deps(web): pin picomatch to >=4.0.4 via npm override; clears 4 dependabot alerts

Dependabot flagged four picomatch vulnerabilities in
web/package-lock.json:

  #8  GHSA-?, ReDoS via extglob quantifiers
  #9  GHSA-?, ReDoS via extglob quantifiers (related to #8)
  #10 CVE-2026-33672 / GHSA-3v7f-55p6-f55p, method injection via
      POSIX character classes (related; affecting < 2.3.2)
  #11 CVE-2026-33672 / GHSA-3v7f-55p6-f55p, method injection via
      POSIX character classes — same advisory as #10, separate
      Dependabot row because it surfaces against a second copy
      of picomatch in the dep tree

All four close on the same fix: every resolved picomatch instance
must be >= 4.0.4 (or >= 3.0.2, or >= 2.3.2 — the patch shipped on
all three release lines). Pre-fix the lockfile carried at least
two vulnerable copies:

  node_modules/picomatch                             v2.3.1  (vuln)
  node_modules/vitest/node_modules/picomatch         v4.0.3  (vuln for #11)
  node_modules/vite/node_modules/picomatch           v4.0.4  (ok)
  node_modules/tinyglobby/node_modules/picomatch     v4.0.4  (ok)

Reachability check before fixing:

  - picomatch is a build-time glob-matching tool (used by
    tailwindcss → readdirp/anymatch/micromatch chain, plus by
    vite + vitest internals).
  - All instances in our tree are dev=true. None are bundled into
    the React production output (web/dist/assets/*.js) — that's
    just the React SPA, no node_modules at runtime.
  - The CVE only affects code that processes UNTRUSTED glob
    patterns. Our build pipeline only globs operator-controlled
    file patterns (TSX source files, Tailwind 'content' globs).
    Not network-reachable.

So the CVE was not reachable from any shipped certctl artefact.
Fix anyway because the alerts are noise.

Fix mechanism: add an npm 'overrides' entry pinning picomatch to
^4.0.4 across all consumers. npm collapses every transitive
picomatch resolution to the override, so the lockfile shrinks from
4 picomatch entries to 1, all on v4.0.4 (patched).

Verification:

  npm install --package-lock-only      → up to date, 0 vuln
  npm audit                            → found 0 vulnerabilities

Diff: 2 files, 7 insertions / 43 deletions (net negative — the
override de-duplicates the picomatch tree).

Closes: GHSA-3v7f-55p6-f55p, CVE-2026-33672 (alerts #10, #11) +
the two related ReDoS picomatch alerts (#8, #9)

web/package-lock.json

@@ -2500,13 +2500,13 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">=8.6"
+        "node": ">=12"
       },
       "funding": {
         "url": "https://github.com/sponsors/jonschlinkert"
@@ -3252,19 +3252,6 @@
         }
       }
     },
-    "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/tinyrainbow": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.1.0.tgz",
@@ -3520,19 +3507,6 @@
         }
       }
     },
-    "node_modules/vite/node_modules/picomatch": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/vitest": {
       "version": "4.1.0",
       "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.0.tgz",
@@ -3615,19 +3589,6 @@
         }
       }
     },
-    "node_modules/vitest/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/w3c-xmlserializer": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",

web/package.json

@@ -30,5 +30,8 @@
     "typescript": "^5.9.3",
     "vite": "^8.0.10",
     "vitest": "^4.1.0"
+  },
+  "overrides": {
+    "picomatch": "^4.0.4"
   }
 }