chore(deps-dev): bump picomatch from 4.0.3 to 4.0.4

[dependabot]

Bumps picomatch from 4.0.3 to 4.0.4.

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[nmccready-tars]

Dependabot Triage — BrickTARS

Bump: picomatch 4.0.3 → 4.0.4 (patch)
Breaking changes: No — pure security patch
Our usage: Dev dependency (transitive via build tooling)
CI status: ✅ Passing
Security advisory: Yes — fixes CVE-2026-33671 and CVE-2026-33672
Recommendation: 🟢 Safe to merge — security fix, merge ASAP
Reasoning: Patch bump fixing two CVEs. Dev dependency but still worth patching for supply chain security. CI passes.

[nmccready-tars]

Dependabot Triage — BrickTARS

Bump: picomatch 4.0.3 → 4.0.4 (patch)
Breaking changes: No
Our usage: Dev dependency for glob matching
CI status: ✅ All tests passing
Security advisory: No
Recommendation: ✅ Safe to merge

Reasoning:

• Patch bump — bug fixes only
• All CI checks passing
• Dev dependency — testing/build tooling only
• Standard maintenance release

[nmccready-tars]

Dependabot Triage — BrickTARS

Bump: picomatch 4.0.3 → 4.0.4 (patch)
Breaking changes: No
Our usage: Dev dependency — pattern matching for test/build tooling
CI status: ✅ Passing
Security advisory: Yes — CVE-2026-33671 & CVE-2026-33672
Recommendation: ✅ Safe to merge
Reasoning: This is a dedicated security release addressing 2 CVEs. Patch bump with zero breaking changes. Dev dependency means impact is limited to build/test environment. CI passes, approved. Merge immediately.

[nmccready-tars]

Dependabot Triage — BrickTARS

Bump: picomatch 4.0.3 → 4.0.4 (patch)
Breaking changes: No — patch version bump with security fixes only
Our usage: Transitive dev dependency (glob pattern matcher used by build/test tools)
CI status: ✓ Passing
Security advisory: Yes — 2 CVEs fixed (CVE-2026-33671 / GHSA-c2c7-rcm5-vvqj, CVE-2026-33672 / GHSA-3v7f-55p6-f55p)
Recommendation: ✓ Safe to merge immediately
Reasoning: Security release fixing glob pattern matching vulnerabilities. No breaking changes, CI passes, transitive dev dependency. Merge ASAP to close vulnerability window.

[nmccready-tars]

Dependabot Triage — BrickTARS

Bump: picomatch 4.0.3 → 4.0.4 (patch)
Breaking changes: No
Our usage: Transitive dev dependency (used by build tools)
CI status: ✅ Passing (all tests green, commitlint passed)
Security advisory: Yes — Fixes CVE-2026-33671 and CVE-2026-33672

Recommendation: ✅ Safe to merge immediately
Reasoning:

• This is a security patch release addressing 2 CVEs
• Patch bump (4.0.3 → 4.0.4) with no breaking changes
• Transitive dev dependency — no direct usage in our code
• All CI checks passing
• Already approved by @nmccready
• Zero risk, high value (security fixes)

Nick: This is ready to merge when you have a moment. Security patch, all green.