
Resolve security workflow failure by updating vulnerable transitive picomatch in client lockfile #2

Merged: dlukt merged 2 commits into main from copilot/address-failed-security-action on Mar 29, 2026

Copilot AI commented Mar 29, 2026

The security GitHub Actions run failed at npm audit --audit-level=high due to a high-severity vulnerability in transitive picomatch (4.0.0–4.0.3).
This change updates the lockfile to consume the patched transitive version and restore the audit gate.

  • Scope

    • Update /client/package-lock.json only.
    • No application/runtime code changes.
  • Dependency remediation

    • Bump transitive picomatch from 4.0.3 to 4.0.4 in lock resolution.
    • Addresses advisories:
      • GHSA-3v7f-55p6-f55p
      • GHSA-c2c7-rcm5-vvqj
  • Why this is minimal

    • Keeps existing direct dependencies unchanged.
    • Applies the narrowest change needed for the failing security workflow path.
"node_modules/picomatch": {
-  "version": "4.0.3",
-  "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+  "version": "4.0.4",
+  "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
}
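
Review bot: The node_modules/picomatch entry as shown changes only version and resolved; no integrity line appears among the changed lines. The integrity hash in a lockfile entry belongs to the tarball named in resolved, so confirm the full diff also replaces it with the value for picomatch-4.0.4.tgz, ideally by letting npm regenerate the entry rather than editing it by hand, because npm ci rejects a tarball whose hash does not match the lockfile.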

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • stun.l.google.com

If you need me to access, download, or install something from one of these locations, you can either:


Copilot AI changed the title from "[WIP] Fix failed security action in workflow" to "Resolve security workflow failure by updating vulnerable transitive picomatch in client lockfile" Mar 29, 2026
Copilot AI requested a review from dlukt March 29, 2026 10:50
@dlukt dlukt marked this pull request as ready for review March 29, 2026 10:55
Copilot AI review requested due to automatic review settings March 29, 2026 10:55

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • client/package-lock.json: Language not supported

@dlukt dlukt merged commit 7e0f7aa into main Mar 29, 2026
6 checks passed
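
A lockfile can hold more than one resolved copy of a transitive package, each under its own nested node_modules key, so a bump like the one in this PR is worth checking against every entry. The following is an added example, not code from this PR or the project: it scans a lockfile "packages" map for copies of picomatch in the 4.0.0 to 4.0.3 range quoted in the description. The dep-a and dep-b names and the sample lockfile are constructed, and version parsing ignores pre-release suffixes.

```javascript
// Added example: list every resolved copy of a package in an npm lockfile
// "packages" map (lockfileVersion 2/3) that falls inside an affected range.

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Keys look like "node_modules/x/node_modules/picomatch"; the package name is
// whatever follows the last "node_modules/" segment (scoped names included).
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function findVulnerable(lock, name, minAffected, maxAffected) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (packageNameFromKey(key) !== name || !entry.version) continue;
    if (compareVersions(entry.version, minAffected) >= 0 &&
        compareVersions(entry.version, maxAffected) <= 0) {
      hits.push({ path: key, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: the hoisted copy is patched, a nested copy is not, and an
// unrelated package happens to carry a version number inside the range.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'client' },
    'node_modules/picomatch': { version: '4.0.4' },
    'node_modules/dep-a/node_modules/picomatch': { version: '4.0.2' },
    'node_modules/dep-b': { version: '4.0.1' },
  },
};
console.log(findVulnerable(sampleLock, 'picomatch', '4.0.0', '4.0.3'));
```

On a real checkout, pass the parsed contents of client/package-lock.json as `lock`; an empty result complements the npm audit gate and does not replace it.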