!**/THIRD-PARTY-NOTICES": "oxfmt",
+    "!(**/THIRD-PARTY-NOTICES)": "oxfmt",

Suggested change
"!**/THIRD-PARTY-NOTICES": "oxfmt",
"!(**/THIRD-PARTY-NOTICES)": "oxfmt",
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 55, Replace the undocumented negation prefix used in
package.json ("!**/THIRD-PARTY-NOTICES") with the documented micromatch extglob
form "!(**/THIRD-PARTY-NOTICES)" in the lint-staged config; update the pattern
string in the package.json entry so lint-staged sees the extglob negation, and
verify that the change in path structure (presence of a slash) does not
inadvertently disable matchBase behavior—if you need basename matching instead
of full-path matching, adjust the pattern accordingly (e.g., remove the slash or
use an alternate glob) to preserve original matching semantics.

Comment on lines 8722 to 8725
The following npm package may be included in this product:

- minimatch@9.0.3
- minimatch@9.0.5

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Check package.json for minimatch dependency
echo "=== package.json ==="
rg -n '"minimatch"\s*:' -g 'package.json' . --max-count=5

echo -e "\n=== Lockfiles ==="
# Check lockfiles for resolved minimatch version
rg -n 'minimatch@' -g 'pnpm-lock.yaml' -g 'package-lock.json' -g 'yarn.lock' . | head -20

echo -e "\n=== THIRD-PARTY-NOTICES ==="
# Check THIRD-PARTY-NOTICES for listed version
rg -n 'minimatch@' THIRD-PARTY-NOTICES

Repository: yext/pages

Length of output: 559


Regenerate THIRD-PARTY-NOTICES to reflect the correct minimatch version.

Line 8724 lists minimatch@9.0.5, but package.json specifies ^10.2.2 which resolves to 10.2.2 in the lockfile. THIRD-PARTY-NOTICES is out of sync with the actual resolved dependency and creates a compliance mismatch. Regenerate the file from the lockfile to ensure licenses are accurate.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@THIRD-PARTY-NOTICES` around lines 8722 - 8725, THIRD-PARTY-NOTICES currently
lists minimatch@9.0.5 but package.json and the lockfile resolve to
minimatch@10.2.2; regenerate the THIRD-PARTY-NOTICES file from the project's
lockfile (e.g., package-lock.json / yarn.lock / pnpm-lock.yaml) or rerun the
license-notice generation script used in this repo so the entry for minimatch
(and any other packages) matches the resolved versions in the lockfile and the
package.json specification.
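
The version-drift check raised in the review comment above, as an added example that is not part of the PR or of the yext/pages repository: it compares the `name@version` entries of a notices file with the package keys of a pnpm lockfile. The sample inputs are constructed (only the minimatch versions come from this page), and the lockfile key layout and the function names are assumptions.

```javascript
// Added example: report drift between a notices file and a pnpm lockfile.
// Inputs are constructed; only the minimatch versions come from the PR page.
const SAMPLE_NOTICES = [
  "The following npm package may be included in this product:",
  " - minimatch@9.0.5",
  "The following npm package may be included in this product:",
  " - example-pkg@1.0.0",
].join("\n");

const SAMPLE_LOCK = [
  "packages:",
  "  example-pkg@1.0.0:",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
  "  minimatch@10.2.2:",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
].join("\n");

// Notice entries look like " - name@1.2.3". Lockfile package keys (assumed
// pnpm layout) look like "  name@1.2.3:" or "  '@scope/name@1.2.3(peer)':".
const NOTICE_RE = /^\s*-\s+((?:@[^/\s]+\/)?[^@\s]+)@(\d\S*)\s*$/;
const LOCK_RE = /^ {2}'?\/?((?:@[^/\s]+\/)?[^@\s'/]+)@(\d[^\s'(:]*)(?:\(.*\))?'?:$/;

// Build name -> Set(versions) from every line the pattern matches.
function collect(text, re) {
  const out = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    if (!out.has(m[1])) out.set(m[1], new Set());
    out.get(m[1]).add(m[2]);
  }
  return out;
}

function findDrift(noticesText, lockText) {
  const listed = collect(noticesText, NOTICE_RE);
  const resolved = collect(lockText, LOCK_RE);
  const findings = [];
  const diff = (a, b, kind) => {
    for (const [name, versions] of a)
      for (const v of versions)
        if (!(b.get(name) || new Set()).has(v)) findings.push(`${kind} ${name}@${v}`);
  };
  diff(listed, resolved, "stale-notice"); // listed, but not what is installed
  diff(resolved, listed, "missing-notice"); // installed, but not listed
  return findings;
}

console.log(findDrift(SAMPLE_NOTICES, SAMPLE_LOCK));
```

Run against the real files in CI, a non-empty result is the signal to regenerate the notices file before merging a dependency bump.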

@mkilpatrick mkilpatrick (Collaborator) left a comment

rabbit comments
