fix: update minimatch to resolve CVE-2026-27903

[dannyneira]

Summary

• Updates transitive minimatch resolutions in package-lock.json to patched versions: 3.1.5 for the v3 chain and 9.0.9 for the v9 chain.
• Adds a scoped npm overrides entry for @typescript-eslint/typescript-estree -> minimatch to replace the older exact 9.0.3 transitive pin.

Vulnerabilities resolved

• CVE-2026-27903 / GHSA-7r86-cg39-jmmj: GHSA-7r86-cg39-jmmj
• Dependabot alert: https://github.com/warpdotdev/oz-agent-action/security/dependabot/9
• Dependabot alert: https://github.com/warpdotdev/oz-agent-action/security/dependabot/10

Details

• Dependency relationship: transitive development dependency.
• Manifest: package-lock.json.
• Patched targets: minimatch@3.1.3 and minimatch@9.0.7; resolved versions are 3.1.5 and 9.0.9.
• Workaround applied: scoped npm override for @typescript-eslint/typescript-estree because one older transitive dependency pinned minimatch exactly to 9.0.3.
• Dependabot error: none reported for these alerts.

Verification

• npm audit --json filtered for minimatch, CVE-2026-27903, and GHSA-7r86-cg39-jmmj returned [].
• npm run build
• npm run lint
• npm test

Co-Authored-By: Oz oz-agent@warp.dev

Conversation: https://staging.warp.dev/conversation/a6e81b97-4bd4-407d-b871-4f61589e591e
Run: https://oz.staging.warp.dev/runs/019e7ec3-8846-7f13-b9ca-17d5f8bb0cac

This PR was generated with Oz.

[myeasynote]

Sekundenschlaf