From f2fc3f51a3323f6c02a14ca8866cf5f32b660703 Mon Sep 17 00:00:00 2001
From: yvanzo <yvanzo@metabrainz.org>
Date: Mon, 7 Nov 2022 06:55:05 +0000
Subject: [PATCH] SEC-900: Upgrade nodemon to use fixed minimatch

For website rendering nodemon@2.0.19 was used, which depends on
vulnerable minimatch@3.0.4 (CVE-2022-3517). Even though it seems
unlikely that it might affect the MusicBrainz website, upgrading to
nodemon@2.0.20 makes it use the fixed minimatch@3.1.2 instead.

Note: Other dependencies to minimatch@3.0.4 are used in a development
context only (even glob@7.0.0 via @babel/cli@7.14.8 and shelljs@0.8.5).
---
 package.json |  2 +-
 yarn.lock    | 17 ++++++++++++-----
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/package.json b/package.json
index e1676c6ddc9..e4b13e9f1cf 100644
--- a/package.json
+++ b/package.json
@@ -49,7 +49,7 @@
     "less-plugin-clean-css": "1.5.1",
     "leven": "2.0.0",
     "mutate-cow": "4.1.1",
-    "nodemon": "2.0.19",
+    "nodemon": "2.0.20",
     "pg": "8.3.3",
     "pg-cursor": "2.3.3",
     "po2json": "0.4.1",
diff --git a/yarn.lock b/yarn.lock
index 0027f92812b..4b42366cb91 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4029,6 +4029,13 @@ minimatch@^3.0.4:
   dependencies:
     brace-expansion "^1.1.7"
 
+minimatch@^3.1.2:
+  version "3.1.2"
+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
+  integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
+  dependencies:
+    brace-expansion "^1.1.7"
+
 minimist@1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#a35008b20f41383eec1fb914f4cd5df79a264284"
@@ -4139,15 +4146,15 @@ node-releases@^1.1.73:
   resolved "https://registry.yarnpkg.com/node-releases/-/node-releases-1.1.74.tgz#e5866488080ebaa70a93b91144ccde06f3c3463e"
   integrity sha512-caJBVempXZPepZoZAPCWRTNxYQ+xtG/KAi4ozTA5A+nJ7IU+kLQCbqaUjb5Rwy14M9upBWiQ4NutcmW04LJSRw==
 
-nodemon@2.0.19:
-  version "2.0.19"
-  resolved "https://registry.yarnpkg.com/nodemon/-/nodemon-2.0.19.tgz#cac175f74b9cb8b57e770d47841995eebe4488bd"
-  integrity sha512-4pv1f2bMDj0Eeg/MhGqxrtveeQ5/G/UVe9iO6uTZzjnRluSA4PVWf8CW99LUPwGB3eNIA7zUFoP77YuI7hOc0A==
+nodemon@2.0.20:
+  version "2.0.20"
+  resolved "https://registry.yarnpkg.com/nodemon/-/nodemon-2.0.20.tgz#e3537de768a492e8d74da5c5813cb0c7486fc701"
+  integrity sha512-Km2mWHKKY5GzRg6i1j5OxOHQtuvVsgskLfigG25yTtbyfRGn/GNvIbRyOf1PSCKJ2aT/58TiuUsuOU5UToVViw==
   dependencies:
     chokidar "^3.5.2"
     debug "^3.2.7"
     ignore-by-default "^1.0.1"
-    minimatch "^3.0.4"
+    minimatch "^3.1.2"
     pstree.remy "^1.1.8"
     semver "^5.7.1"
     simple-update-notifier "^1.0.7"